Cyberattack on Ukraine grid: here’s how it worked and perhaps why it was done

Growing sophistication
BlackEnergy started as a malware system for launching denial-of-service (DoS) attacks, which are designed to prevent legitimate users from accessing a server by any one of a number of possible mechanisms. BlackEnergy has since evolved into an effective system for data exfiltration, or the unauthorized transfer of data from a computer. Such a transfer may be manual and carried out by someone able to access the computer, or it may be automated and carried out through malicious programming placed on the computer being attacked.

About two years ago, a new version of BlackEnergy began to appear with new functions that included stealing passwords, covertly taking screenshots, gaining persistent access to command and control channels and destroying hard drives.

More recently, security software maker ESET found evidence of several new features, including a wiper component dubbed KillDisk. A wiper is software designed to erase portions of a disk and can be used to cover up evidence of an attack. In the Ukraine attack, it is not clear whether BlackEnergy itself was used, but some of its components were present; in particular, there is evidence of KillDisk.

Some experts contend that this may not technically have been a cyberattack. The malware allowed attackers to manually intervene in the grid’s operation; by contrast, the Stuxnet software inflicted damage on industrial machines on its own.

Regardless, this was a sophisticated attack that required coordinating several different types of malware, which together appear to have enabled it.

Worries over disabling nuclear plants
The Ukrainian power grid has several attributes that cause some special concern.

The bulk of the power production at any time is provided by nuclear power plants, which provide most of the steady “baseload” power to supply electricity through most of the day.

To meet fluctuations in demand (for instance, increases in power use in the morning as people begin their day), grid operators in Ukraine rely primarily on coal power plants. They do not have many avenues to import power from other countries to meet spikes and dips in demand.

This situation means that if a cyberattack causes a power outage, Ukraine’s grid operators may not be able to respond rapidly enough and export the resulting excess power, which would lead to grid instabilities and the need to shut down nuclear reactors.

There is also the issue of cooling of reactors in the event of a power outage. The cooling pumps in the nuclear reactors in Ukraine are dependent on AC power input from the grid, thereby making them susceptible in the event that backup diesel generators cannot be started.

Broader concerns
Could this happen in the West? In short, yes. U.S. utilities use software products from various major vendors that have been the targets of a Sandworm BlackEnergy campaign.

Thus far, there doesn’t seem to have been any financial benefit from the attack. What’s more, when attackers use malware, they expose their methodology, which makes it possible for security people to develop protections for that line of attack. So we have to wonder what they had to gain from the exercise.

If they have nothing to gain in the short term, like robbing banks while the grid is down, did they gain valuable experience for their next, more effective attack?

The ability to hack into a utility to throw switches (breakers) at substations, as was done in Ukraine, opens up the possibility of more serious types of attacks, as was demonstrated by the Aurora Test. In that controlled experiment, circuit breakers associated with a generator were opened and closed using software in a way that resulted in permanent damage to equipment.

While it’s hard to know the attackers’ intentions for sure, it appears likely that the Ukraine power grid was attacked with at least the help of the BlackEnergy malware, increasing the technological potential for disrupting power grids in general.

This incident underscores the need for diligence and the increased effort in cybersecurity that we are seeing in the government and private sectors. The continuously increasing dependence on the power grid is driving the need for cybersecurity to be part of the design of all new systems.

Michael McElfresh is Adjunct Professor of Electrical Engineering, Santa Clara University. This article is published courtesy of The Conversation (under Creative Commons-Attribution/No derivative).