What Can We Learn From Russian Attacks Against Ukrainian Power Companies?

The U.S. Dept. of Homeland Security (DHS) released a report about the December 23, 2015, Ukrainian power company outages caused by cyber-attacks.

Why should you care? These were targeted, effective, remote attacks against infrastructure operations to cause outages in subsidiary systems, as well as to demonstrate power.

As Financial Services consolidate their digital operations into ever-larger data centers — owned or third party — and migrate software and data to third party ‘cloud’ services — still more data center concentration — the risks associated with attacks against infrastructure are growing. Data centers are highly automated webs of complex power, heat management, monitoring, data communications, and access control infrastructure. Because of commercial data center consolidation, remote access to infrastructure systems is a given. If Financial Services enterprises’ infrastructures were the target of talented cyber-attack conceptually analogous to those against Ukrainian power company infrastructures, there would be serious negative consequences.

During those Ukrainian cyber-attacks, remote hostile actors used either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections to operate electric power flow controls. The hostile actors appeared to use a number of legitimate credentials during the cyber-attack to facilitate remote access.
These actors also wiped some systems by executing the KillDisk malware to render systems inoperable as they finished their attack.
They also corrupted firmware supporting Serial-to-Ethernet devices at substations.
Finally, they scheduled disconnects for server Uninterruptable Power Supplies (UPS) via the UPS remote management interface in an attempt to interfere with expected restoration efforts.
The targeted power companies also reported that they had been infected with BlackEnergy malware — reportedly delivered via spear phishing emails with malicious Microsoft Office attachments. Researchers suspect that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials

Exhibit continuous due diligence in your selection and management over your data communications infrastructure & data centers. Protect them against all channels of unauthorized access. The threat of remote catastrophe or simply serious, serious outage is real.

REFERENCES:
Alert (IR-ALERT-H-16-056-01)
Cyber-Attack Against Ukrainian Critical Infrastructure
Original release date: February 25, 2016
https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01

Hackers did indeed cause Ukrainian power outage, US report concludes
DHS officials say well-coordinated hack cut power to 225,000 people.
by Dan Goodin – Feb 26, 2016 1:14pm CST
http://arstechnica.com/security/2016/02/hackers-did-indeed-cause-ukrainian-power-outage-us-report-concludes/

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: