A US investigation found that a December hack on the Ukrainian power grid was coordinated and highly sophisticated.
The report released Thursday offers a detailed look at one of the first cyber-attacks to succeed in taking down part of a national power grid. The well-planned strike, which blacked out more than 225,000 people, hit three regional electronic power distribution companies within 30 minutes of each other on December 23.
An attack such as this one has long been a nightmare scenario for top US officials. National Security Agency and US Cyber Command chief Adm. Michael Rogers has previously warned that it’s not a matter of if, but when attackers will also target US power systems.
The impacted sites continue to “run under constrained operations” more than two months later. In addition, the report states that three other organizations, some involved with unspecified Ukrainian “critical infrastructure,” also appear to have been hacked – but didn’t suffer overt impacts to their operations.
The US sent a team of cyber officials including from the Department of Homeland Security, Department of Energy, and FBI to Ukraine to work with the government and learn lessons to prevent such future attacks.
The group didn’t independently review technical evidence from the Dec. 23 cyber-attack, although it conducted interviews and did other spadework to piece together what appears to be a highly targeted and advanced hack.
The hackers appeared to conduct “extensive reconnaissance of the victim networks,” possibly by first using malware introduced via phony “phishing” emails to snag usernames and passwords to access the facility remotely and hit their circuit breakers.
The networks were compromised at least six months before the outage, by sending emails that included the downloader for the virus BlackEnergy to company employees whose emails were found publicly online, said Anna Dudka, a spokeswoman for the Ukrainian Energy Ministry.
All the affected companies reported infections with malware known as “BlackEnergy,” although US investigators said they are still evaluating whether that specific malware played a role in the attacks.
At the end of the attack, hackers wiped targeted files on some of the systems at the three electrical companies using malware called “KillDisk,” which also rendered the system inoperable.
The hackers also did their best to interfere with power-restoration efforts. For instance, they aimed to keep important servers inoperative by remotely disconnecting their “uninterruptable power supplies,” which would normally keep the computers running even in a blackout. The attackers managed that by accessing an internal management program for those power supplies.
Among several preventative measures, the report suggests that companies isolate systems used to run critical infrastructure from the Internet and that they limit the ability to remotely access these systems.