On December 23, 2015, an ordinary working day in a harsh winter, at 4:00 p.m. a large number of users and industries lost their supply of electricity. The situation only began to recover from 7:00 p.m. That is a long time, especially for the inhabitants and industries affected: not only because of the number of hours, but because of the immense number of users and the large region involved. The economic damage was enormous.
However, in terms of response time, and given the magnitude of the incident, the response team reacted quickly. Most energy companies anywhere in the world would not have been in a position to respond in the same way in such a short time. Where the vast majority would have been completely taken aback, the response team knew how to handle the situation effectively. News of the incident began to spread through the world's media.
Before the end of the year, it was already the most widely discussed Industrial Cybersecurity incident of the year. The Industrial Cybersecurity research agencies were surprised and, at the same time, interested in collaborating on the investigation. What happened? And how did it happen? While the analysis and forensic work continue, even to this day, several points are already very clear.
1. BlackEnergy malware infected several computers in the IT Network. BlackEnergy (also known as DarkEnergy) is malware that has existed since 2008, and each of its modules has mutated over time. In this incident, the third variant of BlackEnergy was used as the initial attack vector; it gave the attackers access to the computers of the power distribution companies and the ability to communicate with them remotely. This malware was not detected on the operator stations of the Control Systems.
However, it is certain that the intruders managed to obtain and exfiltrate information about the Interconnected Electrical System. One of BlackEnergy's modules, known as KillDisk, was used to deny access to corporate computers as one of several distraction and delay measures on the day of the incident. Earlier reports revealed that in March, attempts to enter the electricity companies with the second version of BlackEnergy had been detected. In July, the alert for these attacks was lifted. It should have been treated as a warning, not as a matter that was already under control.
2. An attack hit the telephony systems of several of the companies at the same time. This simultaneous attack on the communications and telephony systems of several energy companies, possibly a denial of service (DoS), prevented the help desks of the energy transport companies from receiving complaints from affected users. This alone is clear evidence that the incident was thoroughly planned.
The power outages began quite some time before the companies became aware of what was really going on. One of the providers even posted messages on its website informing visitors that the company was having problems with the power supply in several locations, but it could not give an estimated time for restoration. The situation was critical, and they did not know what was happening. The blows came from all sides.
3. Several of the Sub-station Control Systems were compromised. When the response teams went to re-establish the control systems of each power sub-station, they realized that the Field Control Systems, the PLCs and RTUs, had also been compromised. Subsequently, it was found that the firmware of the devices had been corrupted or modified, and their configurations had been altered. The control systems of 16 sub-stations were found in this condition. This is further clear evidence that the incident was no coincidence. The electric power distribution companies of western Ukraine had been the victims of an intentional attack, carried out with high motivation and advanced technical knowledge of Control Systems.
4. The Operating Stations of some SCADA Systems were accessed remotely. An operator, minutes before his shift change, recounted how a "ghost" suddenly took control of his workstation and began to act on the sub-stations. In just a few seconds, he watched this supposed ghost leave a large number of users and industries without power. The ghost was able to pass through the verification and confirmation steps that the operator's actions normally require.
The Operator had no time and no means to prevent it. It was not a ghost. The remote access VPN links had been breached. The SCADA was being operated from outside, and the hackers were in control of the system. The operators could no longer see what was happening. Their access credentials did not work: the system's own security measures had locked the operators out. A Control System operator at Prykarpattyaoblenergo, while finishing the paperwork for the end of his shift, suddenly observed the cursor of his System Operation Station move towards a corner of the screen. The cursor then quickly began to perform a series of actions on the screen and maneuvers in the sub-stations.
The ghost operator selected a substation, went straight to it without wasting time, knowing exactly where to click, selected the breaker and gave the order to open it. The SCADA System has a confirmation sequence, as is typical for SCADA systems in the electrical sector (Select Before Operate, among others): the ghost gave the order, confirmed the sequence like an expert, and went on in the same way through the 30 sub-stations of that operator.
The one-line diagrams and the various screens are not easy to understand; they require knowledge of Electrical Networks. The operator tried to stop the process, but could do nothing. The worst had already begun, even before this incident: many users were suffering power outages before the operator saw the cursor move. That was not all. At the same time, similar incidents were happening in the control centers of other energy companies. The number of sub-stations being put out of service was multiplying rapidly.
A little more than three months after the incident, and knowing only some of the results released by the various investigation agencies, there is no doubt that it was a Cyberattack: planned, elaborated and executed with great effectiveness. Perhaps those responsible expected the damage they would cause to be much greater. The efficient recovery by the Response team ensured that the losses were not far greater. What would have happened if the incident had continued throughout the night? Those responsible were not opportunists. They knew perfectly well what they were doing, and it was entirely premeditated.
They were strategic, detail-oriented and planned for months. Multiple attacks were orchestrated in synchrony, like a genuine choreography. While most people blame the malware, it is clear that behind this incident there was significant logistics and motivation. Given these facts, the malware could have been a distraction to hide the real attack vectors. In fact, no malware was found in the control systems or on the SCADA Operation Stations. The protections installed on those systems to prevent entry from the corporate network proved effective.
However, the activist group, faced with this situation, did not give up and looked for other ways into the control systems.
The different perspectives of the attacks. While some believe that all this damage was caused by a hacker or group of hackers working from the IT Networks, we know that reaching the low level of control this way is not possible. Changes to the firmware, configuration and programming of the Control Systems cannot be made simply by accessing the Operating Room or the SCADA Room, as one of the operators related, or through the BlackEnergy malware found in the IT Networks.
This is especially true in an Electric SCADA with networks several years old, where accessing the firmware of field devices and making modifications without arousing suspicion or generating events is not possible. There is no doubt that there was an intelligence effort, there was planning, and, even more, there was knowledge not only of the Electricity Grid of the region but also of the SCADA, PLCs, RTUs, communications and their vulnerabilities. It is also known that the loss of the SCADA system in a well-conceived design does not by itself cause the loss of energy supply. To achieve that, the PLCs and RTUs must be reached.