Earlier this month, we wrote about a power outage in Ukraine that was blamed on hackers.
The incident has now been categorised by the SANS Institute as a “co-ordinated attack on the Ukrainian power grid” .
However, contrary to some media reports, it does not appear the outages were caused directly by malware, Director of SANS ICS Michael J. Assante said in a blog post.
The SANS assessment of the attacks concludes that the attackers did use malware to gain a foothold in the targeted utilities and initiate command and control, and that deliberately-destructive malware was used to frustrate recovery.
SANS also says that the attackers attempted to “blind” dispatchers by flooding the dispatch center with phony calls as a further tactic to disrupt and distract support staff during the attack.
Nevertheless, SANS cautioned against concluding that the malware known as BlackEnergy, and a related component known as KillDisk, were directly involved in the attack, although they were subsequently found on the utilities’ systems.
The malware campaign tied to BlackEnergy “has solid links to this incident,” Assante said, but it is “far too early in the technical analysis” to conclude that malware samples recovered were tied to this incident.
As fellow Naked Security writer Paul Ducklin told me, “Just because you have a breach and then find malware doesn’t necessarily mean that one caused the other. They could both be the side-effects of a bigger security hole.”
Most importantly, the KillDisk component was likely not the direct cause of the outage in this incident, Assante said.
It’s also not possible at this time to attribute the attacks to any particular group or nation state (there’s no proof that this was “cyberwar”).
What is clear is that power companies, now more than ever, need to be prepared for the risk of cyberattack.
Assante commended the technicians for quickly responding to the outage by switching to “manual mode” to restore the system, and turning the power back on for affected customers within hours.
As Assante said, SANS and the power community must learn from this incident how to detect, respond and restore from cyber attacks in the future, because coordinated attacks are now an “expected hazard.”
For the rest of us, what can we learn?
Although this was a targeted attack, it would be a mistake for anyone to think they don’t need to have security in place because “no one’s interested in little old me.”
Attackers don’t have to target you from the start: they can use automated techniques to find a list of vulnerable victims from a very broad list, and only then decide which victims to target specifically.