Gap analysis of power station cyber attack
If they tell you that defects in digital infrastructure protection may cause a nationwide blackout, believe it or not, they are not that far from the truth. Our expert analyzed a real case of cyber attack on electricity distributor in Ukraine.
In December 2015 a Ukrainian company Kyivoblenergo was compromised by a targeted attack. The attacker started with social engineering. He sent an email containing malicious office document to the employees. This way he gained access to victims network.He spent almost six months inside the network, which was enough time to learn the environment and execute a highly synchronized, multistage, multisite attack. He managed to get the administrator access and mapped victims infrastructure. The attacker learned how to interact with DMS systems and wrote custom malicious firmware to execute next stage of the attack. Attacker even tested his exploit directly in victim network before launching it. In order to delete his footprints in the systems, he launched KillDisk to prevent any forensic analysis. Execution of attack caused massive power break and simultaneously executed telephone denial of service on the call center.
The cyber attack against Ukrainian power station was well-planned and highly coordinated. The attacker had multiple choices how to penetrate into the network. There was a variety of open-source information available, including a detailed list of types of infrastructure such as Remote Terminal Unit vendors and versions posted online by ICS vendors. The VPNs into the ICS from the business network appear to lack two-factor authentication. Additionally, the firewall allowed the adversary to remote admin out of the environment by utilizing a remote access capability native to the systems. On the network, there were no components for security monitoring. Any SIEM was missing and the most importantly: it seems that experts were understaffed. The attacker was on the network for 6 months and become undetected until the attack was launched. Using tools for sending logs to a central server and their analysis would significantly increase the probability of detecting him. In this approach systems log all activities including attackers’, so even anti-forensic tools would not hide the tracks of the attacker.
Fortunately, there was no blackout taking place but the consequences of this attack were still great. If the company employed control mechanisms on each of its digital infrastructure protection layers (they would apply active security monitoring), the attackers would be exposed much sooner. Guarding all layers of data security can avoid or minimize damage even in such sensitive cases as was this one.