For the second time in as many years, security researchers have determined that hackers have caused a power outage in Ukraine that left customers without electricity in late December, typically one of the coldest months in that country.
The researchers’ conclusion, reported by news outlets including Dark Reading, Motherboard, and the BBC, signals yet another troubling escalation in the hacking arena. A December 2015 attack that caused 225,000 Ukrainians to lose electricity was the first known instance of someone using malware to generate a real-world power outage. Ukrainian officials have pinned the attack on the Russian government, a claim that’s consistent with some evidence collected by private security firms.
Now, researchers say a second power outage that struck Ukraine in mid-December was also the result of a computer intrusion and bears many of the same technical hallmarks as the first one. It was part of a series of malicious hacks that have recently targeted key Ukrainian infrastructure, including the country’s rail system server, several government ministries, and a national pension fund. The attacks started on December 6 and lasted through December 20. The December 17 power outage was the result of an attack at the Pivnichna substation outside Kiev that began shortly before midnight. It lasted for about an hour.
Demonstration of capabilities
“The attack [was] not meant to have any lasting dramatic consequences,” Marina Krotofil, a security researcher for Honeywell Industrial Cyber Security Labs, told Motherboard. “They could do many more things, but obviously they didn’t have this as an intent. It was more like a demonstration of capabilities.”
At the S4x17 Conference in Miami on Tuesday, Krotofil said last month’s attacks used many of the same tools that were deployed in the year-earlier hack—including a framework known as BlackEnergy and disk-wiping malware called KillDisk. The breaches stemmed from a massive spear phishing campaign that struck government organizations in July and allowed the attackers to conduct months of covert reconnaissance before finally striking last month. The phishing e-mail came from a highly trusted individual and contained a macro attachment that infected people who allowed it to run. The “dropper” malware, DarkReading reported, underwent 500 software builds over a two-week period, a testament to the rigor of the attackers’ software development.
In a pre-recorded video played at the conference, Oleksii Yasynskyi, head of research for Information Systems Security Partners in Ukraine, which has investigated the attacks, said the attackers belonged to several different groups that worked together. Among other things, they gathered passwords for targeted servers and workstations and created custom malware for their targets.
The attack on the Pivnichna transmission facility shut down the remote terminal units that control circuit breakers. That hack was less severe than the one used in the 2015 attack, which rendered the devices inoperable and prevented engineers from remotely restoring power. Last month’s hacking campaign also made use of denial-of-service attacks.
It’s still too early to definitively attribute the attacks to the Russian government, but it’s also not possible to rule the possibility out. Last month’s attack came around the same time that the US intelligence community blamed Russia for hacks against Democratic groups and individuals, attacks that were allegedly aimed at disrupting the 2016 US presidential election. If Russia is in fact behind campaigns in both countries, the attacks signal Russia’s growing willingness to use hacking to achieve geopolitical goals. Even if Russia isn’t involved, the events in Ukraine demonstrate that once-unprecedented attacks on power facilities and other critical infrastructure are quickly becoming the new normal.