Last December 23rd, about 700,000 Ukrainian customers lost power for between 3 and 6 hours. The SANS Industrial Control System (ICS) team recently provided more details about the incident.
The primary target of the attack was the SCADA (supervisory control and data acquisition) systems. SCADA equipment consists of computer-based systems used to control and monitor industrial equipment.
According to Michael Assante, SANS lead for Industrial Control Systems (ICS), the milestones of the cyber attack were the following:
- The adversary initiated an intrusion into production SCADA systems
- Infected workstations and servers (via malware)
- Acted to “blind” the dispatchers
- Acted to damage the SCADA system hosts (servers and workstations)
  - This action would have delayed restoration and introduced risk, especially if the SCADA system was essential to coordinate actions
  - This action can also make forensics more difficult
- Flooded the call centers to prevent customers from calling in to report the power outage (and possibly initiated a DDoS against the company websites)
An example of a SCADA network (Source: www.buraq.com)
A sample of the malware was recovered and analyzed by SANS. It is a 32-bit Windows executable and is modular in nature, indicating that it is one module of a more complex piece of malware. According to Michael Assante, the malware likely enabled the attack, but the ‘KillDisk’ component that was found did not itself cause the outage. This assessment is based on the timing of the attack and the sites it impacted.
The system was restored progressively by staff working in “manual mode” rather than through the SCADA system: “Field staff at the impacted power companies manned required substations, transferring from “automatic to manual mode”, and manually re-closed breakers to energize the system.”
Kyivoblenergo: one of the two power companies that were targeted
Last November, power lines serving almost 2 million residents of the Crimea peninsula were damaged by a pair of explosions, cutting electricity to the region. A similar incident occurred again on December 27th, four days after the cyber attack.