Ukrainian Power Grid Attack “Black Energy”

POSC 3350: April 7, 2017

Garrett Henderson, James Cheatham, Josh Senft, Cole Leininger, Travis Frank


Page 1: Ukranian Power Grid Attack “Black Energy” · FAQ: BlackEnergy BlackEnergy APT Attacks in Ukraine employ spearphishing with Word docs Analysis of the cyber attack on the Ukranian


Page 2

The Power Grid: Understanding the Problem

Overview

Power grid: an electric grid is a distributed system designed to deliver electricity efficiently from multiple sources to customers.

Grid design
● Power generation: power plants
● Power transmission: high voltage between plants
● Power distribution: substations and lines to the curbside

Attack surface
● The distributed nature of system controls makes for a large attack surface.
● Use of dial-up modems and internet connectivity gives attackers opportunities that are not usually available in other systems.

Page 3

Grid overview

Page 5

Black Energy: Understanding the Weapon (Oleksiuk Dmytrio)

Black Energy 3
Malware: Trojan horse & spyware
Vector: Rogue software (MS Word & Excel macros)
Impact:
● Scans for systems
● Delivers payload

Black Energy 2
Malware: Backdoor & rootkit
Vector: BlackEnergy3 route
Impact:
● Open to hacker
● Remote control
● Increase privileges

KillDisk
Objective: Worm
Vector: BlackEnergy3
Impact:
● Corrupts data
● Crashes systems
● Paralyzes response

Page 6

Actors

Attacker: Sandworm
Russian-based hacking and espionage group
Motive: Ukrainian-activist physical attack on Crimean substation & 2014 Russian annexation of Crimea
Known capabilities:
● High degree of success in systems infiltration.
● Activities also include espionage, harassment and denial of service attacks.
● Known to have previously spied on NATO and a United States organization.

Responders: Energy companies
Involved companies: Prykarpattyaoblenergo, Kyivoblenergo, Chernivtsioblenergo
Ukrainian response units: Department of Cyber Police, Ivano-Frankivsk Patrol Police
Post-incident, cyber analyst groups including US DHS, E-ISAC, and ICS investigated the hack.

Page 7

Attack Plan
● Reconnaissance: ID valuable & available targets
● Weaponization: BlackEnergy3 (BlackEnergy2 & KillDisk)
● Delivery: Spearphishing via Microsoft Word & Excel
● Exploitation: BlackEnergy3 systems scan
● Installation: BlackEnergy2 secures foothold
● Command and Control: Backdoor & remote access
● Actions on Objectives: SCADA control
● Exploitation: Power shutdown & system wipe


Page 10

The Attack

Page 11

Response

Immediate response
● Manual mode, inhibit controls, constrained operations

Mid-term response
● Cyber asset restoration, electric system restoration

Identification/Awareness
● System monitoring

Post-event analysis, changes, etc.
● Forensics, information sharing, system hardening and prep.

Page 12

Cost Analysis

Implications of Attack
● No reported financial estimate
● No loss of life or hardware
● Dangers
  ○ Attack in December (28.2, -32.3) F
● First publicly known attack on electrical grid
● Increase in Ukrainian-Russian tensions


Page 13

Improvements

Ukrainian Government
● Security architecture revision
● End-user cybersecurity training
● Backup systems (tech, comms, power)
● National security alert
  ○ Protect generation equipment
● Emergency response protocols
  ○ Priority analysis
  ○ Traffic control (ground & air)
  ○ Mobile communications
  ○ Frequent patrols

United States
● Security architecture revision
  ○ Emergency manual switch
● Increased red-team initiatives
● Consider air-gap in automation
● Network isolation possibility
● Have safe zones set up and secured

Page 14

Sources
● “Is this the future of cyberwarfare?” - Al Jazeera
● “Attackers use Word Docs to deliver Black Energy malware” - Security Week
● “Ukrainian power attack a wake-up call, says Canadian utility CIRO”
● “Alert: Cyber-Attack Against Ukrainian Critical Infrastructure” - ICS-CERT
● “BlackEnergy trojan strikes again: Attacks Ukrainian electric power industry”
● “BlackEnergy malware activity spiked in runup to Ukraine power grid takedown”
● “FAQ: BlackEnergy”
● “BlackEnergy APT Attacks in Ukraine employ spearphishing with Word docs”
● “Analysis of the cyber attack on the Ukrainian Power Grid”
● “First known hacker-caused power outage signals troubling escalation”
● “NSA Chief warns BlackEnergy attack on US power grid ‘a matter of when…’”
● “Everything we know about Ukraine’s Power Plant Hack”

Page 15

What happened?

On December 23, 2015, Ukrainian power companies experienced unscheduled power outages impacting a large number of customers in Ukraine.

Power outages were caused by remote cyber intrusions at three regional electric power distribution companies (Oblenergos) impacting approximately 225,000 customers.

Public reports indicate that the BlackEnergy (BE) malware was discovered on the companies’ computer networks.

According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities.

During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections.

The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access.

All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack.

Page 16

The Attack

The infection vector used in these attacks is Microsoft Office files containing malicious macros. Using a spearphishing campaign to get users to run these macros, the attackers were able to gain access. This is a prime example of how important user education on cybersecurity is. Once inside the system, the attackers were able to explore, escalate privileges and deploy backdoors and other software such as KillDisk, which was used to wipe systems.

However, experts believe the malware is not directly responsible for the outages; instead it only helped attackers cover their tracks and make it more difficult to restore service.

7 110 kV and 23 35 kV substations were disconnected for 3 hours.
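As an added example (not part of the presentation or of any of its sources), the following Python script shows the defender-side check that the macro-based infection vector above calls for: a mail-gateway style triage that flags Office Open XML attachments carrying a VBA project part and quarantines legacy binary Office files for deeper inspection. The sample documents, the function names and the verdict labels are all constructed here for illustration and are not real incident artifacts.

```python
"""Mail-gateway style triage of Office attachments for embedded VBA macros.

Added example (not from the presentation): the kind of check a defender
places in front of the inbox to catch the macro-carrying Word and Excel
documents described above. All sample documents are constructed inline.
"""
import io
import zipfile

# Office Open XML (.docx/.xlsm/...) is a zip archive; a VBA project is stored
# as a part with this basename (normally word/vbaProject.bin or xl/vbaProject.bin).
VBA_PART = "vbaproject.bin"
# Legacy binary Office files (.doc/.xls) are OLE2 compound files with this magic.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions that Office treats as macro-enabled by design.
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm", "dotm", "xltm"}


def ooxml_has_vba(data: bytes) -> bool:
    """Return True if an OOXML document contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return False
    # Compare on the basename so unusual directory layouts are still caught.
    return any(n.rsplit("/", 1)[-1] == VBA_PART for n in names)


def classify_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment as 'clean', 'macro', 'legacy-binary' or 'unknown'.

    Hypothetical verdict labels chosen for this example.
    """
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls can hold macros too; hand off for deeper OLE parsing.
        return "legacy-binary"
    if data[:2] == b"PK":
        if ooxml_has_vba(data):
            return "macro"
        ext = filename.lower().rsplit(".", 1)[-1]
        # A macro-enabled extension is treated as macro-bearing even if the
        # VBA part was not found, so a renamed or oddly packed file is not waved through.
        if ext in MACRO_EXTENSIONS:
            return "macro"
        return "clean"
    return "unknown"


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for testing (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


def triage(attachments):
    """Return {filename: verdict} for a batch of (filename, bytes) pairs."""
    return {name: classify_attachment(name, data) for name, data in attachments}


if __name__ == "__main__":
    # Constructed inbound batch: one clean document, one with a VBA part, one legacy file.
    sample = [
        ("invoice.docx", build_sample_docx(with_macro=False)),
        ("schedule.docx", build_sample_docx(with_macro=True)),
        ("old_report.doc", OLE_MAGIC + b"\x00" * 16),
    ]
    for name, verdict in triage(sample).items():
        print(f"{name}: {verdict}")
```

In practice a gateway would route "macro" and "legacy-binary" verdicts to quarantine and a dedicated document-analysis stage rather than delivering them; the zip-level check here is cheap enough to run on every attachment and catches the plain case of a VBA project packed into a .docx or .xlsm.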

Page 17

Energy Team Outline

1. Context
   a. Issue (explain cyberattacks on the power grid)
   b. BlackEnergy (what is it, what does it do, how, what can it be used for)
   c. Incident (what happened, when, where)
      i. Timeline
2. Analysis
   a. Actors, motives, capabilities
   b. Responders & responses (What government agencies provided first response? Follow-on support?)
   c. Factors
   d. Concerns & damages (impact on critical infrastructure and general population)
3. Security Development
   a. What were the long-run lessons learned and political/social/economic consequences?
   b. How has community resiliency been increased in the impact area?

Page 18

Context

Page 19

Analysis

Page 20

Security Development