
Details of the unprecedented hack of Ukraine's power grid



On Wednesday, December 23, 2015, at 15:30, residents of Ivano-Frankivsk in western Ukraine were preparing for the end of the working day and were about to head home through the cold winter streets. In the control center of Prykarpattyaoblenergo, the company that distributes electricity in the region, the dispatchers had almost finished their shift. But as one of them was tidying the papers on his desk before leaving, the cursor on his computer screen moved by itself.

The dispatcher watched the cursor move purposefully to the controls for the circuit breakers at a regional substation, then click the button that opened the window with the switches for taking the substation offline. A dialog box appeared asking for confirmation, and the operator looked on dumbfounded as the cursor slid into that window and pressed the confirmation button. He knew that somewhere in the area outside the city, thousands of homes had just lost power.

The dispatcher grabbed the mouse and desperately tried to regain control, but the cursor did not respond to his movements. It moved on its own toward another switch, and his current login session in the control panel was abruptly terminated. He hastily tried to log back in, but his password was no longer valid: the attackers had changed it. He could only watch helplessly as the unknown intruders switched off the substation breakers one by one, stopping at about 30 of them. They did not stop there. At the same time as Prykarpattyaoblenergo, two more energy companies were attacked, so the total number of substations taken offline was twice as high, and 230,000 residents were left without electricity. And as if that were not enough, the hackers also disabled the backup power sources, cutting power to the dispatchers themselves in two of the three control centers.

Brilliant plan


The hackers who broke into Ukraine's energy companies, in the world's first confirmed case of a cyberattack causing a power outage, were not opportunists testing their abilities. A thorough investigation of the incident brought new details to light: behind the attack stood skilled and secretive strategists who planned it carefully over many months, first conducting reconnaissance, studying the victims' networks and stealing the operators' credentials, and then launching a synchronized attack on the control centers.

"It was a brilliant attack," said Robert M. Lee, who assisted in the investigation, a former cyber operations officer in the US Air Force and co-founder of Dragos Security, which specializes in protecting critical infrastructure. "Speaking about the sophistication of hacking, many people always focus on the malware that was used. But for me, the sophistication of the attack lies in the level of logistics and planning of the operation ... and what happens during it. And here was a really sophisticated job."

Ukraine immediately pointed to Russia as the initiator of the attack. Robert Lee declined to name any country, but he said there is a clear distinction between the different stages of the operation, which implies that hackers of different skill levels took part at different stages. It is therefore likely that the attack was carried out in cooperation between several quite different participants, perhaps cybercriminals and nation-state actors.

"It should be a well-funded, well-trained team ... But it's not necessarily a state level," he said. Perhaps lower-level cybercriminals gained the initial access to the network and then handed control over to more experienced, state-level hackers.

One way or another, a successful attack on a power grid raises the question of how secure such networks are in the United States, experts say. Surprisingly, the Ukrainian control systems were better protected against such an attack than the American ones, since they were well separated from the business networks by firewalls. But even this protection was not enough, because employees logged in remotely to the SCADA (Supervisory Control and Data Acquisition) network from which the electrical subsystems are controlled. There was no two-factor authentication, so anyone who knew an operator's credentials could take control of the substation control systems.

Electricity in the Ukrainian cities was restored within one to six hours. But even more than two months after the attack, the control centers had still not returned to normal operation, according to a recent US report. Computer security specialists from Ukraine and the United States say the hackers replaced the firmware on critical equipment in 16 substations, and that equipment no longer responds to commands from the control center. Electricity is being supplied, but the switches have to be operated manually.

An attack on the American grid could end far worse, because many American substations have no backup provision for manual control, so after such sabotage restoring the power supply would be much more difficult.

Chronology of the attack


Several US agencies helped Ukraine investigate the attack, including the FBI and the US Department of Homeland Security. The consultants included the experts Robert Lee and Michael J. Assante, both of whom teach computer security courses at the SANS Institute in Washington. They were pleasantly surprised to find that the Ukrainian energy companies ran an advanced set of firewalls and system logs that helped reconstruct the chronology of events; this is not often encountered when investigating attacks on commercial companies, and even less often in attacks on critical infrastructure.

According to Lee and a Ukrainian expert who took part in the investigation, preparation for the attack began last spring with a phishing campaign aimed at the IT staff and system administrators of energy companies. Ukraine has 24 regions, each with 11 to 27 districts, and each region has its own company that manages electricity distribution in its network. Phishing emails with Word documents attached were sent to employees of three such companies. When the document was opened, a window appeared asking the user to enable macros. If the user did so, a program called BlackEnergy3, containing a backdoor for remote access, was installed on the computer. Exploiting Word and installing Trojans through macros is an old technique that has recently become popular again.

The phishing attack gave the attackers access only to the corporate network. To get into the SCADA system, they had to break through the firewall. For several months, the hackers conducted reconnaissance. They gained access to the Windows domain controllers that manage user and domain interactions, including user logon, authentication, and directory lookups. From there, they harvested employees' credentials, including passwords for the VPN services that employees used to access the SCADA system remotely. Once inside SCADA, the hackers began slowly preparing the attack.

First, they reconfigured the uninterruptible power supplies (UPS) that provided backup power to two of the control centers, so that the lights would go out at the same time for both the residents and the operators inside the company. This was a blatant and aggressive act that can be read as a "big fuck you" to the energy companies, says Lee.

Each company has its own electricity distribution network, and during the reconnaissance stage the hackers studied these networks carefully. Then they wrote their own malicious firmware for the serial-to-Ethernet converters in the substations. These devices relay commands from the control center to the substation, and disabling a converter makes remote control of the substation impossible. "The malware update for a specific operation has never been used before," comments Robert Lee. "In terms of attack, this is very cool. I mean really great work."

Incidentally, the same models of serial-to-Ethernet converters are used in American substations.

Armed with the malicious firmware, the hackers were ready to launch the attack.

On December 23, at about 3:30 pm, they logged into the SCADA system over the VPN using the stolen credentials and sent commands to shut down the reconfigured UPS units. Then they began opening the substation breakers, taking the substations offline one by one. Just before this, a telephone denial-of-service (TDoS) attack on the energy companies' call centers had been set up, so that customers could not get through and alert the dispatchers to the outages too early. Robert Lee notes that the telephone DDoS shows a high level of sophistication and planning across the whole operation. "What sophisticated hackers do is make concerted efforts, even taking into account unlikely scenarios, to ensure that all possible problems are resolved," he says.

The TDoS bought the attackers a little more time: by the time dispatchers noticed strange activity on their computers, some substations would already be offline. Experts say that in the case of a politically motivated attack by Russia against Ukraine, the telephone DDoS serves another purpose as well: undermining citizens' confidence in Ukrainian energy companies and the government.

After the substations went dark, the hackers replaced the firmware on the serial-to-Ethernet converters installed there. On completing the operation, they launched malware called KillDisk to erase files and the MBR on computers in the control centers.

Planted logic bombs launched KillDisk on a timer 90 minutes after the start of the attack, that is, at about 5:00 pm. At that moment Prykarpattyaoblenergo published a message on its website stating what citizens already knew: electricity in some areas had been cut off and the cause of the failure was being investigated.

Half an hour later, when KillDisk had finished its dirty work, Prykarpattyaoblenergo published another message: the cause of the failure was a hacker attack.

...

Whoever is behind the blackout in Ukraine, it is the first attack of its kind, and it sets an ominous precedent for the security of electrical networks around the world. The Prykarpattyaoblenergo dispatcher could not have known what the flicker of the mouse cursor on his screen meant that day. But now everyone responsible for power supply anywhere in the world has been warned. This attack was relatively short and mild. The next may not be.

Source: https://habr.com/ru/post/391439/
