The Cyberattack on Ukraine
After Russia annexed Crimea from Ukraine in 2014, authorities started nationalizing Ukrainian-owned energy companies in Crimea. In late 2015, Ukrainian supporters physically attacked electrical power distribution centers, plunging two million Crimeans into the dark.
Each of Ukraine's 24 regions is served by a different electric company. On December 23, 2015, the Ukrainian power grid experienced a cyberattack. The activists simultaneously attacked three power distribution substations, cutting power to some 230,000 Ukrainians.
The multistage, targeted cyberattack actually started in the spring of 2015. Let's take a look at how the cyberattack unfolded.
The Spear-Phishing Attack. In the first stage, the attackers launched a spear-phishing attack on IT staff and system administrators at three of the power distribution companies in Ukraine. The attack sent e-mails to employees that contained a malicious Word file. If an employee clicked on the document, a popup window told them to enable macros for that file. If they did so, a malicious software program named BlackEnergy3 infected their computers and allowed the hackers entry into their system.
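The first stage hinged on a Word attachment that carried a macro. A mail gateway or analyst can recognise such an attachment by its content rather than its file extension, which matters because a macro-enabled document can be renamed to look like an ordinary one. The following Python example is added here for illustration and is not part of the original case study or of any product; it constructs its own minimal sample documents in memory, and the check for the legacy binary format is a simple stream-name heuristic (an assumption, not a full OLE parser).

```python
import io
import zipfile

# Magic bytes of the OLE2 compound document used by legacy .doc/.xls files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# In legacy Word/Excel files the VBA project lives in a storage named
# "_VBA_PROJECT_CUR"; OLE directory entry names are stored as UTF-16LE.
OLE_VBA_STORAGE = "_VBA_PROJECT_CUR".encode("utf-16-le")
# In OOXML (.docm/.xlsm) the project is the part word/vbaProject.bin and the
# main part is declared with a "macroEnabled" content type.
MACRO_CONTENT_TYPE_HINT = b"macroEnabled"


def has_vba_macros(data: bytes) -> bool:
    """Return True if the attachment bytes appear to carry a VBA project.

    The decision is made on content, never on the file name, because a
    .docm renamed to .doc still opens in Word with its macros intact.
    """
    if data.startswith(OLE_MAGIC):
        # Heuristic for the legacy binary formats (assumption: scanning for the
        # storage name is good enough here; a real parser would walk the
        # OLE directory).
        return OLE_VBA_STORAGE in data
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(name.lower().endswith("vbaproject.bin") for name in names):
                return True
            if "[Content_Types].xml" in names:
                return MACRO_CONTENT_TYPE_HINT in zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        pass  # not an OOXML container at all
    return False


def build_sample_docx(with_macros: bool) -> bytes:
    """Construct a minimal OOXML container for testing (sample data, not a
    real document produced by Word)."""
    main_type = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    if with_macros:
        main_type = "application/vnd.ms-word.document.macroEnabled.main+xml"
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder VBA project\x00")
    return buf.getvalue()


def triage_attachments(attachments: dict) -> dict:
    """Map each attachment name to 'quarantine' or 'allow' based on content."""
    return {
        name: ("quarantine" if has_vba_macros(data) else "allow")
        for name, data in attachments.items()
    }


if __name__ == "__main__":
    # Constructed mailbox: the second file is macro-enabled but renamed to .doc.
    inbox = {
        "invoice.docx": build_sample_docx(with_macros=False),
        "outage_report.doc": build_sample_docx(with_macros=True),
    }
    for name, verdict in triage_attachments(inbox).items():
        print(f"{name}: {verdict}")
```

Running the block prints `invoice.docx: allow` and `outage_report.doc: quarantine`; the renamed file is caught because the verdict never looks at the extension.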
Reconnaissance. The spear-phishing attack allowed the intruders to access the power distribution companies' corporate networks. However, the intruders still had to gain access to the supervisory control and data acquisition (SCADA) networks that actually operated the power grid, and the power companies had competently separated those networks from the corporate networks with a firewall. Therefore, the attackers had to search the corporate networks and gain entry to the Windows domain controllers. From there, the hackers gathered employee login credentials from the user accounts. Some of these login credentials were used by employees to access virtual private networks (VPNs) to remotely log in to the SCADA network. The attackers now had access to the SCADA networks.
Disabling the uninterruptible power supply. The attackers now reconfigured the uninterruptible power supply to the three systems' control centers. They wanted to cut power to the operators as well as to the customers.
Disabling the converters. The attackers then coded malicious software to replace the legitimate software on converters at the power companies' substation control systems. (These converters carry data from the SCADA network to the substations.) Disabling the converters stopped employees from transmitting remote commands to reestablish power after it was cut. The converters could not work and could not be recovered. This meant that the power companies could not recover until they obtained new converters and incorporated them into the power system. (Note: Power companies in the United States use the same type of converters as those used in Ukraine.)
Denial-of-service attack. The attackers now targeted customer call centers, initiating a telephone denial-of-service attack. That meant that customers could not call in to report the blackout when it occurred. The attack jammed the distribution companies' call centers with thousands of false calls, blocking actual customers from getting through. This denial-of-service attack gave the attackers more time to work, because substation employees were not only seeing false information on their hijacked computers but were also receiving no phone calls reporting power outages.
Causing the blackout. On December 23, the attackers used the commandeered VPNs to access the SCADA networks and deactivate the uninterruptible power supply that they had already reconfigured. Then they removed substations from the power grid.
Deploying KillDisk. Lastly, the attackers deployed software called KillDisk to complete their path of destruction. KillDisk deletes or overwrites essential system files on operators' computers to disable them as well. Because KillDisk also wipes the master boot record, operators could not reboot the crashed computers.
About half the homes in Ukraine's Ivano-Frankivsk region lost power. The cybercriminals also simultaneously attacked a large mining company and a major railway. The incidents seem to have been politically motivated, meant to disable Ukrainian critical infrastructure in a strike, according to security analysts at Trend Micro (www.trendmicro.com).
Homes and businesses in the affected areas lost power for only one to six hours. However, more than two months later, the control centers were still not completely back online. Electricity was still being delivered, but employees had to operate the power substations manually.
The attack caused only digital damage; if the substations had been physically damaged, it would have taken much longer to restore power. In 2007, the U.S. government showed how criminals could remotely destroy a power generator through a SCADA attack with just 21 lines of malicious code.
Infrastructure personnel can learn many lessons from the attack. Ukraine's power generation control systems were unexpectedly more robust than some in the United States, because the Ukrainian SCADA networks were separated from the business networks with excellent firewalls. However, the Ukrainian control systems still had security weaknesses. For example, employees remotely accessing the SCADA network were not required to use two-factor authentication, which enabled the hackers to gain entry to the SCADA systems with the login information they had stolen.
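The weakness named here, password-only VPN access into the control network, is one that a defender can both audit and watch for in authentication logs. The Python example below is added for illustration and is not from the case study or any vendor; it runs over a handful of constructed log lines in a made-up key=value format (real VPN concentrators each have their own format, so the regular expression is an assumption to adapt) and raises three kinds of findings: a successful login to a protected VPN without a second factor, an account that appears from a new source address within a short window, and a single source address used by several accounts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). The format and
# the field names are assumptions for this example.
SAMPLE_LOG = """\
2015-12-23T09:02:11Z vpn=scada-vpn user=o.shevchenko src=198.51.100.7 mfa=none result=success
2015-12-23T09:05:40Z vpn=corp-vpn user=i.bondar src=198.51.100.9 mfa=totp result=success
2015-12-23T15:20:03Z vpn=scada-vpn user=o.shevchenko src=203.0.113.45 mfa=none result=success
2015-12-23T15:21:17Z vpn=scada-vpn user=m.kovalenko src=203.0.113.45 mfa=none result=failure
2015-12-23T15:22:09Z vpn=scada-vpn user=m.kovalenko src=203.0.113.45 mfa=none result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn=(?P<vpn>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) mfa=(?P<mfa>\S+) result=(?P<result>\S+)$"
)


def parse(log_text: str) -> list:
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_findings(events: list, protected_vpns=("scada-vpn",),
                  window: timedelta = timedelta(hours=12)) -> list:
    """Return (kind, user, src, ts) tuples for successful logins to a
    protected VPN that violate one of three rules."""
    findings = []
    last_seen = {}                      # user -> (src, ts) of last success
    users_by_src = defaultdict(set)     # src -> accounts that logged in from it
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success" or ev["vpn"] not in protected_vpns:
            continue
        # Rule 1: the control network must not be reachable with a password alone.
        if ev["mfa"] == "none":
            findings.append(("NO_MFA", ev["user"], ev["src"], ev["ts"]))
        # Rule 2: the same account from a different address within the window.
        prev = last_seen.get(ev["user"])
        if prev and prev[0] != ev["src"] and ev["ts"] - prev[1] <= window:
            findings.append(("NEW_SOURCE", ev["user"], ev["src"], ev["ts"]))
        last_seen[ev["user"]] = (ev["src"], ev["ts"])
        users_by_src[ev["src"]].add(ev["user"])
    # Rule 3: one address driving several accounts suggests a harvested credential set.
    for src, users in users_by_src.items():
        if len(users) > 1:
            findings.append(("SHARED_SOURCE", ",".join(sorted(users)), src, None))
    return findings


if __name__ == "__main__":
    for kind, user, src, ts in find_findings(parse(SAMPLE_LOG)):
        print(f"{kind:14} user={user} src={src} ts={ts}")
```

On the sample, both SCADA accounts trigger NO_MFA on every success, o.shevchenko triggers NEW_SOURCE on the afternoon login, and 203.0.113.45 triggers SHARED_SOURCE because two accounts used it. The failed attempt is deliberately ignored by the source rules so that a single mistyped password does not raise noise; a real deployment would feed these findings into the SOC queue rather than print them.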
Another lesson is that in the United States many power systems lack manual backups. That is, if criminals were to attack automated SCADA systems in the United States, it would be much more difficult to bring the grid back online.
This first-ever successful attack on a power grid's computers is a dire safety warning for other such systems across the world. Experts in industrial control systems at the SANS Institute (www.sans.org) say the hack of the Ukrainian power grid was the first time that cybercriminals have managed to directly bring down a power grid.
In December 2016, Ukraine was attacked again. Reports alleged that a group of Russians attacked computers at a control center of a power supplier in Kiev. The attackers apparently used phishing attacks on workers, enabling the intruders to grab login information and disable substations. The shutdown affected some 20 percent of Kiev's nighttime electrical use.
Sources: Compiled from J. Condliffe, “Ukraine's Power Grid Gets Hacked Again, a Worrying Sign for Infrastructure Attacks,” MIT Technology Review, December 22, 2016; E. Markowitz, “After Ukraine Cyberattacks, FBI and DHS Urge U.S. Power Companies to Develop Better Safety Protocols,” International Business Times, April 21, 2016; “FBI, DHS Issue Warning about Increasing Cyber Threat to Nation's Power Grid after Downplaying It in January,” Cyberwar.news, April 12, 2016; B. Gertz, “FBI Warns of Cyber Threat to Electric Grid,” The Washington Free Beacon, April 8, 2016; K. Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid,” Wired, March 3, 2016; D. Voltz, “U.S. Government Concludes Cyber Attack Caused Ukraine Power Outage,” Reuters, February 25, 2016; W. Ashford, “Ukraine Cyber Attacks Beyond Power Companies, Says Trend Micro,” Computer Weekly, February 12, 2016; J. Robertson and M. Riley, “How Hackers Took Down a Power Grid,” Bloomberg BusinessWeek, January 14, 2016; M. Heller, “Russian Actors Accused of Attacking Ukraine with BlackEnergy Malware,” TechTarget, January 4, 2016; D. Goodin, “First Known Hacker-Caused Power Outage Signals Troubling Escalation,” Ars Technica, January 4, 2016; J. Cox, “Malware Found Inside Downed Ukrainian Grid Management Points to Cyberattack,” Motherboard, January 4, 2016.
- Questions (1 point * 3 = 3 points)
  - Describe what the Ukrainian power distribution companies did correctly to try to prevent such attacks.
  - Describe what other actions the Ukrainian power distribution companies did incorrectly, or did not do at all, in order to try to prevent such attacks.
  - What lessons can other power companies gain from the Ukrainian cyberattack?
- Explain the following 10 types of deliberate attacks (for each item, please do not write more than 5 lines). (0.2 point * 10 = 2 points)
  - Espionage and trespass
  - Information extortion
  - Sabotage and vandalism
  - Identity theft
  - Phishing attack
  - Distributed denial-of-service (DDoS) attack
  - Back door
  - Supervisory control and data acquisition (SCADA) attacks
  - Cyberterrorism and cyberwarfare