Crims shut off Ukraine power in wide-ranging anniversary hacks
Phishing, denial of service, and remote exploitation part of hacking banquet
Hackers of unknown origin cut power supplies in Ukraine for a second time in 12 months as part of wide-ranging attacks that hit the country in December.
The attacks were revealed at the S4x17 conference in Miami in which Honeywell security researcher Marina Krotofil offered reporters some detail into the exploitation that began 16 December and raged for four days.
She told Dark Reading attackers triggered an hour-long power black out at midnight 17 December by infecting the Pivnichna remote power transmission facility, knocking out remote terminal units and the connected circuit breakers.
Further attacks against the State Administration of Railway Transport left Ukrainians unable to purchase rail tickets and delayed payments when the Treasury and Pension Fund was compromised.
It was the second network-centric attack to knock out power supply in Ukraine. Attackers of suspected Russian origin targeted facilities in December 2015.
Those 23 December outages affected Ukraine's Prykarpattya Oblenergo and Kyivoblenergo utilities cutting power to some 80,000 customers for six hours.
Last month's attacks also used the BlackEnergy and KillDisk malware. Other hacks included highly-convincing and successful phishing attacks against an unnamed Ukrainian bank, various remote exploitation, and denial of service attacks.
The phishing attack on 14 July last year used the ancient trick of malicious Word document macros but wrapped it in high levels of obfuscation and anti-forensics.
Information Systems Security Partners head of research Oleksii Yasynskyi, who worked on dissecting the hacks, reckoned the attackers were a mix of groups specialising in different aspects of offensive security, from infrastructure to obfuscation and payload delivery.
Phishing emails numbered in the thousands. Hackers kept quiet observation for months whenever one payload was successful at breaching one of the Ukrainan assets, Krotofil told MotherBoard
Yet the attackers' origin was not disclosed, if it is known; Kiev laid blame squarely on Russia for the similar 2015 utility hacking.
Krotofil told Dark Reading the Ukraine's utilities may be seen as a test bed for attacks elsewhere, something she says is common with Russian hackers.
Alex Mathews, security evangelist lead with Russian SCADA and industrial control system outfit Positive Technologies told El Reg says vulnerabilities in critical infrastructure are easy to find and difficult to get fixed.
“It takes just two days to find a new SCADA flaw, yet almost a year to get it fixed," Mathews says. "The vulnerability of our critical infrastructure is evident.
"Those charged with protecting industrial control system and SCADA networks must acknowledge that they’re exposed to cyber threats and take steps to reduce the risk." ®
Bootnote While concerns the attacks are a test bed for further control system hacking in other countries, compromising such infrastructure cannot be done by cookie cutter hackers.
Control systems are highly specialised with proprietary and often undocumented protocols that are not ordinarily understood outside of specialist fields.
Using Ukraine as a means to hack US energy companies for example is further troubled by the variance in security controls that may exist in front of and around control systems. ®