News & Blog

Gap analysis of power station cyber attack

Gap analysis of power station cyber attack

If they tell you that defects in digital infrastructure protection may cause a nationwide blackout, believe it or not, they are not that far from the truth. Our expert analyzed a real case of cyber attack on electricity distributor in Ukraine.

In December 2015 a Ukrainian company Kyivoblenergo was compromised by a targeted attack. The attacker started with social engineering. He sent an email containing malicious office document to the employees. This way he gained access to victims network.He spent almost six months inside the network, which was enough time to learn the environment and execute a highly synchronized, multistage, multisite attack. He managed to get the administrator access and mapped victims infrastructure. The attacker learned how to interact with DMS systems and wrote custom malicious firmware to execute next stage of the attack. Attacker even tested his exploit directly in victim network before launching it. In order to delete his footprints in the systems, he launched KillDisk to prevent any forensic analysis. Execution of attack caused massive power break and simultaneously executed telephone denial of service on the call center.

The cyber attack against Ukrainian power station was well-planned and highly coordinated. The attacker had multiple choices how to penetrate into the network. There was a variety of open-source information available, including a detailed list of types of infrastructure such as Remote Terminal Unit vendors and versions posted online by ICS vendors. The VPNs into the ICS from the business network appear to lack two-factor authentication. Additionally, the firewall allowed the adversary to remote admin out of the environment by utilizing a remote access capability native to the systems. On the network, there were no components for security monitoring. Any SIEM was missing and the most importantly: it seems that experts were understaffed. The attacker was on the network for 6 months and become undetected until the attack was launched. Using tools for sending logs to a central server and their analysis would significantly increase the probability of detecting him. In this approach systems log all activities including attackers’, so even anti-forensic tools would not hide the tracks of the attacker.

Fortunately, there was no blackout taking place but the consequences of this attack were still great. If the company employed control mechanisms on each of its digital infrastructure protection layers (they would apply active security monitoring), the attackers would be exposed much sooner. Guarding all layers of data security can avoid or minimize damage even in such sensitive cases as was this one.

Subscribefor more usefull articles

I agree and consent to and want to receive useful articles (Newsletter) by email from company Binary Confidence that contain useful articles and information from IT Security industry or about security projects or achievements of this company. Company Binary Confidence will not share my personal data with any third party for marketing or other purposes. other recipients, except company MailChimp that provides platform for sending our useful articles (Newsletters). I can withdraw my consent at any time on or on +421 232199980 or by opt out link in each Newsletter email. I have read and understood the Privacy Policy and I agree how my personal data are processed and what my rights are in respect of processing my personal information for purpose of subscription for useful articles (Newsletter). I declare that I am over 16 years old.



Binary Confidence s.r.o.
Špitálska 53,
811 01 Bratislava
Slovak republic



+421 2 321 999 80

    I agree with Privacy and Data Protection Policy
    By clicking [I agree] you consent to processing your personal data by company Binary Confidence s.r.o. and you accept Privacy and Data Protection Policy.