This post was written by Michael J. Assante, SANS ICS Director
There have been a small number of reports describing a power outage in Eastern Ukraine on the day before Christmas Eve. What makes these reports unique is the cited cause of the outage. A small number of sources in Russia and Ukraine indicate the electrical outage was caused by a cyber attack, specifically a virus from an outside source. I am skeptical, as the referenced outage has been hard to substantiate and the cause surfaced relatively quickly (normally, determining the root cause of an incident takes time, especially when it pertains to activity on the network).
The power outage was described as technical failures taking place on Wednesday, December 23 that impacted a region around Ivano-Frankivsk Oblast. One report suggested the utility began to disconnect power substations for no apparent reason. The same report goes on to describe how a virus was launched from outside and brought down the "remote management system" (a reference to the SCADA and/or EMS). The outage was reported to have lasted six hours before electrical service was restored. At least two reports suggest the utility had initiated manual controls for restoration of service while the SCADA system was still offline due to the infection.
The technical details provided simply characterize what system operators observed while also indicating it was a virus. One report stated, "central dispatch was blinded", which may refer to a loss of view that could have been the result of a denial of service due to a data storm, an HMI crash, or the loss of communications from the field. Quotes from one source suggest a company official said, "We can say that the system was actually hacked".
A later report originating from Ukraine was quick to suggest the Security Service of Ukraine (SBU) suppressed an attempt by Russian special services to affect computer networks of the energy complex of Ukraine. This report would indicate that more than one utility had been infected. This report describes the attack as a denial of service or flood. The source attributes the reports to the SBU press center. They go on to suggest the malicious software has been located and an investigation is ongoing.
If these reports end up being true and the cause was a malicious outsider, then we are being publicly introduced to the world's second or third known power outage caused by a cyber attack. The attack as described sounds like a virus delivered by unknown means that was capable of causing data floods on the SCADA network, but it is too soon to tell whether it was a simple denial of service or not. It is unclear whether the utility that suffered the outage took the system down in order to shift to manual control (which would be odd) or whether the outage was a result of the system being misoperated (breakers being opened as part of the cyber attack).
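The two network-visible causes of a "loss of view" raised above, a data storm that floods the SCADA network and a loss of communications from the field, leave opposite fingerprints in front-end polling telemetry: one RTU suddenly talks far too much, the other stops talking. The following is an added defender-side example, not code from the original post or from any utility involved; it runs over a constructed poll log (the RTU names, timestamps, and the 5-second nominal poll interval are assumptions) and classifies each RTU's last window as normal, flooding, or silent. An HMI crash would not show up here at all, since the field traffic stays normal while the operator's display freezes, which is exactly why the post lists it as a separate possibility.

```python
"""Classify loss-of-view symptoms from constructed SCADA polling telemetry."""
from collections import defaultdict

# Constructed sample (not data from the incident): one "seconds rtu_id" line per
# poll reply seen at the front-end processor. RTU-01 behaves normally, RTU-02
# starts flooding the link at t=30 (data storm), RTU-03 falls silent after t=25
# (loss of field communications). All names and timings are assumptions.
SAMPLE_POLL_LOG = "\n".join(
    [f"{t} RTU-01" for t in range(0, 60, 5)]            # steady 1 reply / 5 s
    + [f"{t} RTU-02" for t in range(0, 30, 5)]          # normal for 30 s, then
    + [f"{30 + i / 10:.1f} RTU-02" for i in range(300)]  # 10 replies / s for 30 s
    + [f"{t} RTU-03" for t in range(0, 30, 5)]          # nothing after t=25
)

NOMINAL_POLL_INTERVAL = 5.0   # assumed seconds between healthy poll replies
WINDOW = 30.0                 # seconds of telemetry examined per assessment


def parse_poll_log(text):
    """Return {rtu_id: sorted list of reply timestamps in seconds}."""
    replies = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rtu = line.split()
        replies[rtu].append(float(ts))
    return {rtu: sorted(ts) for rtu, ts in replies.items()}


def classify_window(timestamps, window_start, window_end,
                    nominal_interval=NOMINAL_POLL_INTERVAL,
                    storm_factor=5.0, silence_factor=3.0):
    """Label one RTU's traffic in [window_start, window_end).

    data_storm     : replies exceed storm_factor x the expected count
    no_field_comms : no reply for more than silence_factor x the poll interval
    normal         : neither symptom present
    """
    in_window = [t for t in timestamps if window_start <= t < window_end]
    expected = (window_end - window_start) / nominal_interval
    if len(in_window) > storm_factor * expected:
        return "data_storm"
    # Silence is judged from the most recent reply before the window closes,
    # so an RTU that stopped earlier is still caught even with no in-window data.
    last_seen = max((t for t in timestamps if t < window_end), default=None)
    if last_seen is None or window_end - last_seen > silence_factor * nominal_interval:
        return "no_field_comms"
    return "normal"


def assess(log_text, now):
    """Classify every RTU over the WINDOW seconds ending at `now`."""
    replies = parse_poll_log(log_text)
    return {rtu: classify_window(ts, now - WINDOW, now)
            for rtu, ts in sorted(replies.items())}


def affected_rtus(assessment):
    """RTUs whose label is anything other than normal, in name order."""
    return [rtu for rtu, label in assessment.items() if label != "normal"]


if __name__ == "__main__":
    for rtu, label in assess(SAMPLE_POLL_LOG, now=60.0).items():
        print(f"{rtu}: {label}")
```

The thresholds are deliberately coarse (five times the expected reply count, three missed poll intervals); tuning them against a site's real baseline is the first thing to do before trusting either label, and a fleet-wide jump in `affected_rtus` is the signal that "central dispatch" is about to lose its view rather than a single outstation having a bad day.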
It is important to exercise caution before jumping to conclusions, for several reasons. First, Open Source Intelligence (OSINT), although valuable, can be falsified. Intelligence analysis must consider the credibility and type of sources that produced the information. In this case there is a Russian security lab news source, a financial press page in Ukraine, and a media outlet inside Ukraine. I am hoping that references to SBU press center statements will be easy to validate in the coming days. Second, the technical details released are sparse, as is to be expected. The attack has been referred to by all three sources as being malware-based, but one source indicates a denial of service while another talks about an infection that was able to knock substations out of service.
If this incident can be validated, then we would like to analyze the malware and try to determine whether the disruption in electrical service was the result of a designed payload, or whether the system was shut down for other reasons (for example, loss of view), or a natural event escalated into an outage because the SCADA system did not perform as expected. The difference between an intentional and capable threat to a power system and an event where cyber was one of a number of causal factors is a big deal.
One final note: I would also caution readers not to prematurely follow suggestions that it was definitively a Russian attack against Ukraine's infrastructure. The geopolitical situation between Ukraine and Russia includes both open physical conflict and numerous cyber campaigns. Attribution can be difficult, and false flag attacks would not be out of the realm of possibility. There are motives that can be explored on both the Russian and Ukrainian side. As a community we are aware of two recent campaigns involving malware and ICS that can be described as targeted in nature: HAVEX and BlackEnergy2. These two campaigns have been associated with Russian cyber actors. This makes the Ukrainian case even more interesting, but at this time there is not enough reporting or evidence to declare anything definitively.
The SANS ICS team will be closely watching this case and the reporting around it as well as performing our own investigations with contacts in the community. Stay tuned as more information becomes available and we will do our best to keep you informed.
Bio: Michael Assante is currently the SANS lead for Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) security and co-founder of NexDefense, an Atlanta-based ICS security company. He has also served as CSO of NERC, in several high-level positions at Idaho National Labs, and as CSO of American Electric Power.