Ukrainian CyberSecurity Under Scrutiny As Hackers Disable Power Twice In A Year
This week marks the one-year anniversary of the first publicly acknowledged cyberattack that took down portions of a state power grid, in a carefully planned, meticulously executed attack that has had serious repercussions on the cybersecurity industry. On December 23, 2015, around 225,000 customers of three electricity suppliers in western Ukraine were cut off from power. Subsequent investigations have revealed that the required computer breaches and malware plants began six months before, in the summer of 2015.
Less than a year on, there has already been a second suspected cyberattack on a transmission substation in northern Kiev, in the early hours of December 18, 2016. Substations have long been considered a weak point in critical infrastructure security, with the physical locations being remote and almost completely automated in operation. State operator Ukrenergo’s engineers quickly attributed the outage to external interference through data transmission and ceded control to local cybersecurity experts for investigation. Power was eventually restored by disabling computer networks and switching the substation back to manual mode. A statement from Ukrenergo acting chief director, Vsevolod Kovalchuk, pointed the blame at the Russian state, citing a long spate of attacks aimed at crippling key Ukrainian infrastructure.
The original 2015 hack used spear-phishing to deliver malware nicknamed ‘BlackEnergy’, a Trojan specially designed to launch DDoS attacks and download custom spam. In this case, it delivered ‘KillDisk’, a disk-killing, data-trashing Trojan. This rather chilling malware cocktail was delivered through an infected Excel file containing macros which, when run, installed BlackEnergy, which in turn launched KillDisk.
When questioned on the likelihood of a similar incident occurring within the United States, Marcus Sachs, SVP and Chief Security Officer with the North American Reliability Corp (NERC), pointed to a failure to follow basic IT common sense – changing passwords regularly, upgrading software to cover known problems and more.
Reports coming out of Ukraine over the past two weeks suggest that state-sponsored cybercriminals have also successfully taken down the websites and payment systems of the defence, finance and infrastructure ministries, as well as those of the state treasury, the state pension fund and the state railway company. Since 2014, low-level attacks aimed at the Ukrainian mining industry, banks, the national power grid and the state rail operator have been widely attributed to Russia.