On March 18, 2016, a report was released by a joint team from the North American Electric Reliability Corporation’s Electricity Information Sharing Analysis Center and SANS Industrial Control Systems. According to the report, the cyber attack against a Ukrainian electric utility in December 2015 that caused 225,000 customers to lose power for several hours was based on months of undetected reconnaissance that gave the attackers a sophisticated understanding of the utility’s supervisory control and data acquisition networks.
The report states that the attackers initiated their reconnaissance of the utility’s systems approximately six months before carrying out a coordinated series of attacks within 30 minutes of one another on December 23, 2015. Power was restored after several hours, but grid operators were forced to switch to manual mode to do so and remained operationally constrained for a substantial period of time after the attack.
The attack featured a wide range of sophisticated tactics, including spear phishing emails, variants of BlackEnergy3 malware, manipulation of Microsoft Office documents infected with malware, harvesting credentials and other information to gain access to the Internet Connection Sharing (“ICS”) network, operating ICSs through supervisory control systems, targeting field devices at substations, writing custom malicious firmware to render devices such as serial-to-ethernet convertors inoperable, and using telephone systems to generate thousands of calls to the company’s call center to deny access to customers reporting outages.
But the report found the level and extent of undetected reconnaissance to distinguish the attack: “[T]he strongest capability of the attackers was not in their choice of tools or in their expertise, but in their capability to perform long-term reconnaissance operations required to learn the environment and execute a highly synchronized, multistage, multisite attack.” The report warned that such prolonged, undetected access can enable attackers to tailor attacks to individual systems’ weak points.
The attack was the first publicly acknowledged attack against an electric utility to result in power outages and, the report suggests, involved nothing that would prevent it from being replicated or adapted to critical infrastructure systems anywhere in the world. In response, the report showcased the ICS cyber kill chain mapping tool to help utilities understand how attackers formulate plans and target vulnerabilities, highlighting the value of basic cybersecurity practices.
“The mitigation recommended here is to understand where this type of information exists inside your business network and ICSs,” the report said. “Minimizing where the information resides and controlling access is a priority for an ICS dependent organization.…It is extremely important to note that neither BlackEnergy3, unreported backdoors, KillDisk, nor the malicious firmware uploads alone were responsible for the outage.…Each was simply a component of the cyber attack for the purposes of access and delay of restoration.…The actual cause of the outage was the manipulation of the ICS itself and the loss of control due to direct interactive operations by the adversary.”
Additional mitigation measures and recommendations are discussed in the report.