The SANS Institute concluded the late December power outages in Ukraine were directly caused by cyber attacks, the company said Jan. 9.
The SANS Industrial Control Systems (ICS) team had been analyzing information made available by the affected power companies, researchers, and media.
“We assess with high confidence based on company statements, media reports, and first-hand analysis that the incident was due to a coordinated intentional attack,” Micharl Assante, SANS lead for ICS and Supervisory Control and Data Acquisition (SCADA) security, said in a blog post.
The attack on the Ukraine power utility was composed of several elements including denial of view to system dispatchers and attempts to deny customer calls that would have reported the power outage. SANS also assessed with high confidence there were coordinated attacks against several regional distribution power companies.
A North American electricity industry information center last week recommended its members review their cyber network defenses after it was clear a cyberattack likely caused of the power outage (Defense Daily, Jan. 8).
While SANS noted the exact timeline and order for which utilities were affected is unknown, the Kyivoblenergo company’s public updates to customers clearly stated an unauthorized intrusion into their systems took place from 15:30-16:30 that disconnected seven 110 kV substations and 23 35kV substations. The result was 80,000 customers losing electricity.
SANS highlighted it is confident several steps occurred in the attack, although the exact timing is unknown. The attacker initiated an intrusion into production SCADA systems; infected workstations and servers; acted to “blind” the dispatchers; acted to damage SCADA system hosts (servers and workstations), which would both delay restoration and make forensics more difficult; and flooded the call centers to deny customers the ability to report the power outage.
The institute also noted several actions probably happened but have not yet been fully confirmed. Adversaries infected workstations and, moving through the environment, acted to open breakers and cause the outage. In addition, they initiated a possible Distributed Denial of Service (DDoS) attack on the company websites.
There has been a discussion in the cyber analyst community about whether a malware sample from one of the infected networks was directly responsible for the outage or merely present in the system and unrelated to this attack. SANS concluded a third option–the malware probably enabled the attack but the suspicious “KillDisk” component of the malware did not itself cause the outage.
Assante noted many of the samples being analyzed in the cybersecurity community as reported by others should not be guaranteed to be involved in the incident.
“The malware campaign reported, tied to BlackEnergy and the Sandworm team by others, has solid links to this incident but it cannot be assumed that files such as the excel spreadsheet and other malware samples recovered from other portions of that campaign were at all involved in this incident. It is possible, but far too early in the technical analysis to state that,” Assante said.
While he commended security researchers and companies assessing this incident, Assante said they should be careful to not overstate the current analysis of malware samples due to their link to the larger campaign as being specific to this incident.
“Simply put, there is still evidence that has yet to be uncovered that may refute the minutia of the specific components of the malware portion of the attack.”
SANS does not view the malware itself as having caused the outage, but helped the attacker break into the utility’s systems.
“We assess currently that the malware allowed the attackers to gain a foothold at the targeted utilities, open up command and control, and facilitate the planning of an attack by providing access to the network and necessary information,” Assante said.