First Ever Power Outage Caused By Hackers With Malware Attack On Electrical Grid In Ukraine
Thousands of people in Ukraine experienced a power outage after hackers hit electrical substations during the holiday season, researchers say, a worrying sign of cyberattacks to come.
“This is the first incident we know of where an attack caused a blackout,” said John Hultquist, head of iSIGHT Partners’ cyberespionage intelligence practice. “It’s always been the scenario we’ve been worried about for years because it has ramifications across broad sectors.”
The outage first took a regional control center offline, leaving half of the homes in Ukraine’s Ivano-Frankivsk region without power for several hours, Ukrainian news service TSN reported in an article posted a day after the December 23 failure. The report went on to say that the outage was the result of malware that disconnected electrical substations.
Researchers at iSIGHT on Monday said their analysis of malware found on the systems of at least three regional electrical operators confirmed that a “destructive” cyberattack led to the blackouts across the Ivano-Frankivsk region of Ukraine.
Security experts who have long cautioned about the possibility of cyberattacks on the power grid said that electrical outages can have ripple effects, leaving communities struggling with essentials such as communication and transportation.
If confirmed, this would be the first known instance of a hacker group or individual using malware to cause a full-fledged power outage.
“It’s a milestone because we’ve definitely seen targeted destructive events against energy before—oil firms, for instance—but never the event which causes the blackout,” said Hultquist. “It’s the major scenario we’ve all been concerned about for so long.”
The attackers in this case used malware that wiped files from computer systems and shut them down, leading to the blackout, Hultquist said. The trojan known as BlackEnergy, which started out in 2007 as a tool for distributed denial-of-service (DDoS) attacks, is believed to have since been developed into sophisticated malware and to be behind the blackout. The Trojan was updated two years ago to add a host of new features, including functions able to render infected computers unusable.
According to ESET, the malware was recently updated again to add a new component called KillDisk, a tool that destroys critical components found within hard drives and contains a deadly function that could “sabotage industrial control systems.” The BlackEnergy malware also contains a backdoored SSH utility that lets attackers gain direct access to the infected machine.
A closer look at the BlackEnergy malware indicates that it has mainly been found carrying out spying activities against targets associated with news organizations, power companies and other industrial groups. iSIGHT has yet to confirm that the malware was the culprit, and ESET did not tie the malware to the most recent blackout; ESET did, however, state that the new BlackEnergy features are more than capable of causing one.
“Our analysis of the destructive KillDisk malware detected in several electricity distribution companies in Ukraine indicates that it is theoretically capable of shutting down critical systems,” said Robert Lipovsky and Anton Cherepanov, both malware researchers for ESET, in a blog post published Monday. “However, there is also another possible explanation. The BlackEnergy backdoor, as well as a recently discovered SSH backdoor, themselves provide attackers with remote access to infected systems. After having successfully infiltrated a critical system with either of these trojans, an attacker would, again theoretically, be perfectly capable of shutting it down. In such case, the planted KillDisk destructive trojan would act as a means of making recovery more difficult.”
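The two ESET observations above, a trojanised SSH utility giving remote access and a KillDisk component that destroys files to hinder recovery, are both changes to files on disk that a defender can detect by comparing critical binaries against a known-good baseline. The script below is an added illustration of that check, written for this page; it is not code from the article, ESET or iSIGHT, and the file names it watches (an assumed "sshd", "ssh" and "ssh-helper" in a temporary directory) are constructed sample inputs, not real paths from the incident.

```python
"""
File-integrity baseline check (added example, not part of the original article).

Assumptions: you record a baseline of hashes, sizes and modes for a list of
critical files on a known-good host, store it as JSON, and periodically
re-check the live system against it.  A replaced binary shows up as
"modified", a wiped one as "missing", and a newly dropped file that was
deliberately listed as a watch path shows up as "added".
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record hash, size and permission bits for each watched path.
    A watched path that does not exist yet is recorded as None, so that its
    later appearance can be reported as "added"."""
    baseline = {}
    for p in map(Path, paths):
        if p.is_file():
            st = p.stat()
            baseline[str(p)] = {
                "sha256": sha256_of(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
        else:
            baseline[str(p)] = None
    return baseline


def save_baseline(baseline, out_path):
    Path(out_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_path):
    return json.loads(Path(in_path).read_text())


def check_against_baseline(baseline):
    """Compare the live filesystem with a baseline; return {path: finding}."""
    findings = {}
    current = build_baseline(baseline.keys())
    for path, expected in baseline.items():
        actual = current[path]
        if expected is None and actual is None:
            continue                                  # still absent, nothing to report
        if expected is None:
            findings[path] = "added"                  # a watched path has appeared
        elif actual is None:
            findings[path] = "missing"                # wiped or deleted component
        elif expected["sha256"] != actual["sha256"]:
            findings[path] = "modified"               # contents replaced (e.g. trojanised binary)
        elif expected["mode"] != actual["mode"]:
            findings[path] = "mode-changed"           # permissions tampered with
    return findings


def demo():
    """Constructed scenario: baseline two fake binaries, then simulate a
    trojanised client, a wiped daemon and a dropped helper.  Returns findings
    keyed by file name."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        sshd, ssh, helper = root / "sshd", root / "ssh", root / "ssh-helper"
        sshd.write_bytes(b"\x7fELF sshd original (constructed)")
        ssh.write_bytes(b"\x7fELF ssh original (constructed)")
        baseline = build_baseline([sshd, ssh, helper])   # helper does not exist yet
        save_baseline(baseline, root / "baseline.json")
        baseline = load_baseline(root / "baseline.json")  # round-trip through JSON
        ssh.write_bytes(b"\x7fELF ssh with backdoor (constructed)")
        sshd.unlink()
        helper.write_bytes(b"\x7fELF dropped tool (constructed)")
        findings = check_against_baseline(baseline)
        return {Path(k).name: v for k, v in findings.items()}


if __name__ == "__main__":
    for name, finding in sorted(demo().items()):
        print(f"{name}: {finding}")
```

The baseline must be built and stored off the monitored host, or the same wiper that destroys the binaries can destroy the record you would compare them against; the point of the "missing" finding is precisely that recovery needs an untouched copy of what was there.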
Ukrainian authorities have begun investigating a suspected cyberattack on the country’s power grid. iSIGHT believes the attacks that caused the blackout were the work of a hacking group dubbed “Sandworm”, believed to have ties to Russia. However, neither claim has yet been proven. In a 2014 report, iSIGHT said the group was targeting NATO, energy sector firms and U.S. academic institutions, as well as government organizations in Ukraine, Poland and Western Europe.
“Operators who have previously targeted American and European sensitive systems look to have actually carried out a successful attack that turned the lights out,” Hultquist said.
In the meantime, cheap attack tools and widespread insecurity across critical infrastructure technology make a devastating attack on energy companies feasible. Recent reports that an American dam was targeted by Iranians showed no country can be complacent.
“[The Ukraine attack] is fairly significant,” Williams added, who described general industrial control system security as a “train wreck as far as security goes”. “The odds are good that you could pop into ICS networks… and replicate this kind of attack.
“I do think this is a wake-up call for a lot of energy companies and not just energy companies. There is certainly a growing list of companies severely damaged by destructive attacks, from Sony Pictures to Saudi Aramco to the Sands Casino. All industries are vulnerable.”
Cyberattacks against infrastructure, such as electricity grids, have also been cause for alarm for politicians. In November, UK chancellor George Osborne confirmed almost £2bn in funding to help protect the UK from cyberattacks and so that it could develop its own.
“If the lights go out, the banks stop working, the hospitals stop functioning or government itself can no longer operate, the impact on society could be catastrophic,” Osborne said at the time.
The coming year, 2016, is going to be critical for attacks on Internet-connected industries, with the first massive attack already causing a power outage for hundreds of thousands of unsuspecting residents. Malware and its growing capabilities are only going to become more deadly in 2016.