Experts compete to find Ukraine grid hack 'smoking gun'

Following article has been re-published with the permission of Energy Wire 
(original text available at http://www.eenews.net/energywire/stories/1060031555/)

Experts compete to find Ukraine grid hack 'smoking gun'Blake Blake Sobczak, E&E reporter
Published: Monday, February 1, 2016

A six-hour blackout in western Ukraine has continued to puzzle investigators weeks after the lights came back on.

The Dec. 23 power outage in Ukraine's Ivano-Frankivsk region was minor by most standards, severing electricity to 80,000 households. Half a world away, windstorms were busy knocking out power to more than twice as many utility customers in northern Michigan.

But Ukraine's outage that day resulted from a complex attack combining malware, a flood of telephone calls and, perhaps, a few unwitting accomplices in grid control centers.

Ukrainian officials are dissecting the BlackEnergy strain of malware found to have infected energy, media and government organizations across the country. Authorities haven't yet offered a detailed account of Dec. 23's events, so security researchers have pieced together their own -- sometimes competing -- versions of what happened.


"We are still missing data, or maybe the authorities didn't share all the data they had," said Udi Shamir, chief security officer of SentinelOne, which has published one of the more detailed analyses of a new BlackEnergy malware variant. "The amount of people who really know what's happened ... they're really outnumbered compared to the researchers, and nobody's going to talk about it -- not in the public, not for now."

The million-dollar question for cybersecurity experts is: How did the attackers in Ukraine actually manage to cause the outage?

As Sean McBride, lead analyst for critical infrastructure at cybersecurity firm iSIGHT Partners Inc., put it at a conference last month, "We've got the dead body and the bullet hole, but no gun."

Sniffers and phishers
In its report last week, SentinelOne uncovered a "sniffer" module in BlackEnergy that shows attackers were interested in gathering login credentials and other pertinent information from industrial control systems. But researchers, including Shamir, largely agree that the BlackEnergy malware itself did not directly cause the outage. Questions also remain as to how BlackEnergy spread among power distributors in Ukraine, infecting enough machines to allow for a relatively far-ranging impact when attackers pulled the trigger.

The initial entry point into victim companies, including Ukrainian electricity provider Prykarpattyaoblenergo, appears to have been a targeted "phishing" email with a malicious Word document attached.

But Shamir said he isn't so sure employees were duped by a Microsoft Office document, suggesting instead that the unknown hackers may have had help on the inside from at least one of several utilities affected. That's because the attack vector used was more than a year and a half old, a relic from an earlier BlackEnergy campaign that also targeted energy systems in Ukraine.

If the Microsoft Office vulnerabilities really hadn't been addressed in that time -- meaning an employee could have been legitimately fooled -- "I think the people in Ukraine need to raise some very hard questions to their [computer emergency response team], because it's very alarming," Shamir said.

Analysts at Kaspersky Lab, who offered an in-depth look at the malicious Word document recovered from targeted computers, weren't surprised by the campaign's continued success.

"In general, we are seeing the use of Word documents with macros becoming more popular in [advanced, persistent] attacks," said Costin Raiu, director of Kaspersky's global research and analysis team. "For instance, recently we observed the Turla APT group using documents with macros to launch a similar type of attack. This leads us to believe that many of these attacks are successful and that this is why their popularity is increasing."

Cyber confusion?
Knowing how attackers probably got in, however, doesn't answer how they were able to shut off power, if at all. There's a huge difference between leveraging a compromised Word document to gain a foothold on a computer network, and then moving laterally along that network and reaching all the way into industrial controls, observers say.

Robert M. Lee, one of the first researchers to cite evidence that the Ukrainian power outage involved a cyberattack, has said he's moderately confident that attackers used BlackEnergy as their entry point to more critical networks.

What they did after that first step is less certain, however, according to multiple sources examining the evidence available from the attack. The hackers could have remotely hijacked the human-machine interfaces that offer windows to physical grid components, or they could have deployed some as-yet-undiscovered module for tripping breakers on the power grid. It's possible that the "smoking gun" researchers are looking for automatically destroyed itself after damaging the control systems.

All of the experts contacted by EnergyWire shared their thoughts with the caveats that what triggered the outage is still unknown and that their theories are just that -- subject to change as new evidence emerges.

Joel Langill, a specialist in control system cybersecurity and author of the SCADAhacker blog, said he thinks "malware could have been used to cause events that would have led to human decisions being made incorrectly."

In other words, he said, BlackEnergy's presence, coupled with a denial of service attack on telephone networks used for reporting outages, created an atmosphere of "cyber confusion" that may have triggered the temporary blackouts.

But even if malware didn't directly cause customers to lose power in Ukraine, Langill said utilities don't yet have reason to rest easy.

"Maybe this was a trial run, to see a proof-of-concept -- whether or not it could happen," he said. "Until we really understand the sequence of the attack, people aren't really going to understand what to do, and that's where I get a little nervous."

'One plus one plus one'
One of the best ways to recover from the new spate of BlackEnergy infections was published by the U.S. Industrial Control Systems Cyber Emergency Response Team in fall 2014.

While no evidence has emerged to suggest U.S. utilities have fallen victim to new BlackEnergy attacks, the industry has taken the Ukraine case as an opportunity to re-emphasize good security practices for grid operators. ICS-CERT even dusted off its old notice to add new information from the Ukraine threat.

"We are continuing to monitor what's going on there and look for those lessons learned," said Scott Aaronson, managing director for national security policy at the Edison Electric Institute, which represents investor-owned utilities in North America.

Aaronson pointed out how "hard" it is for researchers to put together the disparate clues and say with certainty that a cyberattack took place.

"What we know is that there was a power outage just before Christmas in Ukraine, there was a denial of service that happened in close relation to that, and malware was found on the Ukrainian utilities' systems," Aaronson said. "One plus one plus one does not necessarily equal three."

Cyberattack or not, he said, "the fact is, the power went out and they had to respond -- and we would do the same thing here."

-------------------------------------------------------------
Want to read more stories like this?
Click here to start a free trial to E&E -- the best way to track policy and markets.

ABOUT ENERGYWIRE – THE TRANSFORMATION OF THE ENERGY SECTOR
EnergyWire is written and produced by the staff of E&E Publishing, LLC. EnergyWire is designed to bring readers deep, broad and insightful coverage of the transformation of the energy sector. EnergyWire focuses on the business, environmental and political issues surrounding the rapidly expanding unconventional energy industry and the numerous factors -- from expanding natural gas use to renewables and more -- that are altering the traditional electric utility industry. EnergyWire publishes daily at 9:00 a.m.