1. Week 1 Assignment: Ukraine Power Grid Cyber Attack
Andres Brito (1007641) | Li Xinyue (1007389) | Mayukh Borana (1007395) | Suhasini (1007497)
Singapore University of Technology and Design
51.503 Secure Software Engineering
2. Contents
1. Introduction
a. Facts, dates, characters
b. The story of the attack: how and who
c. Consequences of the attack
2. Kinematics of Attack
a. Threat model
3. Analysis
a. Would traditional perimeter defenses mitigate such a threat?
b. Missing Defense Approaches
4. Conclusions
a. How to detect or prevent another similar attack
b. Takeaways
4. Facts, Dates, Characters
Date: 23 December 2015.
Suspected Actor: The Sandworm Group. The Ukrainian state security service (SBU) blamed Russia for the attack.
Target: Ukrainian energy company substations. In the case of the Prykarpattyaoblenergo substation, hackers successfully brought the network offline.
Target System: Microsoft Windows-based systems.
Purpose: The hackers intended to test a remote cyber operation directed against Ukraine’s critical energy infrastructure.
5. Facts, Dates, Characters cont.
Method:
- The first part of the attack is believed to have used an updated version of the BlackEnergy malware.
- The malicious code was sent through emails with malicious attachments, targeting specific individuals within the different energy companies in order to retrieve administrator credentials and gain access to the energy substation networks.
- During the second part of the attack, the actors activated the KillDisk destructive malware, which was able to wipe parts of the computers’ hard drives and prevent the systems from rebooting, ultimately leading to the power outages.
- Eventually, the hackers launched a TDoS attack (telephony denial of service) directed against the customers’ call center, preventing callers from reporting the outage.
6. The story of the attack - How
Stage 1: Spear Phishing
● In March 2015, malicious actors used spear phishing to compromise hosts that would allow them access to target networks.
● The emails sent contained a Microsoft Excel spreadsheet or Microsoft Word document. Opening the document and enabling its content led to the installation of the BlackEnergy3 malware on that computer.
● Multiple users were compromised.
Stage 2: Malware Used to Explore and Move in Network
● With the malware, reconnaissance and enumeration of the compromised network occurred for months.
● In April 2015, malicious actors installed additional backdoor malware on the compromised machines.
Stage 3: Credentials Obtained
● The Active Directory server was one of the compromised computers, possibly leading to a brute-force attack on the passwords stored there.
7. The story of the attack - How (cont.)
Stage 4: Virtual Private Network Tunnel Created
● With the credentials obtained (username/password), the hackers used an encrypted tunnel (VPN) to establish a presence on the networks.
● Standard remote access tools were used to gain access to the control system network HMIs.
Stage 5: Compromise and Reconnaissance of HMI Computers
● Access to one of the computers provided credentials for remote access to the HMI application, which in turn allowed the hackers to interact remotely with the control system.
Stage 6: Manipulate Circuit Breakers
● The hackers opened the breakers, took control of the computers at a control center and remotely shut down the substation.
● An employee at the center tried to take control of the computer but was unsuccessful, as he was logged out of his account by the hackers, who had changed his password.
8. The story of the attack - How (cont.)
Stage 7: Additional Attack Actions
● Telephony Denial-of-service: A TDoS attack was launched against the customer call center to prevent customers from calling to report the outage.
● UPS Remote Access and Shutdown: Shortly before the attack began, the hackers used UPS remote management interfaces to schedule a shutdown of the UPSs for the computer servers. This was done to interfere with incident response and restoration efforts.
Stage 8: Execute KillDisk on Target Computers
● The KillDisk malware was used to erase selected files on target systems and corrupt the master boot record, which renders the systems inoperable.
Key factors that caused the attack to happen (diagram): Social Engineering + Spear Phishing → gained entry to the network.
9. The story of the attack - Who
Sandworm:
● Alleged Russian cybermilitary unit with the purpose of cyberespionage and cyberwarfare.
● Attributed with using BlackEnergy in targeted attacks. BlackEnergy3 is a tool used by Sandworm for cyber espionage in the Ukraine power grid attack.
● Responsible for the December 2015 Ukraine power grid attack.
10. Consequences of the attack
● It is considered to be the first known successful cyberattack on a power grid.
● Hackers were able to successfully compromise the information systems of three energy distribution companies in Ukraine and temporarily disrupt the electricity supply to end consumers.
● Most affected were consumers of Prykarpattyaoblenergo: 30 substations were switched off, and about 230 thousand people were left without electricity for a period of 1 to 6 hours.
11. Consequences of the attack cont.
● The malware disconnected electrical substations, causing the blackout.
● To restore the normal activity of the substations, manual intervention by on-site operators was necessary, including switching the dispatch control center from “automatic to manual mode”, as the hackers had infected the SCADA manufacturer’s firmware.
● However, once restored, the impacted infrastructure kept on functioning under constrained operations.
● According to the CISO at security company SentinelOne, this group had very good intelligence, as they knew how to engineer the highest probability that someone would click a malicious link and activate the BlackEnergy malware. In most attacks, it is the human factor that leads to the infiltration.
12. Kinematics of the cyberattack
Step 1: Malware in the mail! (BlackEnergy)
● The malware used in the Ukraine power grid attack in 2015 was called "BlackEnergy." It was malicious software specifically designed to target industrial control systems (ICS) and was used to disrupt the power grid in Ukraine.
● BlackEnergy was delivered through a spear-phishing email that contained a malicious attachment which, when opened, installed the malware on the target's computer. The malware was capable of compromising and controlling the systems responsible for controlling the power grid, causing widespread power outages in Ukraine.
● BlackEnergy was sophisticated malware that was well designed to hide its presence and avoid detection. It used a variety of techniques, such as code obfuscation, rootkit functionality, and encrypted communication, to evade security systems and hide its presence on the infected system.
● The attack on the Ukraine power grid was a significant event in the world of cyber security, as it was one of the first instances of a successful attack on critical infrastructure that resulted in widespread power outages. The incident highlighted the importance of securing industrial control systems and the need for better security measures to protect against similar attacks in the future.
13. Network diagram
● The diagram is a simplified view of the network architectures (i.e., Internet, IT, OT) and will help depict each step of the cyberattack.
● The hacker is shown as the "black hat guy" at the top right side.
● The hacker used the utility's IT connection to the Internet as the channel to prepare and eventually trigger the cyberattack.
14. Step 2: Attack preparation, network scans, and advanced persistent threat (APT)
● The BlackEnergy malware was remotely controlled to collect data, hop from one host to another, detect vulnerabilities, and even make its way onto the OT network and perform similar "reconnaissance" activities.
● Forensic data analysis of this phase is incomplete, because the hacker did some cleaning up and wiped several disks during the actual attack. Nevertheless, prior analysis of BlackEnergy, as well as reasonable considerations about the standard process used for cyberattacks, makes the following reconstruction probable with reasonable confidence.
15. Step 3: Triggering the cyberattack
● In the afternoon two days before Christmas, as stated by an operator, the mouse moved on the human-machine interface (HMI) and started switching off breakers remotely.
● When the local operator attempted to regain control of the supervision interface, he was logged off and could not log in again, because the password had been changed.
● The whole attack only lasted a couple of minutes. The hacker used the preinstalled malware to remotely take control of the HMI and switch off most of the switchgear of the grids. Additional malware, in particular the custom-developed exploit, was used to prevent the operator from regaining control of the network by wiping many disks (using KillDisk) and overwriting the Ethernet-to-serial gateway firmware with random code, thus turning the devices into unrecoverable pieces of scrap.
● Additional "bonus" activities included performing a distributed denial-of-service attack on the call center, preventing customers from contacting the distributor, and switching off the uninterruptible power supply to shut down the power of the control center itself.
● This step was obviously aimed at switching off the power for hundreds of thousands of western Ukrainian subscribers connected to the grid. However, most of the effort was spent making sure that the power would not be switched on again: all the custom malware was developed with that objective. Once triggered, the only way for the operator to prevent that issue was to stop the attack as it was being performed.
16. Would traditional perimeter defenses mitigate such a threat?
Even though the networks in Ukraine’s distribution centers were segregated with a firewall, the attackers were still able to steal employees’ credentials and gain access to the systems controlling the breakers. This shows that a firewall as the only security system is not able to mitigate threats from cyber attacks.
Other traditional perimeter defenses such as an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) may be able to mitigate this issue. Even if attackers get past the firewall, they can be detected and stopped by the IPS. If they are able to reach an end-user computer and try to install malware, the IPS can detect it and remove it with an antivirus. If access through the firewall had required two-factor authentication, the threat of such an attack could have been mitigated.
17. IDS and IPS Perimeter Defense Systems
Intrusion Detection System (IDS)
● A reactive measure.
● It can weed out malware (such as BlackEnergy3 and KillDisk) and detect social engineering (such as spear phishing) assaults that manipulate users into revealing sensitive information (employees’ credentials).
Intrusion Prevention System (IPS)
● A proactive approach.
● Drops malicious packets, blocks offending IPs and alerts security personnel to potential threats.
It is evident that traditional perimeter defense systems such as IDS, IPS, or firewalls, coupled with authentication security systems, can mitigate the threat of such attacks but not completely eliminate it.
18. Missing Defense Approaches
The absence of the following elements in Ukraine’s networks allowed the attackers to succeed:
1. Employees’ cyber security awareness.
a. Identify suspicious emails and files.
2. A securely configured ICS network.
a. Separate credentials for ICS and business networks.
b. Network Security Monitoring (NSM) → identify new connections and encrypted communications.
3. Better control over remote access functionality.
a. Operators only, with logging and automatic sign-out.
b. Multi-factor authentication.
4. Credentials monitoring.
a. Unusual network activities, network traffic.
19. Detection and prevention of a similar attack
Detection and prevention of the Ukraine power grid attack in 2015 required a multi-layered approach, involving both technical and
non-technical measures. Some of the key measures that could have been used to detect and prevent the attack include:
1. Endpoint security: Installing anti-virus and anti-malware software on all endpoints and keeping them up to date would have
helped detect and prevent the delivery of BlackEnergy.
2. Email security: Implementing email filtering and anti-spam measures, as well as training employees on how to identify and
avoid phishing emails, would have helped prevent the delivery of the malicious email that carried the malware.
3. Network security: Deploying firewalls, intrusion detection systems, and other network security measures would have helped
detect and prevent the spread of the malware within the network.
4. Patch management: Keeping all software and systems up to date with the latest patches and security updates would have
helped prevent vulnerabilities from being exploited.
5. Backups and recovery: Regularly backing up critical data and having a robust disaster recovery plan in place would have
helped minimize the impact of the attack and enabled a faster recovery.
6. Monitoring and logging: Implementing comprehensive monitoring and logging of all systems and network activity would have
provided visibility into the attack and helped with incident response and recovery.
7. Physical security: Implementing physical security measures, such as access control and video surveillance, would have
helped secure the physical systems and components of the power grid.
It's worth noting that cyber attacks are constantly evolving, and there is no single measure that can provide complete protection against them. However, implementing a combination of technical and non-technical measures, and regularly reviewing and updating them, can help reduce the risk of successful attacks and minimize the impact if an attack does occur.
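The remote-access controls and credentials monitoring listed under "Missing Defense Approaches", and the monitoring-and-logging measure above, as an added Python example (mine, not the presentation's): it replays a constructed VPN/Active Directory log and flags the Stage 4 to Stage 6 pattern of a stolen credential logging in from a new address and then locking the operator out by changing the password. The log format, event names, shift window and baseline of known addresses are all assumptions.

```python
"""Added example (not from the slides): flag the remote-access pattern of
Stages 4-6 in a constructed VPN/Active Directory log.
Assumed log format: 'ts,event,user,src'; events VPN_LOGIN, HMI_SESSION,
PASSWORD_CHANGE.  Checks: (1) VPN login from a never-seen source, (2) login
outside the 08:00-18:00 shift, (3) password change while another session on
the same account is live (the Stage 6 operator lock-out)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: normal morning login, then a second login for the same
# operator from an outside address that changes the password.
SAMPLE_LOG = """\
2015-12-23 09:10:00,VPN_LOGIN,dispatcher1,10.0.5.12
2015-12-23 09:12:00,HMI_SESSION,dispatcher1,10.0.5.12
2015-12-23 15:40:00,VPN_LOGIN,dispatcher1,203.0.113.7
2015-12-23 15:41:00,HMI_SESSION,dispatcher1,203.0.113.7
2015-12-23 15:42:00,PASSWORD_CHANGE,dispatcher1,203.0.113.7
2015-12-23 23:05:00,VPN_LOGIN,admin2,203.0.113.7
"""
KNOWN_SOURCES = {"dispatcher1": {"10.0.5.12"}, "admin2": {"10.0.5.30"}}  # constructed baseline
SHIFT_HOURS = (8, 18)  # start inclusive, end exclusive

def parse(log):
    """Turn the CSV text into (datetime, event, user, src) tuples."""
    rows = []
    for line in log.splitlines():
        ts, event, user, src = line.strip().split(",")
        rows.append((datetime.fromisoformat(ts), event, user, src))
    return rows

def detect(log, known=KNOWN_SOURCES):
    """Return (timestamp, user, reason) alerts in log order."""
    alerts = []
    active = defaultdict(set)  # user -> source addresses with a live VPN session
    for ts, event, user, src in parse(log):
        if event == "VPN_LOGIN":
            if src not in known.get(user, set()):
                alerts.append((ts, user, f"VPN login from never-seen source {src}"))
            if not SHIFT_HOURS[0] <= ts.hour < SHIFT_HOURS[1]:
                alerts.append((ts, user, f"VPN login outside shift window ({ts.time()})"))
            active[user].add(src)
        elif event == "PASSWORD_CHANGE":
            others = active[user] - {src}
            if others:  # another session on this account is still live
                alerts.append((ts, user, f"password changed from {src} while {sorted(others)} still active"))
    return alerts

if __name__ == "__main__":
    for ts, user, reason in detect(SAMPLE_LOG):
        print(f"{ts}  {user:12} {reason}")
```

On the sample log this raises four alerts: the outside-address login, the password change while the operator's own session is still live, and two for the after-hours login from an address the second account has never used.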
20. Takeaways
● In 2015, Ukrainian energy company substations were targeted and successfully taken down by the Sandworm Group.
● This attack was not the result of a single vulnerability, but of a handful of small network and design shortcomings.
● From this experience, we learned that effective cyber security must include people, hardware, software, policies, and procedures, regardless of the purpose of the network.
● Events like this one have to be prevented to ensure the security and safety of the population.
● The positive outcome of this attack is the reaction of the energy companies. After this incident, they evaluated their security postures and considered implementing the approaches discussed in this presentation.
21. References
Don, J. (n.d.). Lessons learned from a forensic analysis of the Ukrainian Power Grid cyberattack. Retrieved February 2, 2023, from https://blog.isa.org/lessons-learned-forensic-analysis-ukrainian-power-grid-cyberattack-malware
Imperva Learning Center. (2019, December 29). Intrusion Detection & Prevention: Systems to detect & prevent attacks. Retrieved February 2, 2023, from https://www.imperva.com/learn/application-security/intrusion-detection-prevention/
Kaspersky Lab. (2016, January 28). Newly discovered BlackEnergy spear-phishing campaign targets Ukrainian entities. Kaspersky.
Krigman, A. (2020, October 22). Cyber Autopsy Series: Ukrainian Power Grid Attack Makes History. https://www.globalsign.com/en/blog/cyber-autopsy-series-ukranian-power-grid-attack-makes-history#:~:text=The%20company's%20computer%20and%20SCADA,was%20malware%20known%20as%20BlackEnergy.
Mikova, T. (2018). Cyber Attack on Ukraine Power Grid. https://is.muni.cz/th/uok5b/BP_Mikova_final.pdf
Vijayan, J. (2022, April 13). Russian Group Sandworm Foiled in Attempt to Disrupt Ukraine Power Grid. https://www.darkreading.com/attacks-breaches/-russian-group-sandworm-s-attempt-to-disrupt-ukraine-power-grid-foiled
Ukraine cyber-induced power outage: Analysis and practical mitigation ... (n.d.). Retrieved February 2, 2023, from https://na.eventscloud.com/file_uploads/aed4bc20e84d2839b83c18bcba7e2876_Owens1.pdf
Zetter, K. (2016, March 3). Inside the cunning, unprecedented hack of Ukraine's power grid. Wired. ISSN 1059-1028. Archived from the original on 2021-02-08. Retrieved 2021-02-08.
Lee, R., Assante, M., & Conway, T. (2016, March 18). Analysis of the Cyber Attack on the Ukrainian Power Grid. Electricity Information Sharing and Analysis Center & SANS Industrial Control Systems. http://www.nerc.com/pa/CI/ESISAC/Documents/E‐ISAC_SANS_Ukraine_DUC_18Mar2016.pdf