January 2016 – Ukraine Power – Cyber Attack

On the 23rd December 2015 Ukraine suffered what is believed to be the first successful cyber-attack on an electricity distribution network cutting the power at 17 substations and leaving 225,000 people without power for several hours. In this blog we review the events leading up to and during the attack and what additional security controls could have been considered.

It is understood that the attackers initially launched their attack by sending phishing emails to the power utility companies’ offices some six months before the main attack. These emails carried Microsoft Excel attachments containing macros which deployed malware once opened by internal staff. Once the malware had been installed it allowed the attackers to gather passwords and logins, which enabled them to mount the attack.

After six months’ worth of information gathering and planning, the attack was finally executed on the 23rd December. Despite firewalls being in place between the affected computers and the electricity distributor’s supervisory control and data acquisition (SCADA) servers, the attackers were able to open remote desktop sessions to the SCADA computers using credentials gathered from the phishing attack and cut the power to 17 substations. Additionally, they rewrote the firmware in the electronic devices used to communicate with the substations’ circuit breakers. This meant that the power could not be turned on remotely once engineers had regained control of the SCADA computers; it could only be restored using manual processes once the engineers had visited the substations. The attackers also jammed phone lines during the attack to make it hard for engineers to determine the extent of the blackout.

It’s interesting to see from this attack that both technical and non-technical security weaknesses were exploited in a coordinated way. The attack started with a phishing campaign which resulted in the malware propagating to the network. A Verizon study of 150,000 phishing emails found that 23 percent of recipients open phishing messages and 11 percent open attachments. It also identified that 1 in 10 people open an attachment when they have no idea what they’re opening. To address this human security weakness, an effective employee awareness programme could have been put in place, including security training courses, general awareness campaigns and simulated phishing exercises. The company’s security policies must be communicated to staff on a regular basis to ensure these principles underpin all working practices and to embed them firmly in the company culture.

Other security weaknesses that may have contributed to an attack of this nature are the sharing of user account and password information and the failure to change default accounts on systems. In an IS Decisions report, titled “From Brutus to Snowden: Anatomy of an Insider Threat,” users in the United States and UK were polled on their habits around sharing credentials. The report found that only 51% of people polled said that they never share passwords or log-in details, 23% said they share with one or more co-workers, 10% shared with a manager, 10% indicated they share when required and 7% said they share passwords with IT. This has two consequences: first, there are multiple access points from which to gain information on a specific account being targeted; second, the method used to share these passwords may itself be open to attack. For example, a password list shared by e-mail, if intercepted, would enable an attacker to gain access to multiple accounts. Likewise, if default administrator account names were not changed, one authentication factor for those accounts is already known, which aids the attacker. Coupled with failing to change the default passwords for these accounts, this is the equivalent of leaving your house’s doors and windows wide open whilst going on holiday.
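The two weaknesses described above (remote desktop sessions reaching SCADA computers from the corporate side with stolen credentials, and shared or default accounts) are the kind of activity a defender can look for in logon records. The script below is an added example written for this post, not code from the incident or from any of the organisations involved. It parses a handful of constructed logon events in a simple key=value form and applies three rules: a remote desktop logon (Windows logon type 10) to a SCADA host from outside an assumed management subnet, any logon with a default administrator name, and one account appearing from several source addresses, which is a hint of credential sharing. The host names, subnet, account names and log format are all assumptions for illustration.

```python
"""Detection rules for remote desktop and credential-sharing activity on SCADA hosts.

Added example: log format, host names, subnets and account names are constructed
assumptions for illustration, not data from the Ukraine incident.
"""
import ipaddress
from collections import defaultdict

# Assumed layout: only the SCADA management subnet should ever open a remote
# desktop session to a SCADA host. (Hypothetical values.)
SCADA_MGMT_NET = ipaddress.ip_network("10.20.0.0/24")
SCADA_HOSTS = {"scada-hmi-01", "scada-hmi-02"}
DEFAULT_ADMIN_NAMES = {"administrator", "admin", "root"}
REMOTE_INTERACTIVE = "10"  # Windows logon type for remote desktop sessions

# Constructed sample events: one legitimate management logon, two remote desktop
# logons from a corporate workstation, one unrelated file server logon, and one
# local console logon on a SCADA host.
SAMPLE_LOG = """\
2015-12-23T15:01:12 host=scada-hmi-01 event=4624 logon_type=10 user=operator1 src=10.20.0.15
2015-12-23T15:04:40 host=scada-hmi-01 event=4624 logon_type=10 user=operator1 src=10.5.7.88
2015-12-23T15:05:02 host=scada-hmi-02 event=4624 logon_type=10 user=administrator src=10.5.7.88
2015-12-23T15:06:30 host=fileserver-03 event=4624 logon_type=10 user=hr_user src=10.5.7.90
2015-12-23T15:07:11 host=scada-hmi-02 event=4624 logon_type=2 user=operator2 src=127.0.0.1
"""


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def rdp_from_outside_mgmt(events):
    """Rule 1: remote desktop logon to a SCADA host from outside the management subnet."""
    hits = []
    for e in events:
        if e["host"] in SCADA_HOSTS and e["logon_type"] == REMOTE_INTERACTIVE:
            if ipaddress.ip_address(e["src"]) not in SCADA_MGMT_NET:
                hits.append(e)
    return hits


def default_admin_logons(events):
    """Rule 2: any logon to a SCADA host using a default administrator account name."""
    return [e for e in events
            if e["host"] in SCADA_HOSTS and e["user"].lower() in DEFAULT_ADMIN_NAMES]


def accounts_used_from_multiple_sources(events):
    """Rule 3: one account logging on to SCADA hosts from more than one source address."""
    sources = defaultdict(set)
    for e in events:
        if e["host"] in SCADA_HOSTS:
            sources[e["user"]].add(e["src"])
    return {user: sorted(srcs) for user, srcs in sources.items() if len(srcs) > 1}


def run_rules(text=SAMPLE_LOG):
    """Apply all three rules and return their findings keyed by rule name."""
    events = parse_log(text)
    return {
        "rdp_outside_mgmt": rdp_from_outside_mgmt(events),
        "default_admin": default_admin_logons(events),
        "shared_accounts": accounts_used_from_multiple_sources(events),
    }


if __name__ == "__main__":
    for rule, findings in run_rules().items():
        print(f"{rule}: {findings}")
```

On the constructed log, rule 1 flags the two sessions from the corporate address 10.5.7.88, rule 2 flags the `administrator` logon, and rule 3 reports `operator1` as used from both the management subnet and the corporate workstation. In practice the same rules would be fed from centralised Windows security event collection rather than a string literal, and the management subnet and host list would come from the network inventory.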

Lastly, a specific control that would have defeated this type of attack is an air gap between the power utility’s corporate network and the electricity distributor’s SCADA servers. As a logical path existed between the two networks, it was possible to use the power utility’s corporate IT infrastructure, which was accessible from the internet, to attack the SCADA servers. Removing this logical path and managing the SCADA servers directly would have made it impossible to launch an attack from outside the immediate vicinity of the SCADA servers.

It can be seen from this that the standard ISO 27001 approach of implement, measure, improve and ensure everyone understands the risks is a sound one, and that the most effective security measure is to embed security into the way people work.