pixel_dreams - Fotolia
The cyber attacks that downed two power suppliers in Ukraine in December 2015 were not isolated, but part of a multi-stage, targeted attack on the Ukrainian industrial network, say researchers.
A key element of the cyber attacks was the BlackEnergy Trojan used to deploy a destructive disk-wiping component, known as a “KillDisk”.
Around half the homes in Ukraine’s Ivano-Frankivsk region plunged into darkness for several hours; but researchers at security firm Trend Micro also discovered that a major mining company and large railway operator – part of the national railway system – were also targeted.
These attacks appear to have been aimed at crippling Ukrainian public and criticial infrastructure in a politically motivated strike, according to Kyle Wilhoit, senior threat researcher at Trend Micro.
In hunting for additional infections or malware samples related to attacks on the power companies, Wilhoit and his colleagues found samples of BlackEnergy and KillDisk that may have been used against the mining and rail companies.
“The possible infections in the mining and railway organisations appear to use some of the same BlackEnergy and KillDisk infrastructure that were seen in the two power facilities attacks,” Wilhoit wrote in a blog post.
Read more about industrial control system security
- Industrial control systems should be securely managed by the enterprise, specifically when suppliers need access to them.
- Targeted attacks on industrial control systems are the biggest threat to critical national infrastructure, says Kaspersky Lab.
- Hackers have been penetrating industrial control systems for at least a decade for extortion, yet little is known about how they gain access.
Malware and timing overlap
One sample from the mining company, he said, appears to have been used in November 2015 to infect its target, while another sample had exactly the same functionality and used the same communication infrastructure as the samples seen in the Ukrainian power utility attack.
In the case of the railway company, the researchers found indications of the same KillDisk malware used against the power companies and the mining company.
“This appears to be the only spillover from the Ukrainian power utility infection. However, we have no proof showing that BlackEnergy was present on the railway systems, it could be assumed that it was likely present somewhere in their network,” said Wilhoit.
The researchers believe the same actors were responsible for all four attacks because of the overlap between the malware used, infrastructure, naming conventions, and the timing of the attacks.
“This proves that BlackEnergy has evolved from being just an energy sector problem to a threat that organisations in all sectors—public and private—should be aware of and be prepared to defend themselves from,” said Wilhoit.
Weapons testing theory
The researchers believe the attacks may have wanted to destabilise Ukraine through a substantial or persistent disruption involving power, mining and transportation facilities.
Another possibility, said Wilhoit, is that they have deployed the malware to different critical infrastructure systems to determine whic- is the easiest to infiltrate and subsequently wrestle control over.
A related theory is that the infections in the mining and train companies may have just been preliminary infections, where the attackers are just attempting to test the code base.
“Whichever is the case, attacks against industrial control systems (ICS) should be treated with extreme seriousness because of the dire real-world repercussions,” said Wilhoit.
Ed Cabrera, vice-president of cyber security strategy at Trend Micro, said the co-ordination and sophistication of these attacks suggested a “menacing pattern” to disable Ukraine’s critical infrastructure supply chain.
“By permeating both public and private sectors, these destructive efforts are going far beyond what was originally detected,” he said.
Networked holistic defences needed
According to Cabrera, government and privately owned critical infrastructure organisations, regardless of size, need to properly assess destructive malware threats and vulnerabilities they face, in addition to those of their supply chain partners.
“Protection of highly networked dependent infrastructure requires highly networked, holistic defences," he said, adding that these attacks reiterate the real-world repercussions of critical infrastructure attacks, and the need for cyber security measures to be taken, regardless of the nature or size of an industrial control system.