# The BlackEnergy Attack: Cyber-Attack on the Ukrainian Power Grid in 2015

# Introduction

- December 23, 2015: massive power outages lasting up to three hours in the Ivano-Frankivsk region [^2]
- Impacted 225,000 to 700,000 people [^2]
- First reported power outage and attack on an energy company caused by a cyber-attack [^2]
- Engineers lost automated control capabilities and were forced to switch to manual operation to restore service [^2]

# Context

- Time of civil unrest in Ukraine (2014 Ukrainian revolution) [^1]
  - Violent protests
  - Government was overthrown
  - Ukrainian president ousted
- Annexation of Crimea by Russia [^1]
- War with Russia in the Donbas region [^1]
- Strong interest from Russia in energy supplies from Ukraine [^1]
- Russia controlled gas supplies to Ukraine and had used energy and gas as a coercive tool for decades [^1]
- Ukraine was searching for ways to gain energy independence from Russia [^1]
- Russia has used cyber operations for espionage and sabotage for decades alongside traditional military force and political and economic pressure (hybrid warfare) [^1]
- Ukraine as a backdoor to the rest of Europe [^1]

# Attackers

- Russian-based group known as **Sandworm** (aka Voodoo Bear)

# Target of attack

- Ukrainian power companies [^2]

# Motivation of attack

- Hacking of Ukrainian IT systems was used to create chaos and a smokescreen [^1]

# Protective measures

- Control network was secured behind a firewall [^1]

# Risks/vulnerabilities

- No two-factor authentication
- Lack of training against spear-phishing attacks
- Leaked insider knowledge

# Method of attack

- Many contributory factors, but the trigger was malicious software introduced into three Ukrainian power utilities via an explicitly targeted spear-phishing attack using Microsoft Office spreadsheet attachments supposedly from the Ukrainian Parliament [^2]
- Spear phishing attacks are ...
- BlackEnergy is a malware weapon frequently associated with Russia-based cyber-attacks [^2]
- Denial of service attack (DDoS)

# Before Attack

- Before the attack there was likely a thorough pre-attack surveillance of the network, suggesting the possibility of an insider being involved [^2]
- Reconnaissance phase may have started in early 2014 [^1]
- Spear-phishing emails were sent from mid-2014 to mid-2015 to employees of various power companies around Ukraine [^1]
- Users were prompted to "click here" to "enable macros", which triggered the installation of **BlackEnergy** [^2]
- The BlackEnergy malware is known for remaining inactive for long periods before activating to cause damage or steal data [^2]

# Attack progression

- Allowed attackers to take over the internet-connected control systems to open circuit breakers at around thirty substations [^2]
- Likely through obtained worker credentials and VPN login [^1]
- The malware also allowed the attackers to disrupt communication between the control systems and the main network by targeting the serial ports, which put the attackers in stealth mode so they could operate freely [^2]
- Additionally, the malware installed a 'KillDisk' plugin which damaged the disk drives of the control systems; this prevented the systems from restarting and made it harder to restore power [^2]
- Stealth attributes were used in the malware to avoid detection and to complicate post-incident forensic analysis, keeping the identity of the attackers private [^2]
- Another attack was launched during the attack [^1]
  - Telephone denial of service attack (DDoS) against customer call centers to prevent customers from reporting outages
  - Call centers were flooded with calls from Russia to prevent legitimate users from getting through

# Aftermath

- Effects were felt for months because the attackers overwrote critical firmware at over 16 substations, which forced manual operations for months [^1]
  - Prevented engineers from sending commands to reclose the breakers
- Paved the way for similar attacks [^1]
- Fear that a next, bigger attack could be possible [^1]
- Cyberwarfare is real and might become a more common tactic, and infrastructure is more vulnerable to this [^1]

# Aspects of information security

- **Access to Engineer Accounts (Authenticity):** The attackers managed to acquire legitimate credentials, likely through the BlackEnergy malware delivered via spear-phishing. This breach compromised the authenticity of the system, as unauthorized attackers gained access by masquerading as legitimate users. Authenticity in information security refers to the assurance that information, transactions, and communications are genuine and from verified sources.
- **Modification of Firmware (Integrity):** The attackers rendered serial-to-Ethernet devices at substations inoperable by corrupting their firmware. This action directly targeted the integrity of the hardware components of the power grid, altering their intended function and reliability.
- **Use of KillDisk Malware (Availability and Integrity):** The KillDisk malware was employed to erase selected files and corrupt the master boot record of systems, rendering them inoperable. This not only disrupted the availability of critical systems needed for the power grid's operations but also directly attacked the integrity of the data and systems by maliciously altering and destroying data and system functionality.
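The initial access vector in these notes was a spreadsheet attachment whose "enable macros" lure installed BlackEnergy. As an added example (not from the original notes or any cited source), here is a mail-gateway check that flags spreadsheet attachments carrying a VBA project. It relies only on the OOXML container layout (a `xl/vbaProject.bin` part declared in `[Content_Types].xml`); the sample workbooks are constructed in memory, and routing legacy OLE2 `.xls` files to manual review is an assumed policy choice.

```python
"""Gateway check for macro-carrying spreadsheet attachments (added example).
OOXML workbooks are zip files: a VBA project is stored as xl/vbaProject.bin and
declared in [Content_Types].xml; legacy OLE2 .xls files get routed to review."""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound-file header


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Return {'name', 'has_vba', 'verdict'}; verdict is block/review/allow."""
    result = {"name": filename, "has_vba": False, "verdict": "allow"}
    if data.startswith(OLE_MAGIC):
        result["verdict"] = "review"  # legacy binary format: sandbox or human review
        return result
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # not an Office container; other checks apply
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace") if "[Content_Types].xml" in names else ""
        result["has_vba"] = (any(n.lower().endswith("vbaproject.bin") for n in names)
                             or VBA_CONTENT_TYPE in ctypes)
    if result["has_vba"]:
        # Block regardless of the claimed extension: a .xlsx carrying VBA is itself a red flag.
        result["verdict"] = "block"
    return result


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal OOXML workbook (not a real sample), with or without VBA."""
    overrides = ('<Override PartName="/xl/workbook.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>')
    if with_vba:
        overrides += f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", f"<Types>{overrides}</Types>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"constructed-vba-stub")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("budget.xlsm", build_sample(True)), ("budget.xlsx", build_sample(False)),
                       ("legacy.xls", OLE_MAGIC + b"\x00" * 8)):
        print(inspect_attachment(name, blob))
```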
# Mitigation Opportunities

- Requiring two-factor authentication
- IT supervision [^1]
- Secure network diagrams, documentation, programs and manuals against unauthorized access [^2]
- Better user training for working with attachments [^2]
- Update hardware and operating systems; for example, old unused ports should be locked or disabled and all unused OS services eliminated [^2]
- Secure network-accessible computers [^2]
- Network monitoring [^2]
- Protect the network with firewalls and application whitelisting [^2]
- Anti-virus protection [^2]
- Secure consoles with badges, passwords, access logs and locked wiring cabinets [^2]
- Video surveillance of control rooms with monitoring and analytics [^2]

# Preparation

- Disaster recovery exercises [^2]
- Peer site security reviews [^2]
- Test application whitelisting [^2]
- Preloaded disk drives to quickly provision and reboot [^2]
- Comprehensive defense strategies [^2]

# Resources

[^1]: [Who turned out the lights in the Ukraine? 2015 Black Energy attack](https://www.youtube.com/watch?v=I5SI-pUbq-g)
[^2]: [CYBER-ATTACK AGAINST UKRAINIAN POWER PLANTS](https://garylehman.net/wp-content/uploads/2016/01/Cyber-Attack-Against-Ukrainian-Power-Grid-Implications.pdf)
[^3]: [BlackEnergy](https://en.wikipedia.org/wiki/BlackEnergy)