Hackers have allegedly brought down the power grid in Ivano-Frankovsk, Ukraine, marking the first time such an attack has been successfully carried out in the wild.
According to the local news agency TSN, on 23 December more than half of the residents of the region were left without electricity for several hours.
Specialists in industrial control systems have been analyzing the malware sample and tentatively identified it as BlackEnergy, a strain that has been deployed against targets in Ukraine last year.
Digital attacks against physical infrastructure have been long predicted by security professionals, but until now, the most notorious example of such an attack was Stuxnet, a virus that sabotaged a uranium enrichment facility in Iran back in 2009. It was later reported that Stuxnet was jointly developed by the US and Israel intelligence agencies.
According to TSN, anonymous hackers managed to take control of the mechanical systems that were updated to be managed remotely – presumably via the programmable logic controllers (PLCs), basic computers responsible for automation of industrial processes.
After being infected by malware, grid sub-stations owned by local energy provider Prikarpatjeoblenergo suddenly started shutting down. Power was restored around six hours later, when some of the systems were switched into a full “manual mode”. Getting rid of the infection itself was a bigger challenge.
Samples of the apparent malware were then shared with several major cybersecurity and threat intelligence vendors, including the SANS Institute, iSIGHT Partners, ESET and Trend Micro - however at the time of writing none have published a definitive analysis.
Meanwhile the press center of the Security Service of Ukraine was quick to blame Russian intelligence agencies for the attack.
The team at ESET came to the conclusion that the malware is part of BlackEnergy – a Trojan family previously detected in the systems of several energy companies operating in Ukraine. According to Symantec, it was also used in the summer 2015 to attack Ukrainian media organizations.
ESET went on to suggest that BlackEnergy could have been used to plant a KillDisk (aka Disakil) component onto the targeted computers to wipe stored data and render them inoperable.
However, the company stopped short of saying that it was KillDisk that caused the outages in Ivano-Frankovsk – just that it was a likely scenario.
“Our analysis of the destructive KillDisk malware detected in several electricity distribution companies in Ukraine indicates that it is theoretically capable of shutting down critical systems,” ESET’s Robert Lipovsky and Anton Cherepanov wrote in a blog post.
“However, there is also another possible explanation. The BlackEnergy backdoor, as well as a recently discovered SSH backdoor, themselves provide attackers with remote access to infected systems. After having successfully infiltrated a critical system with either of these trojans, an attacker would, again theoretically, be perfectly capable of shutting it down. In such case, the planted KillDisk destructive trojan would act as a means of making recovery more difficult.”
Opinion: It’s fairly strange that even after getting a sample of code, the cyber security industry is unable to confirm if the BlackEnergy strain was used in the attack.
Some researchers cite unconnected events in Ukraine, while others translate “telephone flood” as a DDoS attack, even though it might just as well be unhappy customers ringing about their electricity.
Add a dose of geopolitics and good old-fashioned propaganda, and you can see why reporting on the subject is difficult. More than a week after the attack, we still have no idea what actually happened.