25 February 2021

The world-changing 2015 cyberattack on Ukraine's power grid

By Roman Marshanski

In 2015, operators at Ukrainian energy distribution companies fell victim to a sophisticated cyberattack that used spear-phishing emails for initial entry into their networks, the BlackEnergy 3 malware for reconnaissance and credential theft, and other techniques in the later stages.

The attackers remained undetected for more than six months before causing a power outage by manually manipulating the industrial control systems.

According to testimony by the director of the NSA and analysis by the Council on Foreign Relations (both cited below), a similar cyberattack on the US power grid could be carried out by a few nations, and the likelihood of stopping such an attack would be low.

User awareness training, Zero Trust Network Access (ZTNA), manual takeover by physically present personnel, and other measures can be used to stop or contain similar attacks.

Background

By making the world more connected, the Internet has also exposed its most critical systems, opening the gates to a new kind of war: one in which humans wreak colossal physical damage from behind a computer screen. This report is about one of those scenarios.

Not long ago, a cyberattack on the electric grid was considered science fiction, and many cybersecurity experts dismissed it as impossible. Then everything changed: such an attack left more than two hundred thousand people without electric power.

In fact, one former high-ranking US intelligence official did not believe the story at first. Like many in the industry, he knew the old joke that squirrels are a greater threat to the electric grid than hackers. The joke exists because, until that game-changing attack, the external cause of a power outage was usually a bird or a rodent; no hacker group had ever been shown to be capable of taking down a grid.

That changed on December 23rd, 2015, when an outage left about 225,000 people in Ukraine without electricity. The next day, the Ukrainian news outlet TSN reported that a cyberattack had left half of the Ivano-Frankivsk region de-energized. The event was in fact a series of coordinated cyberattacks against three energy distribution companies.

The resulting outage lasted only a few hours. But during those hours, the attackers controlled the SCADA distribution management systems.

Investigative insight & outlook

Industry surveys commonly estimate that around 91 percent of cyberattacks start with a malicious email. This attack, the first of its kind, used the same vector: the attackers sent spear-phishing emails to the energy companies' IT and administrative staff.

These emails carried malicious Office documents as attachments. When an employee opened one of them, a popup asked them to enable macros. That popup is shown in the picture below.

Once macros were enabled, the embedded VBA macro dropped and executed the malware on the workstation. The malware delivered this way was BlackEnergy 3.
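The macro step above is the one a mail gateway can check for mechanically. The following is an added triage check, not code from the original post or from any gateway product: it answers whether an Office attachment carries a VBA project at all, by inspecting the container rather than the file extension. OOXML files (.docx/.docm/.xlsm) are zip archives in which macros live in a vbaProject.bin part; legacy .doc/.xls files are OLE2 compound files whose directory entries (UTF-16LE names) include a _VBA_PROJECT stream when macros are present. The sample documents are constructed in memory and are not real malware; the OLE2 sample is a header-sized stub, not a valid document.

```python
import io
import zipfile

# Added, simplified attachment check (not from the original post). It inspects content,
# not the extension, so a renamed macro document is still caught.

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"       # legacy .doc/.xls compound file header
ZIP_MAGIC = b"PK\x03\x04"                              # OOXML (.docx/.docm/.xlsm) is a zip container
OLE2_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")   # stream name in Word and Excel VBA storages


def ooxml_has_vba(data: bytes) -> bool:
    """True if the OOXML container holds a vbaProject.bin part (the VBA storage)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def ole2_has_vba(data: bytes) -> bool:
    """Heuristic for legacy binary documents: look for the VBA stream name in the directory.
    A full check would parse the OLE2 FAT and directory; a string search is enough for triage."""
    return OLE2_VBA_MARKER in data


def has_vba_macros(data: bytes) -> bool:
    if data.startswith(ZIP_MAGIC):
        return ooxml_has_vba(data)
    if data.startswith(OLE2_MAGIC):
        return ole2_has_vba(data)
    return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Verdict for a gateway rule: quarantine anything carrying macros, whatever its extension."""
    if has_vba_macros(data):
        return "quarantine: VBA macros present in %s" % filename
    return "deliver: no VBA project in %s" % filename


# ---- constructed samples (built in memory; not real documents or malware) ----
def make_ooxml_sample(with_macros: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)   # stand-in for a VBA storage
    return buf.getvalue()


def make_ole2_sample(with_macros: bool) -> bytes:
    body = bytearray(OLE2_MAGIC + b"\x00" * 504)              # header-sized stub only
    if with_macros:
        body += b"\x00" * 16 + OLE2_VBA_MARKER + b"\x00" * 16  # directory entry name as it would appear
    return bytes(body)


if __name__ == "__main__":
    for name, blob in [("invoice.docm", make_ooxml_sample(True)),
                       ("invoice.docx", make_ooxml_sample(False)),
                       ("report.doc", make_ole2_sample(True)),
                       ("notes.doc", make_ole2_sample(False))]:
        print(classify_attachment(name, blob))
```

The OLE2 branch is deliberately a heuristic: it will miss a document whose directory has been obfuscated and can be fooled by crafted padding, so it belongs in a gateway as one signal alongside sandbox detonation, not as the sole decision.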

BlackEnergy began as a DDoS toolkit. The Sandworm group, attributed to Russia, extended BlackEnergy 2 into its latest known iteration, BlackEnergy 3, adding capabilities for espionage against industrial control system networks. In other words, the attackers used this malware to collect information about the energy companies' networks, not to cut off the power.

This malware can be recognized in two ways. First, by antivirus detection names; Kaspersky products report it as:

Backdoor.Win32.Blakken

Backdoor.Win64.Blakken

Backdoor.Win32.Fonten

Heur:Trojan.Win32.Generic (a generic heuristic verdict that also fires on unrelated malware, so on its own it is a weak indicator)

Second, with the YARA rules that follow, originally published by Kaspersky Lab's researchers.

// detect common properties of the BE2 and BE3 loader
rule BlackEnergy
{
    strings:
        $hc1 = {68 97 04 81 1D 6A 01}
        $hc2 = {68 A8 06 B0 3B 6A 02}
        $hc3 = {68 14 06 F5 33 6A 01}
        $hc4 = {68 AF 02 91 AB 6A 01}
        $hc5 = {68 8A 86 39 56 6A 02}
        $hc6 = {68 19 2B 90 95 6A 01}
        $hc7 = {(68 | B?) 11 05 90 23}
        $hc8 = {(68 | B?) EB 05 4A 2F}
        $hc9 = {(68 | B?) B7 05 57 2A}
    condition:
        2 of ($hc*)
}

// detect BE3 variants that are not caught by the general BlackEnergy rule
rule BlackEnergy3
{
    strings:
        $a1 = "MCSF_Config" ascii
        $a2 = "NTUSER.LOG" ascii
        $a3 = "ldplg" ascii
        $a4 = "unlplg" ascii
        $a5 = "getp" ascii
        $a6 = "getpd" ascii
        $a7 = "CSTR" ascii
        $a8 = "FONTCACHE.DAT" ascii
    condition:
        4 of them
}

// detect both packed and unpacked variants of the BE2 driver
rule BlackEnergy2_Driver
{
    strings:
        $a1 = {7E 4B 54 1A}
        $a2 = {E0 3C 96 A2}
        $a3 = "IofCompleteRequest" ascii
        $b1 = {31 A1 44 BC}
        $b2 = "IoAttachDeviceToDeviceStack" ascii
        $b3 = "KeInsertQueueDpc" ascii
        $c1 = {A3 41 FD 66}
        $c2 = {61 1E 4E F8}
        $c3 = "PsCreateSystemThread" ascii
    condition:
        all of ($a*) and 3 of ($b*, $c*)
}

// detect BE2 variants, typically plugins or loaders containing plugins
rule BlackEnergy2
{
    strings:
        $ex1 = "DispatchCommand" ascii
        $ex2 = "DispatchEvent" ascii
        $a1 = {68 A1 B0 5C 72}
        $a2 = {68 6B 43 59 4E}
        $a3 = {68 E6 4B 59 4E}
    condition:
        all of ($ex*) and 3 of ($a*)
}

The attackers had this malware in place about six months before turning off the power. During those months they used it to collect credentials, elevate privileges, and move laterally across the network. That lateral movement eventually took them into the distribution companies' SCADA networks.

Once inside the SCADA environment, the attackers uploaded malicious firmware to the serial-to-ethernet gateway devices, rendering them inoperable so that the substations could not be brought back under remote control afterwards. They then used the companies' existing remote access tools to reach the operator workstations and, through them, the industrial control system.

Access to the operator workstations then let them lock the operators out of their own control interfaces. They had earlier staged a customized KillDisk wiper across many systems, and it was used to destroy workstations and servers once the outage was underway, slowing recovery. Finally, the attackers opened the circuit breakers from the hijacked workstations. At the same time, they mounted a telephone denial-of-service attack against the energy company's call center so that customers could not report the outage.

While the attack used several different software components, none of them caused the outage directly. The outage was caused by the attackers' manual manipulation of the industrial control systems through the hijacked operator interfaces.

All of the stages of this attack are depicted in the figure below.

What happened in Ukraine can happen in the USA. According to the Council on Foreign Relations, "the U.S. power system is as vulnerable—if not more vulnerable—to a cyberattack as systems in other parts of the world," and its growing dependence on IT systems is likely to make it more vulnerable still.

According to the United States Government Accountability Office, in a report and related testimony to the U.S. Senate, the grid's reliance on IT systems and its increased interconnectivity can be exploited by malicious actors, and smart grid systems consistently lack security features. This is not the only source pointing to the vulnerability of U.S. critical infrastructure.

Admiral Michael Rogers, then Director of the National Security Agency, stated in Congressional testimony that a few countries, including China, likely have the capability to shut down the U.S. power grid. Furthermore, according to the Council on Foreign Relations, there is only a low likelihood that security measures would stop a determined and capable adversary.

It is therefore likely that a war between the USA and another well-resourced nation would bring a successful cyberattack on U.S. critical infrastructure, with economic damage in the billions of dollars. The sheer size of the U.S. power grid makes it nearly impossible to render it completely immune to a capable adversary. What can be done is to prepare so that the impact of a successful attack is minimized.

Recommendations & mitigations

One of the attack methods used was spear phishing, and user awareness training is the best way to mitigate it. Mail gateways filter incoming email automatically, but they are unlikely to identify and block spear-phishing emails from well-funded adversaries such as APTs. Such groups and serious criminal organizations test their tooling before use: they can find out which mail gateway a particular utility runs, purchase it, and test lures against it until they find ones it does not block. In other words, automated filtering alone is not very effective against well-crafted spear phishing. Awareness training should therefore be coupled with ongoing phishing simulations so that employees learn the attackers' methods. Two technical controls also take most of the risk out of the macro step itself: Office can be configured through Group Policy to block macros in documents that arrived from the Internet, and sandboxing software can be deployed so that email attachments open in isolated environments from which malware has little chance of escaping.

Another method used was credential theft by malware; keystroke logging was among BlackEnergy 3's capabilities. Organizations should use the YARA tool with the signatures given above to search their networks for indicators of BlackEnergy 3. However, adversaries can modify BlackEnergy 3, switch to different malware, or steal credentials in an entirely different way, so signature scanning has limits. The more durable mitigation is segmentation: separate network zones and separate credentials for the corporate IT and control-system environments, so that credentials stolen on the IT side cannot be reused to move laterally into SCADA.
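To make the YARA rules given earlier and the scanning advice above concrete, here is an added example (not from the original post, and not a substitute for the yara tool) that re-implements the small part of YARA's string syntax those rules use: hex byte patterns with `?` nibble wildcards and `( .. | .. )` alternation, plain ascii strings, and "N of" conditions. It compiles the BlackEnergy loader and BlackEnergy3 rules exactly as written above and evaluates them over input bytes, which shows what a condition like `2 of ($hc*)` or the `(68 | B?)` alternative actually matches. The three sample inputs are constructed byte strings, not real malware, and the translator deliberately rejects hex syntax the rules do not use (jumps such as `[4-6]`).

```python
import re
import sys

# Added example (not from the original post): a minimal re-implementation of the YARA string
# syntax the rules above rely on (hex bytes, '?' nibble wildcards, '( .. | .. )' alternation,
# ascii strings) and their "N of" conditions, for the BlackEnergy loader and BlackEnergy3 rules.
# It shows what those rules match; real scanning should use yara/yara-python with the rules as published.


def nibble_class(tok: str) -> bytes:
    """Regex character class for a byte spec like 'B?' (high nibble B) or '?3' (low nibble 3)."""
    hi, lo = tok
    vals = [b for b in range(256)
            if (hi == "?" or (b >> 4) == int(hi, 16)) and (lo == "?" or (b & 0xF) == int(lo, 16))]
    return b"[" + b"".join(b"\\x%02x" % v for v in vals) + b"]"


def hex_pattern_to_regex(pattern: str) -> bytes:
    """Translate a YARA hex string such as '{(68 | B?) 11 05 90 23}' into a bytes regex."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("hex string must be enclosed in braces: %r" % pattern)
    inner = body[1:-1]
    tokens = re.findall(r"\(|\)|\||[0-9A-Fa-f?]{2}", inner)
    if "".join(tokens) != re.sub(r"\s+", "", inner):
        raise ValueError("unsupported hex string syntax (e.g. jumps): %r" % pattern)
    out = []
    for tok in tokens:
        if tok in ("(", ")", "|"):
            out.append(tok.encode())
        elif tok == "??":
            out.append(b".")                           # any byte (compiled with DOTALL)
        elif "?" in tok:
            out.append(nibble_class(tok))
        else:
            out.append(b"\\x" + tok.lower().encode())  # literal byte, always escaped
    return b"".join(out)


def hex_matches(pattern: str, data: bytes) -> bool:
    return re.search(hex_pattern_to_regex(pattern), data, re.DOTALL) is not None


def compile_strings(defs: dict) -> dict:
    """Map '$name' -> compiled regex for ('hex', '{..}') or ('ascii', 'text') definitions."""
    compiled = {}
    for name, (kind, value) in defs.items():
        if kind == "hex":
            compiled[name] = re.compile(hex_pattern_to_regex(value), re.DOTALL)
        elif kind == "ascii":
            compiled[name] = re.compile(re.escape(value.encode()))
        else:
            raise ValueError("unknown string kind: %s" % kind)
    return compiled


BLACKENERGY_LOADER = compile_strings({
    "$hc1": ("hex", "{68 97 04 81 1D 6A 01}"), "$hc2": ("hex", "{68 A8 06 B0 3B 6A 02}"),
    "$hc3": ("hex", "{68 14 06 F5 33 6A 01}"), "$hc4": ("hex", "{68 AF 02 91 AB 6A 01}"),
    "$hc5": ("hex", "{68 8A 86 39 56 6A 02}"), "$hc6": ("hex", "{68 19 2B 90 95 6A 01}"),
    "$hc7": ("hex", "{(68 | B?) 11 05 90 23}"), "$hc8": ("hex", "{(68 | B?) EB 05 4A 2F}"),
    "$hc9": ("hex", "{(68 | B?) B7 05 57 2A}"),
})
BLACKENERGY3 = compile_strings({
    "$a1": ("ascii", "MCSF_Config"), "$a2": ("ascii", "NTUSER.LOG"), "$a3": ("ascii", "ldplg"),
    "$a4": ("ascii", "unlplg"), "$a5": ("ascii", "getp"), "$a6": ("ascii", "getpd"),
    "$a7": ("ascii", "CSTR"), "$a8": ("ascii", "FONTCACHE.DAT"),
})


def matched_strings(compiled: dict, data: bytes) -> set:
    return {name for name, rx in compiled.items() if rx.search(data)}


def scan(data: bytes) -> list:
    """Names of rules whose condition holds: '2 of ($hc*)' and '4 of them' respectively."""
    hits = []
    if len(matched_strings(BLACKENERGY_LOADER, data)) >= 2:
        hits.append("BlackEnergy")
    if len(matched_strings(BLACKENERGY3, data)) >= 4:
        hits.append("BlackEnergy3")
    return hits


# Constructed inputs (not real samples): bytes placed to satisfy, or just miss, the conditions.
SAMPLE_LOADER = b"MZ" + b"\x00" * 14 + b"\xB3\x11\x05\x90\x23" + b"\x90" * 4 + b"\x68\x97\x04\x81\x1D\x6A\x01"
SAMPLE_BE3 = b"\x00MCSF_Config\x00ldplg\x00unlplg\x00FONTCACHE.DAT\x00"
SAMPLE_CLEAN = b"Quarterly report mentioning NTUSER.LOG once; no loader code in here."

if __name__ == "__main__":
    if len(sys.argv) > 1:                                  # python be_scan.py file1 file2 ...
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, scan(f.read()))
    else:
        for label, blob in (("loader", SAMPLE_LOADER), ("be3", SAMPLE_BE3), ("clean", SAMPLE_CLEAN)):
            print(label, scan(blob))
```

Note how the clean sample contains one BlackEnergy3 string (NTUSER.LOG, a name that appears in plenty of legitimate Windows data) and still scores zero: the `4 of them` threshold exists precisely so that a single common string does not fire the rule. Any modification of the strings by the adversary, which is cheap, defeats these rules, which is why the text above treats them as a point-in-time check rather than a lasting control.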

The attackers also connected to the organizations' VPN with stolen credentials, making themselves look like legitimate employees. Two controls mitigate this: two-factor authentication and time-of-day restrictions on VPN logins. Network security can be strengthened further with Zero Trust Network Access (ZTNA), which authenticates and authorizes every user for every access request, whether that user is inside the network or outside it. A successful VPN login should not by itself grant access to all of the organization's resources.

Additionally, the attackers remotely accessed the power companies' operator workstations. To mitigate this, remote access to operator workstations should be blocked at the network firewall and disabled on the host itself.

To prevent attackers from uploading malicious firmware to the serial-to-ethernet gateways, remote management of field devices should be disabled by default and enabled only for the periods when it is genuinely needed.

Furthermore, logging should be enabled on every device that supports it, and the logs forwarded in real time to a security information and event management (SIEM) system where defenders can see them. Defenders must be trained to spot anomalous communications, for example a VPN session reaching into the control network or a connection to a field gateway's management port, and to use tools such as YARA.
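The VPN controls (time-of-day restrictions, VPN access not implying SCADA access) and the SIEM advice above come together in a few correlation rules. The following is an added example, not from the original post or any SIEM product, of those rules run over constructed log lines. The network layout is an assumption: VPN clients receive addresses from 10.10.1.0/24, the control network (operator workstations, HMIs, serial-to-ethernet gateways) is 10.60.0.0/24, and the gateways are managed over telnet (23) and HTTP (80). The log format ("date time source event key=value ...") is likewise invented for the example; a real deployment would parse the VPN concentrator's and firewall's own formats. The rules flag VPN logins outside business hours, any VPN client reaching into the control network, and any connection to a gateway management port, and they attach the VPN user to each firewall hit by remembering which address a login was assigned.

```python
import ipaddress
from datetime import datetime, time

# Added example (not from the original post). Network layout and log format are assumptions.
VPN_POOL = ipaddress.ip_network("10.10.1.0/24")     # addresses handed to VPN clients
ICS_SUBNET = ipaddress.ip_network("10.60.0.0/24")   # operator workstations, HMIs, field gateways
GATEWAY_MGMT_PORTS = {23, 80}                       # telnet/HTTP management on serial-to-ethernet gateways
BUSINESS_HOURS = (time(7, 0), time(19, 0))          # window in which VPN logins are expected

# Constructed syslog-style lines: "<date> <time> <source> <event> key=value ...".
SAMPLE_LOGS = """\
2015-12-23 09:12:41 vpn login user=jdoe src=203.0.113.17 assigned=10.10.1.5 result=success
2015-12-23 14:03:09 fw allow src=10.10.1.5 dst=10.50.2.11 dport=443 proto=tcp
2015-12-23 23:48:12 vpn login user=ops_svc src=198.51.100.23 assigned=10.10.1.7 result=success
2015-12-23 23:51:30 fw allow src=10.10.1.7 dst=10.60.0.21 dport=3389 proto=tcp
2015-12-23 23:55:02 fw allow src=10.10.1.7 dst=10.60.0.40 dport=23 proto=tcp
"""


def parse_line(line: str):
    """Return a dict of the line's fields, or None for anything that is not in the expected shape."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[4:] if "=" in p)
    return {"ts": ts, "source": parts[2], "event": parts[3], **fields}


def in_business_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return start <= ts.time() < end


def detect(lines):
    """Run the three correlation rules; returns alerts in log order with the VPN user attached."""
    alerts = []
    sessions = {}   # VPN-assigned address -> user, so later firewall hits carry an identity
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["source"] == "vpn" and ev["event"] == "login" and ev.get("result") == "success":
            user = ev.get("user", "?")
            sessions[ev.get("assigned")] = user
            if not in_business_hours(ev["ts"]):
                alerts.append({"rule": "vpn_login_off_hours", "user": user, "line": line})
        elif ev["source"] == "fw" and "src" in ev and "dst" in ev:
            try:
                src, dst = ipaddress.ip_address(ev["src"]), ipaddress.ip_address(ev["dst"])
            except ValueError:
                continue
            user = sessions.get(ev["src"], "unknown")
            if src in VPN_POOL and dst in ICS_SUBNET:
                alerts.append({"rule": "vpn_to_ics", "user": user, "line": line})
            if dst in ICS_SUBNET and int(ev.get("dport", 0)) in GATEWAY_MGMT_PORTS:
                alerts.append({"rule": "ics_gateway_mgmt", "user": user, "line": line})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS.splitlines()):
        print("%-20s %-8s %s" % (a["rule"], a["user"], a["line"]))
```

On the sample, jdoe's daytime login and browsing to a corporate server produce nothing, while ops_svc's late-night login, its RDP connection to a control-network host, and its telnet connection to a gateway produce four alerts, all attributed to the same account. The vpn_to_ics rule is the one that encodes the zero-trust point: with proper segmentation that flow should be impossible, so a single hit is worth an analyst's attention regardless of the hour.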

Defenders should also use backup and recovery tools to capture known-good images of workstations, servers, and device configurations. Those images establish a baseline of normal state, which makes abnormal changes easier and faster to identify and makes restoration faster after a wiper such as KillDisk.

Moreover, power stations and their control systems must be configured so that physically present personnel can take over manual operation. This is what allowed the staff of the Ukrainian power companies to restore electricity within a few hours.

There’s also a more innovative way to secure the power grid: blockchain technology. According to the research paper "Distributed Blockchain-Based Data Protection Framework for Modern Power Systems Against Cyber Attacks", blockchain technology can increase the power grid security “by using meters as nodes in a distributed network which encapsulates meter measurements as blocks”.
