Thursday, December 31, 2015

More info on Ukrainian power problems

I wanted to update the available information on the Ukrainian utility hacks to round out my blogging year.  Nothing like ending the year on a high note :)


Based on available reporting, it appears that attackers combined both cyber and kinetic sabotage for maximum effect.  This article indicates that explosions were heard and damage consistent with an explosion was found near a pylon supporting power lines.
The text below comes from the official Ukrainian Government website (translated with Google Translate).  It indicates that malware was used in the attacks.
Security Service of Ukraine has warned Russian special services try to hit the computer network of the energy complex of Ukraine.
Employees of the Security Service of Ukraine found malicious software in the networks of individual regional power companies. Virus attack was accompanied by continuous calls (telephone "flood") technical support room supply.
Malware localized. Continued urgent operational-investigative actions.
Press Center Security Service of Ukraine
Another interesting note is the use of  telephone DoS attacks during the suspected malware attack.  Any organization conducting sand table exercises should consider how this combination of attacks would impact an incident response.

Reuters also published information on the suspected attack in this article, though technical details on the malware and/or tactics used are largely lacking.

An direct attack on one nation's power grid by another nation would potentially open the door for retaliation in the form of disruptive cyber attacks.  The laws of war for cyber attacks that cause kinetic effects are not universally accepted and are poorly understood by political leaders who might order or authorize such attacks.  Citizens in a nation who believe that the state is not acting in their best interests might move to strike without the authorization of the state.  While the danger of asymmetric cyber warfare has been discussed fairly extensively, we lack real experience to know how nations will react to this sort of attack.

As I was finishing this post, I noted that my friend and SANS colleague Robert M. Lee is working on a post of his own.  Stay tuned to his updates as he apparently has acquired a sample of suspected malware used in the attack.

Happy New Year and let's have a great 2016!

Update: Twitter follower "Lin S" noted that the telephone DoS may have simply been an overload of phone capacity as technicians and customers called for help.  I meant to note this as a possibility originally, but got busy when someone forwarded me a sample of the malware (I'm a malware geek at heart).  If the numbers flooded were publicly available, then this is probably due to customers without power.  If the number is not publicly available (e.g. internal help desk), it would more likely indicate malicious attacker behavior.  The reason I gravitated to the latter was the note of the "telephone flood" in the official state press release.

1 comment:

  1. Using Kaspersky Anti-virus for a number of years now, and I would recommend this solution to all you.

    ReplyDelete

Note: Only a member of this blog may post a comment.