Techie on the ground disputes BlackEnergy Ukraine power outage story

False flags?

False flag operations are covert ops deliberately mounted to deceive observers into thinking that a particular group or foreign country carried out hostile actions that were in fact nothing to do with them. Such false flag ops are among the dark arts of statecraft and can be used to justify wars or push particular political policies.

Well-established incidents of false flag ops include the Reichstag fire, which the Nazis used to justify the repression of their political opponents in the 1930s, and the Gulf of Tonkin Incident, where supposed North Vietnamese aggression served as a pretext for subsequent US air strikes, lighting the touch paper on what became the Vietnam War in the process.

In a follow-up email, Illia noted that the “Ukrainian mass media and officials prefer to make hasty conclusions. As I wrote before in the comment - if any strange situation happens - blame the Russians."

A Ukrainian president spokesman blamed the Russians the day after the virus was detected.

He said something like "We have information that [the] virus [came] from Russia”, according to Illia, who described this as a “hasty conclusion” at best.

He said it was a wider question about whether actually caused the reported power outages in the Ukraine, even after reviewing ESET’s research and local research (in Russian) about BlackEnergy incidents against several Ukrainian companies.

[Was the] SCADA system ... connected to local network or even to Internet? Which system [did] they use - WinCC or something else?

As I understand, the system had been infected with BlackEnergyLite in 12th of May, 2014 [via] an email. The funniest part is that system had been accidentally infected, when the main targets were six railway companies in Ukraine.

The date for attack on Prikarpattyaoblenergo [was reported as] around 22 December, a professional celebration for all the energy workers [corporate work parties are traditionally held the week before Christmas], and just days before Christmas makes sense.

But Illia has doubts about suggestions that a denial of service attack against energy firm call centres was also in play. “I think the call centre had been overloaded simply because of quantity of callers. At the official site of energy company I have found, that 103 townships had [suffered] blackout[s] during the attack, and 183 townships had [suffered] blackout[s] partially,” he said. “Of course the quantity of calls was catastrophic.”

Other factors in the supposedly state-sponsored attack against power distribution system in the Ukraine raise numerous questions for Illia.

BlackEnergyLite (or BlackEnergy3) can download the main BlackEnergy2 with hardcoded proxies from a local network nodes of victim system. OK, that's how they got access, but how [did] they turn off all the telemetrics of the whole energy company?

How [was] that telemetrics system configured? Why did the company renew the energy supply with the hands on local township's substations? I mean - is the system configured correctly? If BlackEnergy is just a data remover… how can it turn off the system? Or [did one of the miscreants] work as a SCADA-operator and had learned before [about] the system [they were to] target?

Illia concluded: “Many Ukrainians will tell you that they don't think about such level of automatization in our energy industry. So for me the situation becomes stranger and stranger.” ®

Updated to add at 09:47 UTC, 28/01/16

ESET's Robert Lipovsky disagreed with our man on the ground's assessment of the attack, in particular the suggestion that electricity utilities were infected by accident.

"These attacks against electricity distribution companies weren’t accidental," Lipovsky said. "There were several intentional targets that we know of: electricity distribution companies, railway companies, Boryspil Airport in Kiev, news media companies."

He also clarified the timeline of the assault.

The mentioned emails from May 12, 2014 related to earlier BlackEnergy attacks mentioned at the 2014 Virus Bulletin conference (full presentation here).

He added: "Emails sent to electricity distribution companies (or at least one of the email campaigns that we’re aware of) are from March 24, 2015."

Lipovsky also provided a update on the latest findings on ESET's ongoing research into the high profile attack in Ukraine:

As we suspected, after having successfully infiltrated the target network, the attackers gained remote access to critical systems. We believe that is how the outages were actually triggered. BlackEnergy and the other trojans (Win32/KillDisk, Win32/SSHBearDoor, a modified version of an open-source gcat backdoor that we detect as Python/Agent.N) that we’ve detected were all used in the attacks.