DHS Warning about Ukrainian Electric Grid Attack

By John Atienza on March 15, 2016

Posted March 9, 2016

Source: https://fcw.com/articles/2016/03/09/rockwell-ukraine-grid.aspx

Further Reading: http://westoahu.hawaii.edu/cyber/index.php/blackenergy-trojan-used-in-attack-against-ukrainian-critical-infrastructure/

The Department of Homeland Security is warning critical infrastructure providers that cyber attacks like the one that hit Ukraine’s electrical grid are hard to detect and recover from. As of yet there is no evidence of anything similar happening in the United States. DHS Assistant Secretaries Andy Ozment and Greg Touhill stated that the agency has been briefing U.S. critical infrastructure providers since the attacks. The attacks on Ukraine were tied to the Russian-linked BlackEnergy hacking group, a known APT group. DHS cyber defense teams have already informed critical infrastructure providers in the chemical, nuclear, transportation, natural gas, and water sectors through Sector Coordinating Councils and Information Sharing and Analysis Centers. In 2014, CERT warned of BlackEnergy using Microsoft Office documents in a “targeted campaign to infiltrate computer facilities at a U.S. academic institution, Western European governments, energy, and telecommunications companies.”

The attack on the Ukrainian electrical grid was well coordinated. Kaspersky reported that BlackEnergy did extensive reconnaissance of the victim networks prior to the actual attack. Phishing emails are thought to have been used to harvest legitimate credentials, which the attackers then used over VPN connections, through remote administration tools or ICS client software, to turn off breakers. At the end of the attack they used KillDisk malware to wipe systems and specific files on target systems. They also used it to corrupt system master files and the firmware of Serial-to-Ethernet devices at power substations. BlackEnergy also set up automatic disconnects of the servers’ Uninterruptible Power Supplies through a remote interface. Finally, they performed a denial of service attack on the electrical companies’ system repair dispatchers’ consoles and flooded the call centers so that customer calls reporting the power outages were blocked.