A few days before Christmas, several thousand homes in the historic city of Ivano-Frankivsk in Ukraine lost power. Normally such an event would be considered a mere inconvenience for Ukrainians battling the region's harsh winter, but this was much more significant. For the first time ever known, hackers proved capable of completely knocking a power station offline.
Ars Technica interviewed John Hultquist, head of cyber espionage intelligence for iSIGHT Partners, a security firm, about the significance of the incident. Hultquist said the powerful malware that infected three major power authorities in Ukraine was "a milestone" for how hackers can impact infrastructure like power grids that keep life chugging along. Hultquist said there have been "targeted destructive events against energy before," like oil companies, "but never the event which causes the blackout."
Does this sound like the plot of Live Free or Die Hard to you? It should — but this time, it's real.
Ars reported that security researchers identified the malicious software used to target the Ukrainian stations as the BlackEnergy Trojan, a backdoor that has been in use by hackers for almost nine years. Hackers keep updating and adding new features to BlackEnergy to render it super-destructive. One example: BlackEnergy can make an infected computer "unbootable." Once it goes down, that is, you can't get it back up again.
How could such vicious code get into the guts of computers controlling the vital power and water infrastructure that services entire populations? It's likely through an email-based hacking technique called spear-phishing. Security experts writing for ESET.com described the way this happens:
The attack scenario is simple: the target gets a spear-phishing email that contains an attachment with a malicious document. The Ukrainian security company CyS Centrum published two screenshots of emails used in BlackEnergy campaigns, where the attackers spoofed the sender address to appear to be one belonging to Rada (the Ukrainian parliament). The document itself contains text trying to convince the victim to run the macro in the document. This is an example where social engineering is used instead of exploiting software vulnerabilities. If victims are successfully tricked, they end up infected with BlackEnergy Lite.
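The two signals the ESET quote names, a spoofed sender address and a document that asks the reader to run a macro, are both visible at the mail gateway before anyone opens the attachment. The following is an added example, not code from ESET, Ars Technica or the original article: it builds a constructed message whose displayed From domain differs from its Return-Path and that carries a `.docm` attachment, then checks the OOXML container for a `vbaProject.bin` part (the part Word stores a VBA project in) and compares the two sender domains. All domains, filenames and the minimal zip layout are constructed placeholders; no real sample is reproduced.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr


def build_docm(with_macro: bool) -> bytes:
    """Constructed stand-in for an OOXML document: a zip with the usual
    parts, plus word/vbaProject.bin when it carries a VBA macro project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


def build_sample_email(with_macro: bool) -> bytes:
    """Constructed lure: displayed sender claims one domain, the envelope
    sender (Return-Path) comes from another, and the body asks for macros."""
    msg = EmailMessage()
    msg["From"] = "press-office@parliament.example"        # spoofed display sender (placeholder)
    msg["Return-Path"] = "<bounce@unrelated-host.example>"  # envelope sender (placeholder)
    msg["Subject"] = "Updated regulation (please enable content)"
    msg.set_content("Please open the attached document and enable macros to view it.")
    msg.add_attachment(build_docm(with_macro), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="regulation.docm")
    return msg.as_bytes()


def has_vba_project(blob: bytes) -> bool:
    """True if the blob is a zip (OOXML) container holding a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def domain_of(header_value) -> str:
    """Extract the lower-cased domain from an address header, or '' if none."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes) -> dict:
    """Gateway-style check: sender-domain mismatch plus macro-bearing attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    findings = {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "sender_mismatch": bool(envelope_domain) and from_domain != envelope_domain,
        "macro_attachments": [],
    }
    for part in msg.iter_attachments():
        if has_vba_project(part.get_payload(decode=True)):
            findings["macro_attachments"].append(part.get_filename())
    # Either signal alone is common in benign mail; together they warrant quarantine.
    findings["suspicious"] = findings["sender_mismatch"] and bool(findings["macro_attachments"])
    return findings


if __name__ == "__main__":
    print(triage(build_sample_email(with_macro=True)))
```

The domain comparison is a deliberately cheap proxy for the SPF/DKIM alignment check a real gateway performs; a mismatch between From and Return-Path is exactly what header spoofing of the kind described above produces, and the zip inspection catches macro-enabled documents regardless of the file extension they were renamed to.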
Once inside a system, BlackEnergy deploys its own internal killer app, KillDisk. The attack against the Ukrainian systems, according to analysts cited by Ars Technica, could have been the result of KillDisk shutting the power stations that power Ivano-Frankivsk down cold—that, or a separate component of BlackEnergy gave hackers full remote control and they simply flipped an off switch.
Infrastructure attacks and industrial espionage have long been part of warfare, but this level of sophisticated attack is relatively unheard of. And while the United States and Israel collaborated on Stuxnet, a cyber weapon that eventually infiltrated Iranian power systems and disabled nuclear reactors, the attacks on Ukraine's power grid mark the first known instance of malware being used to disrupt a utility on a relatively large scale.
The Ukraine power system take-downs seem to signal a warning to any country dependent on large-scale infrastructure: lock your essential systems tight now, because your neighborhood could be the one that mysteriously goes dark tomorrow.
h/t Ars Technica