s4 krotofil morning_sesh_2017
Post on 19-Jan-2017
TRANSCRIPT
NEW WAVE OF CYBER ATTACKS IN UKRAINE
Marina Krotofil, Lead Security Researcher
Honeywell Industrial Cyber Security Lab
S4x17, Miami, Dec 10 2017
Power failure in Dec 2016 in Kiev, Ukraine
Residential areas in the Right Bank area of Kiev and neighboring areas lost power
Power was restored at 01:05 am
Initially both a hacker attack and equipment failure were among the possible causes
Ongoing investigation confirms cyber incident
https://www.youtube.com/watch?v=AUoiKZBqIo0
Electrical transmission-level substation Pivnichna (330kV) suddenly cut off from the main power grid on Dec 17th 2016, at 23:53 (11:53 pm)
We thank the leadership of the IT department of Ukrenergo for supporting us in this talk
About ISSP
Shortly before midnight on December 17, someone started disconnecting circuit breakers through remote means until the electrical substation was completely disabled, Mr. Kovalchuk said. Utility employees re-energized the substation by manually restoring equipment to their “on” positions. Mr. Kovalchuk said he believes the latest attack was well planned because the targeted substation is one of the utility’s most automated.
http://www.wsj.com/articles/cyberattacks-raise-alarms-for-u-s-power-grid-1483120708
Timeline of recent cyber-attacks in Ukraine, December 2016
Dates: Dec 6, Dec 12, Dec 13, Dec 14-15, Dec 16, Dec 17, Dec 20
Affected organizations:
− Ukrainian Sea Port Authority
− Defense Ministry
− Substation Pivnichna (UkrEnergo)
− Ministry of Finance
− State Treasury Service
− Pension Fund
− State Executive Service
− Ukrainian Railways
− Near-Dnepro Railways
− Ministry of Infrastructure
− Major Internet provider „Volya“
− PFTS Ukraine Stock Exchange
Ukrainian Railways: information systems and online resources affected
− Online train ticket selling system
− Automated system for managing freight cars
− Internal information resources (servers)
https://www.uz.gov.ua/en/
Attack on the Freight Cars Management System is claimed to be a demonstration maneuver
− The attackers targeted stealing passenger traffic data
− There are concerns about stolen passengers' personal and payment data
Collateral damage due to infrastructural interdependencies
− Outage of freight cars where needed (interruptions in cargo shipments)
− Manual dispatching of freight cars
General facts: 6,500 attacks in the past 2 months
− 5 organizations and 31 information resources
− Remote exploitation and DDoS attacks
− NO maximum damage
Ministry of Finance and State Treasury declared some losses
− Damage of network equipment
− Loss of 3 Tb of data
− Unable to carry out a large number of transactions (typically 150k per day)
SABOTAGE is widely hypothesized as the most likely goal of the hacking campaign
− Destabilization of the overall political and financial situation
− Security professionals believe Ukraine serves as one of the training grounds for hacking R&D
Déjà vu and Jamais vu
Similarly to 2015, the wave of spear phishing started in the month of July (2016)
− Everybody is in a careless summer mood
− Many people on vacation
In contrast to 2015, attacks grew in sophistication
− New evasive techniques for establishing an initial foothold
− Much more complex and better organized
Similarly to 2015, there are "silence" & recon periods
− Active phase started in December (2016)
− The same old tools are used (from the BlackEnergy framework and alike)
http://www.quickmeme.com/meme/35r4vh
Security Service of Ukraine (SBU) stated that the recent attacks are similar to last year's attacks on power utilities
We anticipated these attacks (Oct 31, 2016)
Friendly visit of ISSP Labs in Kiev, Ukraine
Lab‘s screen
Beer-ISAC
Thank you and see you in the afternoon
Marina Krotofil, marina.krotofil@honeywell.com, @marmusha