First known hacker-caused power outage signals troubling escalation
by Dan Goodin - Jan 5, 2016 3:36am WIB
Highly destructive malware that infected at least three regional power authorities in Ukraine led to a power failure that left hundreds of thousands of homes without electricity last week, researchers said.
The outage left about half of the homes in the Ivano-Frankivsk region of Ukraine without electricity, Ukrainian news service TSN reported in an article posted a day after the December 23 failure. The report went on to say that the outage was the result of malware that disconnected electrical substations. On Monday, researchers from security firm iSIGHT Partners said they had obtained samples of the malicious code that infected at least three regional operators. They said the malware led to "destructive events" that in turn caused the blackout. If confirmed, it would be the first known instance of someone using malware to generate a power outage.
"It's a milestone because we've definitely seen targeted destructive events against energy before—oil firms, for instance—but never the event which causes the blackout," John Hultquist, head of iSIGHT's cyber espionage intelligence practice, told Ars. "It's the major scenario we've all been concerned about for so long."
Researchers from antivirus provider ESET have confirmed that multiple Ukrainian power authorities were infected by "BlackEnergy," a package discovered in 2007 that was updated two years ago to include a host of new functions, including the ability to render infected computers unbootable. More recently, ESET found, the malware was updated again to add a component dubbed KillDisk, which destroys critical parts of a computer hard drive and also appears to have functions that sabotage industrial control systems. The latest BlackEnergy also includes a backdoored secure shell (SSH) utility that gives attackers permanent access to infected computers.
“Perfectly capable”
Until now, BlackEnergy has mainly been used to conduct espionage on targets in news organizations, power companies, and other industrial groups. While ESET stopped short of saying the BlackEnergy infections hitting the power companies were responsible for last week's outage, the company left little doubt that one or more of the BlackEnergy components had that capability. In a blog post published Monday, ESET researchers wrote:
Our analysis of the destructive KillDisk malware detected in several electricity distribution companies in Ukraine indicates that it is theoretically capable of shutting down critical systems. However, there is also another possible explanation. The BlackEnergy backdoor, as well as a recently discovered SSH backdoor, themselves provide attackers with remote access to infected systems. After having successfully infiltrated a critical system with either of these trojans, an attacker would, again theoretically, be perfectly capable of shutting it down. In such case, the planted KillDisk destructive trojan would act as a means of making recovery more difficult.
Over the past year, the group behind BlackEnergy has slowly ramped up its destructive abilities. Late last year, according to an advisory from Ukraine's Computer Emergency Response Team, the KillDisk module of BlackEnergy infected media organizations in that country and led to the permanent loss of video and other content. The KillDisk that hit the Ukrainian power companies contained similar functions but was programmed to delete a much narrower set of data, ESET reported. KillDisk had also been updated to sabotage two computer processes, including a remote management platform associated with the ELTIMA Serial to Ethernet Connectors used in industrial control systems.
In 2014, the group behind BlackEnergy, which iSIGHT has dubbed the Sandworm gang, targeted the North Atlantic Treaty Organization, Ukrainian and Polish government agencies, and a variety of sensitive European industries. iSIGHT researchers say the Sandworm gang has ties to Russia, although readers are cautioned on attributing hacking attacks to specific groups or governments.
According to ESET, the Ukrainian power authorities were infected using booby-trapped macro functions embedded in Microsoft Office documents. If true, it's distressing that industrial control systems used to supply power to millions of people could be infected using such a simple social-engineering ploy. It's also concerning that malware is now being used to create power failures that can have life-and-death consequences for large numbers of people.
Ukrainian authorities are investigating a suspected hacking attack on the country's power grid, the Reuters news service reported last week. ESET has published additional technical details about the latest BlackEnergy package.
Saudi Aramco, Saudi Arabia's state oil company, was also hit by destructive malware in 2012, but there is no confirmation that the attack affected production. iSIGHT's report suggests a troubling escalation in malware-driven conflict that has consequences for industrialized nations everywhere.
(Recall: in 2010 the Stuxnet computer "worm", a US-Israeli cyber-warfare operation, caused physical damage to an Iranian nuclear facility; a German steel mill suffered physical damage from a separate cyber attack reported in 2014...)
Just before Christmas, power went out across western Ukraine. Soon after, the energy ministry confirmed it was exploring claims a cyber attack disrupted local energy provider Prykarpattyaoblenergo, causing blackouts across the Ivano-Frankivsk region on 23 December. The SBU state intelligence service said Russian attempts to disrupt the country’s power grid had been deflected, but did not comment on any specific attack.
The details were patchy. But today, the Computer Emergency Response Team of Ukraine – CERT-UA – told FORBES the outages were caused by an attack. National CERTs are in charge of coordinating responses to and investigations into cyber attacks. Eugene Bryksin, a member of the government organization, said it was working with Prykarpattyaoblenergo on the investigation but could provide no information other than to confirm the accuracy of the reports.
If his information was accurate, the attack is a rare public example of hackers taking out critical infrastructure and another sign of the rising digitization of warfare. Neither Prykarpattyaoblenergo nor the SBU could be contacted at the time of publication.
Bryksin also said research by somewhat sceptical US-based researchers looking for digital clues was accurate, in particular the attribution to a group of hackers using the so-called “BlackEnergy” malware.
Robert M Lee, 27-year-old co-founder of consultancy Dragos Security and former cyber warfare operations officer for the US Air Force, told FORBES he had obtained a piece of malware that had found its way onto the Prykarpattyaoblenergo network. On initial analysis, it did not appear to contain functions that would have switched off power, but was designed to wipe systems to render post-attack forensics ineffective. Nevertheless, he believed the evidence indicated hackers really were responsible for taking out the power in Ivano-Frankivsk.
“When this first came out, I was extremely sceptical,” Lee said. “But with a sample coming forward and that sample being new and unique… there’s a really high chance it was directly involved in the attacks.”
The malware was soon linked to a known hacker tool, BlackEnergy, that had previously been used in attempts to breach energy providers the world over, including US organizations. Security firm ESET said the hackers had used backdoors to spread the KillDisk wiper malware across energy companies in Ukraine, not just Prykarpattyaoblenergo. The initial BlackEnergy infection occurred after employees opened Microsoft Office files containing malicious macros, embedded scripts that run inside the document once the user enables them.
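Both articles on this page name macro-laden Office documents as the initial infection vector. As an added example, not code from either article or from ESET, here is the triage check a mail gateway or responder would run on an attachment in Python: it asks whether a zip-based (OOXML) Office file carries a VBA project, by part name and by declared content type, and flags legacy OLE2 binaries for separate inspection. The sample packages are constructed in memory; their vbaProject.bin is placeholder bytes, and the file names are made up.

```python
import io
import zipfile

# Content type that OOXML packages declare for an embedded VBA project.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Magic bytes of the legacy OLE2 compound-file formats (.doc, .xls, .ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_project(data: bytes) -> bool:
    """True if a zip-based (OOXML) Office file carries a VBA project.

    Two independent signals are checked, because the attacker controls the
    part names: a part named vbaProject.bin anywhere in the package, or the
    VBA content type declared in [Content_Types].xml.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False  # not an OOXML package (legacy OLE, or not Office at all)
    with zf:
        names = zf.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return True
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            return VBA_CONTENT_TYPE in types_xml
    return False


def is_ole2(data: bytes) -> bool:
    """Legacy binary Office formats keep macros in a 'Macros' storage that
    needs an OLE parser to inspect, so they are only flagged for review here."""
    return data.startswith(OLE2_MAGIC)


def triage(data: bytes) -> str:
    """Gateway decision for one attachment."""
    if has_vba_project(data):
        return "QUARANTINE: macro-enabled OOXML document"
    if is_ole2(data):
        return "REVIEW: legacy OLE2 document, inspect VBA storage separately"
    return "PASS: no macro indicators"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal Word package for the demo (hypothetical input);
    the vbaProject.bin payload is placeholder bytes, not real VBA."""
    types = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if with_macro:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "\n".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docm", build_sample(True)),
                       ("memo.docx", build_sample(False)),
                       ("old.doc", OLE2_MAGIC + b"\x00" * 24)]:
        print(f"{name}: {triage(blob)}")
```

The file extension is deliberately ignored: Word decides by content, not by name, so a renamed .docm still runs its macros when the user clicks "Enable Content", and a gateway that keys on extension alone is trivially bypassed.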
ESET researcher Anton Cherepanov also found the KillDisk variant detected in various electricity companies in the region contained “functionality specifically intended to sabotage industrial systems”. It looked to kill two “non-standard processes” – executable files called ‘komut.exe’ and ‘sec_service.exe’. Whilst the anti-virus firm’s researchers couldn’t determine what komut.exe did, it said the second process name may belong to software called ASEM Ubiquity, a platform often used in industrial control systems (ICS). Where that latter process was found, the wiper would terminate it and overwrite the executable with random data.
Cherepanov said his employer could “assume with a fairly high amount of certainty” that a range of tools had been used by the BlackEnergy group to cause the power outage in the Ivano-Frankivsk region.
Jake Williams, principal consultant at whitehat hacker firm Rendition Infosec, also analyzed the malware from the Prykarpattyaoblenergo network, noting it sought to wipe a variety of files. He confirmed the sec_service file was targeted. Once the malware had infected a Windows system, it would force a reboot. “In most cases that machine is not going to come back up,” Williams said.
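ESET's description above (and the Ars article's earlier mention of the same two processes) gives a concrete detection opportunity: a process named komut.exe or sec_service.exe being terminated, its executable being rewritten, and the host then being forced to reboot. The following Python is an added example, not code from ESET, Dragos or Rendition Infosec; it runs that per-host correlation over constructed JSON-lines telemetry in a simplified schema. The hostnames, paths, the dropper name "svchost32.exe" and the event field names are all invented for the example and are not Sysmon or Windows Event Log records.

```python
import json
from collections import defaultdict

# Process names the KillDisk variant terminated, per ESET's analysis cited above.
ICS_PROCESSES = {"komut.exe", "sec_service.exe"}

# Constructed sample telemetry (hypothetical schema: host, ts, type, fields).
SAMPLE_EVENTS = "\n".join([
    r'{"host":"hmi-01","ts":"2015-12-23T15:20:01Z","type":"process_terminated","image":"C:\\ICS\\sec_service.exe","by":"C:\\Windows\\Temp\\svchost32.exe"}',
    r'{"host":"hmi-01","ts":"2015-12-23T15:20:02Z","type":"file_written","path":"C:\\ICS\\sec_service.exe","by":"C:\\Windows\\Temp\\svchost32.exe"}',
    r'{"host":"hmi-01","ts":"2015-12-23T15:20:40Z","type":"shutdown_initiated","by":"C:\\Windows\\Temp\\svchost32.exe","reason":"forced"}',
    r'{"host":"eng-02","ts":"2015-12-23T15:21:10Z","type":"process_terminated","image":"C:\\ICS\\komut.exe","by":"C:\\Windows\\Temp\\svchost32.exe"}',
    r'{"host":"corp-fs","ts":"2015-12-23T15:25:00Z","type":"shutdown_initiated","by":"C:\\Windows\\System32\\wuauclt.exe","reason":"patch"}',
    r'{"host":"ws-07","ts":"2015-12-23T15:26:00Z","type":"process_terminated","image":"C:\\Windows\\notepad.exe","by":"C:\\Windows\\explorer.exe"}',
    "this line is not JSON and must not abort the batch",
])


def parse_events(text: str) -> list:
    """Parse JSON lines, skipping malformed records instead of dropping the batch."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: list) -> dict:
    """Correlate per host. Returns {host: (severity, description)}.

    Tracks three behaviours: an ICS process killed, its executable rewritten,
    and a reboot initiated. Tampering (kill or overwrite) followed by a reboot
    on the same host is the wiper-with-ICS-sabotage pattern; tampering alone is
    still worth paging on; a reboot alone is only context.
    """
    state = defaultdict(lambda: {"killed": set(), "overwritten": set(), "reboot": False})
    for ev in events:
        host = ev.get("host", "unknown")
        kind = ev.get("type")
        if kind == "process_terminated":
            name = basename(ev.get("image", ""))
            if name in ICS_PROCESSES:
                state[host]["killed"].add(name)
        elif kind == "file_written":
            name = basename(ev.get("path", ""))
            if name in ICS_PROCESSES:
                state[host]["overwritten"].add(name)
        elif kind == "shutdown_initiated":
            state[host]["reboot"] = True

    findings = {}
    for host, s in state.items():
        tampered = s["killed"] | s["overwritten"]
        names = ", ".join(sorted(tampered))
        if tampered and s["reboot"]:
            findings[host] = ("critical", f"ICS process tampering ({names}) followed by forced reboot")
        elif tampered:
            findings[host] = ("high", f"ICS process tampering ({names})")
        elif s["reboot"]:
            findings[host] = ("info", "reboot without ICS tampering")
    return findings


if __name__ == "__main__":
    for host, (sev, msg) in sorted(detect(parse_events(SAMPLE_EVENTS)).items()):
        print(f"{sev:8s} {host}: {msg}")
```

In production the same logic would sit on Sysmon process-termination and file-create events or an EDR feed; the point is the per-host correlation, since a single terminated process is noisy but termination, overwrite and reboot on one HMI within a minute is not. Hosts that only terminate unrelated processes (ws-07 above) produce no finding at all.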
Beware BlackEnergy
The BlackEnergy malware, which has been used in attacks dating back to 2007, was originally thought to be focused on cyber espionage. But in 2014, hackers updated the toolset to include malicious code targeting SCADA and other ICS software, known-to-be-vulnerable kit used to control power stations and other critical infrastructure.
A link between BlackEnergy and the KillDisk malware was first reported by CERT-UA in November when news publications were attacked around the 2015 Ukrainian local elections. This added to suspicions Russian-sponsored hackers were involved in the group.
Intelligence provider iSight Partners said it believes a hacker collective called Sandworm Team has been using BlackEnergy over the last two years. The company said today it believed the group was Russian and that it targeted US and European industrial control systems from 2014 onwards. “Renewed BlackEnergy activity, which we believe is Sandworm Team, was uncovered throughout 2015 in Ukraine affecting government, telecommunications, and energy sector organizations in the country,” it wrote in a statement to media.
But Russian individuals and businesses have also been targeted by hackers using the BlackEnergy malware, according to November 2014 research from Russian firm Kaspersky. It said the list of victims is long and diverse, with power facilities, government bodies, emergency services and academics also targeted, across a wide range of countries. Kaspersky also suggested BlackEnergy had been used for criminal enterprises but some time in 2014 was used in attacks that appeared to have government backing.
Tit for tat attacks?
During the last two weeks of December, power was also cut in Crimea, the peninsula Russia annexed in 2014. One outage appeared to be the result of physical sabotage, and Ukraine was accused of carrying out the hit. Lee wondered whether the digital hit on Ukraine could have been a response to that earlier sabotage.
Causing explosions is an obvious if blunt way to cause disruption, but attribution is fairly obvious. When it comes to digital attacks, however, trying to conclude who was responsible is far trickier. This is one of many reasons nation states are heavily investing in offensive cyber resources: when they strike they can easily deny culpability.
Meanwhile, cheap attack tools and widespread insecurity across critical infrastructure technology make a devastating attack on energy companies feasible. Recent reports that an American dam was targeted by Iranians showed no country can be complacent.
“[The Ukraine attack] is fairly significant,” added Williams, who described industrial control system security in general as a “train wreck as far as security goes”. “The odds are good that you could pop into ICS networks… and replicate this kind of attack.
“I do think this is a wake up call for a lot of energy companies and not just energy companies.” There is certainly a growing list of companies severely damaged by destructive attacks, from Sony Pictures to Saudi Aramco to the Sands Casino. All industries are vulnerable.
Tips and comments are welcome at TFox-Brewster@forbes.com or tbthomasbrewster@gmail.com for PGP mail. Get me on Twitter @iblametom and tfoxbrewster@jabber.hot-chilli.net for Jabber encrypted chat.