If you are told that weaknesses in digital infrastructure protection could cause a nationwide blackout, that is not far from the truth. Our expert analyzed a real cyber attack on an electricity distributor in Ukraine.
In December 2015, a targeted attack struck the Ukrainian company Kyivoblenergo. The attacker started with social engineering: he sent employees an email carrying a document with malicious code and thereby gained access to the victim’s network. He remained on the network for almost six months, which gave him enough time to learn the environment and launch a highly synchronized multi-stage attack at several locations. He obtained administrator rights and mapped the victim’s infrastructure, worked out how to communicate with the DMS systems and wrote his own malicious firmware for the next stage of the attack. The attacker even tested his exploit directly on the victim’s network before launching it. He ran the KillDisk tool to erase his traces on the systems and prevent any forensic analysis. The attack caused a massive power outage and simultaneously knocked out the phone service at the call center.
The cyberattack on the Ukrainian power plant was well-planned and highly coordinated, and the attacker had several ways into the network. A great deal of information was available from public sources, including detailed lists of the infrastructure in use, e.g. from Remote Terminal Unit vendors, as well as version information published by ICS vendors on the Internet. It appears that the VPNs from the business network into the ICS systems did not use two-factor authentication.
In addition, the firewall allowed the attacker to manage the systems remotely from outside the company using the remote access function that is a native part of those systems. The network contained no security monitoring components: there was no SIEM, and probably the most important factor was a shortage of skilled staff. The attacker was present in the network for six months and remained undetected until the attack was launched. Forwarding logs to a central server and analyzing them there would have significantly increased the likelihood of detection. With such an approach the systems record every activity, including each step of the attacker, so his tracks could not be covered even by anti-forensic tools.
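As an added example (not from the article, and not the tooling of the company or incident it describes), a small Python correlation over constructed log lines that have already been forwarded to a central collector. It flags the gaps the paragraph names (VPN into the ICS network without a second factor, remote management from outside, wiper activity) and shows why the central copy still tells the story after the endpoint is erased. The key=value log format, field names and internal address ranges are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: key=value events already forwarded to a central collector.
# (Hypothetical schema; the article names no product or log format.)
SAMPLE_LOGS = """\
ts=2015-12-23T14:01:02Z host=vpn-gw event=vpn_login user=ops1 src=203.0.113.9 dst_net=ics mfa=no
ts=2015-12-23T14:05:10Z host=fw-1 event=remote_admin user=admin src=203.0.113.9
ts=2015-12-23T14:30:45Z host=hmi-07 event=file_delete count=4200 path=C:/Windows/System32
ts=2015-12-23T14:31:00Z host=hmi-07 event=mbr_overwrite proc=svchost.exe
ts=2015-12-23T14:31:05Z host=hmi-07 event=agent_stopped reason=unexpected
ts=2015-12-23T15:00:00Z host=vpn-gw event=vpn_login user=ops2 src=10.1.2.3 dst_net=ics mfa=yes
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed ranges
KV = re.compile(r"(\w+)=(\S+)")
MASS_DELETE_THRESHOLD = 1000  # files per event; tune per environment


def parse(line):
    """Turn one key=value line into a dict."""
    return dict(KV.findall(line))


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(text):
    """Apply the rules to the central log copy; return (rule, host, ts) tuples in order."""
    findings = []
    for line in text.splitlines():
        ev = parse(line)
        kind, host, ts = ev.get("event"), ev.get("host", "?"), ev.get("ts", "?")
        # Rule 1: VPN session into the ICS network without a second factor.
        if kind == "vpn_login" and ev.get("dst_net") == "ics" and ev.get("mfa") != "yes":
            findings.append(("ics_vpn_without_mfa", host, ts))
        # Rule 2: native remote-management session originating outside the company.
        elif kind == "remote_admin" and is_external(ev.get("src", "0.0.0.0")):
            findings.append(("external_remote_admin", host, ts))
        # Rule 3: wiper behaviour; the central copy survives even if the host is erased.
        elif kind == "mbr_overwrite" or (kind == "file_delete" and int(ev.get("count", 0)) >= MASS_DELETE_THRESHOLD):
            findings.append(("wiper_activity", host, ts))
        # Rule 4: the forwarding agent died right after wiper activity, so the host went dark.
        elif kind == "agent_stopped" and any(f[0] == "wiper_activity" and f[1] == host for f in findings):
            findings.append(("host_went_dark_after_wipe", host, ts))
    return findings


if __name__ == "__main__":
    for rule, host, ts in analyze(SAMPLE_LOGS):
        print(f"{ts} {host}: {rule}")
```

The last two events from hmi-07 are exactly what a wiped endpoint can no longer show an investigator; they are recoverable only because the collector received them before the agent stopped.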
Although fortunately there was no outage, the consequences of this attack were significant. If the company had implemented controls at each layer of its digital infrastructure protection (including active security monitoring), the attackers would have been detected much earlier. Defending all layers of data security can prevent or minimize damage even in sensitive cases like this one.