SANS Industrial Control Systems Security Blog

Current Reporting on the Cyber Attack in Ukraine Resulting in Power Outage

SANS ICS

This post was written by Michael J. Assante, SANS ICS Director

There have been a small number of reports describing a power outage in Eastern Ukraine on the day before Christmas Eve. What makes these reports unique is the cited cause of the outage. A small number of sources in Russia and Ukraine indicate the electrical outage was caused by a cyber attack, specifically a virus from an outside source. I am skeptical, as the referenced outage has been hard to substantiate and the cause surfaced relatively quickly (normally, determining the root cause of an incident takes time, especially when it pertains to activity on the network).

The power outage was described as technical failures taking place on Wednesday, December 23 that impacted a region around Ivano-Frankivsk Oblast. One report suggested the utility began to disconnect power substations for no apparent reason. The same report goes on to describe a virus that was launched from the outside and brought down the "remote management system" (a reference to the SCADA and/or EMS). The outage was reported to have lasted six hours before electrical service was restored. At least two reports suggest the utility had initiated manual controls for restoration of service while the SCADA system was still off-line due to the infection.

The technical details provided simply characterize what system operators observed while also indicating it was a virus. One report stated, "central dispatch was blinded", which may refer to a loss of view that could have been the result of a denial of service due to a data storm, an HMI crash, or the loss of communications from the field. Quotes from one source suggest a company official said, "We can say that the system was actually hacked".

A later report originating from Ukraine was quick to suggest the Security Service of Ukraine (SBU) suppressed an attempt by Russian special services to affect computer networks of the energy complex of Ukraine. This report would indicate that more than one utility had been infected. This report describes the attack as a denial of service or flood. The source attributes the reports to the SBU press center. They go on to suggest the malicious software has been located and an investigation is ongoing.

If these reports end up being true and the cause was a malicious outsider, then we are being publicly introduced to the world's second or third known power outage caused by a cyber attack. The attack as described sounds like a virus delivered by unknown means that was capable of causing data floods on the SCADA network, but it is too soon to tell if it was a simple denial of service or not. It is unclear if the utility that suffered the outage took the system down in order to shift to manual control (which would be odd) or if the outage was a result of the system being misoperated (breakers being opened as a part of the cyber attack).

It is important to exercise caution before jumping to conclusions for several reasons. First, Open Source Intelligence (OSINT), although valuable, can be falsified. Intelligence analysis must consider the credibility and type of sources that produced the information. In this case there is a Russian security lab news source, a financial press page in Ukraine, and a media outlet inside of Ukraine. I am hoping that references to SBU press center statements will be easy to validate in the coming days. Second, the technical details released are sparse, as is to be expected. The attack has been referred to by all three sources as being malware-based, but one source indicates a denial of service while another talks about an infection that was able to knock substations out of service.

If this incident can be validated, then we would like to analyze the malware and try to determine if the disruption in electrical service was the result of a designed payload, or if the system was shut down for other reasons (for example, loss of view), or a natural event that escalated into an outage as a result of the SCADA not performing as expected. The difference between an intentional and capable threat to a power system and an event where cyber was one of a number of causal factors is a big deal.

One final note: I would also caution readers not to prematurely follow suggestions that it was definitively a Russian attack against Ukraine's infrastructure. The geopolitical situation between Ukraine and Russia includes both open physical conflict and numerous cyber campaigns. Attribution can be difficult, and false flag attacks would not be out of the realm of possibility. There are motives that can be explored on both the Russian and Ukrainian side. As a community we are aware of two recent campaigns involving malware and ICS that can be described as targeted in nature: HAVEX and BlackEnergy2. These two campaigns have been associated with Russian cyber actors. This makes the Ukrainian case even more interesting, but at this time there is not enough reporting or evidence to declare anything definitively.

The SANS ICS team will be closely watching this case and the reporting around it as well as performing our own investigations with contacts in the community. Stay tuned as more information becomes available and we will do our best to keep you informed.

Michael Assante Bio: Michael Assante is currently the SANS lead for Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) security and co-founder of NexDefense, an Atlanta-based ICS security company. He has also served as CSO of NERC, in several high-level positions at Idaho National Labs, and as CSO of American Electric Power.

13 Comments

Posted December 30, 2015 at 9:12 PM

Everardo Trujillo

Thanks for the valuable insight Mr. Assante

Posted January 4, 2016 at 4:22 PM

doug rhoades

Any new info on this Mike?

Posted January 5, 2016 at 2:13 AM

robertmlee

Mike and I will be covering everything we have tomorrow during the webcast: https://www.sans.org/webcasts/deconstructing-reports-iranian-activity-power-grid-york-dam-101327

Posted January 6, 2016 at 10:52 PM

Andrii

It is very good that this was brought up to attention! After more information got public coverage by big names like iSight, ESET, Trend Micro and CyberX, we wrote a local recap of the attack on Media and Energy, adding what we can share as local security specialists, with some comments directly from the frontlines:
https://socprime.com/en/blog/blackenergy-phase-2-from-media-and-electric-companies-to-darknet-and-ttps/

Posted January 8, 2016 at 3:29 PM

M.Trump

Thanks, Mike! I look forward to keeping up with your progress. Looks like your message during our presentation in '15 was dead on the mark.

Posted January 10, 2016 at 4:25 PM

BT

And how are all these related to the power outage exactly? Citing untrustworthy TSN and SBU on the cause without exploring other possibilities is irresponsible! Have we already reliably excluded human error or an act of sabotage, as we already observed in that region recently? Is it possible the power plant workers celebrating upcoming Christmas spilled BEvERage over a control panel that caused a short circuit? Given the corruption spread in the country, is it possible the bureaucrats stole the funds allocated for maintenance? Is there any reason it could not be a technical failure caused by poor CNI maintenance due to lack of government funding caused by the State's debt default? Just to name a few.

Posted January 10, 2016 at 6:18 PM

robertmlee

BT, you're right to want to ensure that 1. sources aren't blindly trusted and 2. all scenarios are ruled out. Over the past couple of weeks the SANS ICS team did our own investigation past what was reported by the TSN and SBU. Most importantly, we did a deep technical analysis of the control systems and what was possible vs. not possible. Based on how they have their systems set up and the impact observed, there is no reasonable possibility that this was a human error, fault, or reliability issue. There was an obvious coordinated attack against multiple sites one after another. Combining that with what we know about the initial foothold the adversary gained through BlackEnergy, what the operators reported having seen from the control systems during the incident, and the deliberate flooding of the telephone lines, we are confident in our analysis. Great questions though, and as folks who are usually skeptical of reported incidents, they are appreciated.

Posted January 10, 2016 at 7:38 PM

BT

@robertmlee, you wrote: "Based on how they have their systems setup and the impact observed there is no reasonable possibility that this was a human error, fault, or reliability issue." This is a very strong statement. It means you are saying that a crime has occurred, and that you have proven beyond any reasonable doubt that it was caused by malware. So, you are confident your evidence will stand trial. This is great! Any possibility you can share details with the community to examine your great work?

Posted January 10, 2016 at 8:46 PM

robertmlee

Yes, as noted at the end of the most recent blog, we will be putting out compiled analysis over the next two months. When we were confident we released the blog, especially since the community was reporting a lot of different narratives, many of which we could disprove. The webcast, conference presentation, and finally the DUC will all provide a lot more analysis on what can be shared. Additionally, I will reiterate that the malware did not cause the outage. The malware was likely used to gain an initial foothold and amplify the attack. Thanks.

Posted January 10, 2016 at 9:48 PM

BT

Thanks for your response @robertmlee. So, "the malware did not cause the outage", unlike stated by TSN and SBU; thanks for the confirmation. Although, it was clear from the analysis provided previously that the code simply did not have the functionality to do so. Also, what exact module in the malware "amplified" the attack?
Let's take a step further: to declare the occurrence of a malicious act / crime, apart from the opportunity (insecure systems) and the means (malware), we need a motive.
What is the motive to leave millions of people without electricity at winter time for the alleged Nation State if it can simply turn the gas supply off? Yet instead it supplies gas to the regions where the suffering State is not providing to its own citizens due to the geo-political reasons?!
Have you thought about a false flag operation? When a State already knowingly deprives its own citizens of power in one part of the country, doing so in another part of the country while at the same time accusing another State seems a reasonable motive to me.

Posted January 18, 2016 at 7:18 PM

robertmlee

No problem. As far as the amplified comment, we are specifically referring to the capability to blind the operators by taking out the SCADA applications. Taking those applications out would not cause a power outage, but it would make restoration more difficult. We've thought heavily on the false flag operations aspect; when the case was first discovered Dec 23/24th that was my first theory actually. I figured it was either a false flag or that it was just a reliability issue and malware just happened to have been found. So I started off skeptical and then, through analysis of the available data, etc., am now confident it was an attack. More information does need to be public though, and we're working to make it so; hopefully to help others feel confident as well so we can extract lessons learned. There's definitely nation-state motivation on this one for a couple of areas, but we are staying away from that because attribution is not what we want to focus on; only the lessons learned for defense.

Posted January 19, 2016 at 10:34 AM

Joel Langill

I am most interested in Robert M Lee providing some additional details around his statement "we did a deep technical analysis of the control systems" and helping me understand: (1) how you knew the specifics of the ICS vendors and architecture, and (2) the methods you used to perform such a rigorous analysis.

Posted January 19, 2016 at 4:24 PM

robertmlee

Very fair questions, Joel. We're working on a paper that will go through most of that. The purpose of the blog was not to provide any sort of evidence but to state our confidence level and where we are with it; the evidence will be in the paper and accompanying webcast. The SANS ICS team has called out events that were just hype before, and given that we had credible evidence to state that this wasn't hype, we felt we owed it to the community to try to get ahead of any sort of news spin that would state facts incorrectly (like the reports stating that KillDisk took down the power).