Everything We Know About Ukraine's Power Plant Hack

Evidence so far points to a well-orchestrated attack that targeted at least eight electric utilities, but could have been much worse than it was.

When the US government demonstrated in 2007 how hackers could take down a power plant by physically destroying a generator with just 21 lines of code, many in the power industry dismissed the demo as far-fetched. Some even accused the government of faking the so-called Aurora Generator Test to scare the public.

That attack would certainly require a lot of skill and knowledge to pull off, but hackers don't need to destroy mega-size equipment to plunge a community into darkness. The recent hack of electric utilities in Ukraine shows how easy it can be to cut electricity, with the caveat that taking down the grid isn't always the same as keeping it down.

In the run-up to holidays last month, two power distribution companies in Ukraine said that hackers had hijacked their systems to cut power to more than 80,000 people. The intruders also sabotaged operator workstations on their way out the digital door to make it harder to restore electricity to customers. The lights came back on in three hours in most cases, but because the hackers had sabotaged management systems, workers had to travel to substations to manually close breakers the hackers had remotely opened.

Days after the outage, Ukrainian officials appeared to blame Russia for the attack, saying that Ukraine's intelligence service had detected and prevented an intrusion attempt "by Russian special services" against Ukraine's energy infrastructure. Last week, speaking at the S4 security conference, former NSA and CIA spy chief Gen. Michael Hayden warned that the attacks were a harbinger of things to come for the US, and that Russia and North Korea were two of the most likely culprits if the US power grid were ever hit.

If hackers were responsible for the outages in Ukraine, these would be the first known blackouts ever caused by a cyberattack. But just how accurate are the news reports? How vulnerable are US systems to similar attacks? And just how solid is the attribution that Russia did it?

To separate fact from speculation, we've collected everything we know and don't know about the outages. This includes new information from a Ukrainian expert involved in the investigation, who says at least eight utilities in Ukraine were targeted, not two.

What exactly occurred?

Around 5:00 p.m. on Dec. 23, as Ukrainians were finishing their workday, the Prykarpattyaoblenergo electric utility in Ivano-Frankivsk Oblast, a region in Western Ukraine, posted a note on its web site saying it was aware that power was out in the region's main city, Ivano-Frankivsk. The cause was still unknown, and the company urged customers not to call its service center, since workers had no idea when power might be restored.

Half an hour later, the company posted another note saying the outage had begun around 4 p.m. and was more widespread than previously believed; it had actually affected eight provinces in the Ivano-Frankivsk region. Ukraine has 24 regions, each of which has 11 to 27 provinces, with a different power company serving each region. Although electricity was by then restored to the city of Ivano-Frankivsk, workers were still trying to get power to the rest of the region.

Then the company made the startling revelation that the outage was likely caused by "interference by outsiders" who gained access to its control system. The company also said that due to a barrage of calls, its call center was having technical difficulties.

Around the same time, a second company, Kyivoblenergo, announced that it also had been hacked. The intruders disconnected breakers for 30 of its substations, killing electricity to 80,000 customers. And, it turned out, Kyivoblenergo had received a flood of calls, too, according to Nikolay Koval, who was head of Ukraine's Computer Emergency Response Team until he left in July and is assisting the companies in investigating the attacks. Instead of coming from local customers, Koval told WIRED that the calls appeared to come from abroad.

It took weeks before more details came out. In January, Ukrainian media said the perpetrators hadn't just cut power; they had also caused monitoring stations at Prykarpattyaoblenergo to go "suddenly blind." Details are scarce, but the attackers likely froze data on screens, preventing them from updating as conditions changed, making operators believe power was still flowing when it wasn't.

To prolong the outage, they also evidently launched a telephone denial-of-service attack against the utility's call center to prevent customers from reporting the outage. TDoS attacks are similar to DDoS attacks that send a flood of data to web servers. In this case, the center's phone system was flooded with bogus calls to prevent legitimate callers from getting through.

Then at some point, perhaps once operators became aware of the outage, the attackers "paralyzed the work of the company as a whole" with malware that affected PCs and servers, Prykarpattyaoblenergo wrote in a note to customers. This likely refers to a program known as KillDisk that was found on the company's systems. KillDisk wipes or overwrites data in essential system files, causing computers to crash. Because it also overwrites the master boot record, infected computers can't reboot.

"The operators' machines were completely destroyed by those erasers and destroyers," Koval told WIRED.
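The article notes that KillDisk overwrites the master boot record, so infected machines cannot reboot. The following is an added example (not code from the article, the utilities or the investigators) of the kind of baseline check a defender can run on a captured first sector of a disk: it parses the 512-byte MBR, verifies the 0x55AA boot signature, lists the partition entries, and compares the boot code against a known-good hash. The sample MBR and the zeroed "wiped" sector are constructed for the example; nothing here is a real disk image from the attack.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"       # bytes 510-511 of a bootable MBR
PARTITION_TABLE_OFFSET = 446       # four 16-byte entries follow the 440-byte boot code and disk signature
ENTRY_FORMAT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (not a real image): one active NTFS-type partition at LBA 2048."""
    boot_code = bytes.fromhex("33c08ed0bc007c").ljust(440, b"\x90")  # tiny stub padded with NOPs
    disk_signature = b"\x12\x34\x56\x78"
    reserved = b"\x00\x00"
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 409600)
    empty_entries = b"\x00" * 16 * 3
    sector = boot_code + disk_signature + reserved + entry + empty_entries + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def parse_mbr(sector: bytes) -> dict:
    """Decode the boot signature, boot-code hash and non-empty partition entries of one sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            ENTRY_FORMAT, sector[off:off + 16]
        )
        if ptype == 0x00:           # type 0 means the slot is unused
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "start_lba": lba,
            "sectors": count,
        })
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Compare a captured MBR with a known-good baseline hash; return a list of findings."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature 0x55AA missing: firmware will not boot this disk")
    if not info["partitions"]:
        findings.append("partition table empty: no volume can be located")
    elif not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged active")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline: possible overwrite or bootkit")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["boot_code_sha256"]   # record this hash while the host is known-good
    print("known-good sector:", check_mbr(good, baseline) or "no findings")
    wiped = b"\x00" * SECTOR_SIZE                      # constructed: sector overwritten with zeros
    for finding in check_mbr(wiped, baseline):
        print("wiped sector:", finding)
```

Recording the boot-code hash of every workstation while it is known-good, and re-checking it from a forensic read of the raw device rather than through the possibly compromised operating system, is what makes the comparison meaningful after an incident.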

Altogether, it was a multi-pronged attack that was well orchestrated.

"The capabilities used weren't particularly sophisticated but the logistics, planning, use of three methods of attack, coordinated strike against key sites, etc. was extremely well sophisticated," says Robert M. Lee, a former Cyber Warfare Operations Officer for the US Air Force and co-founder of Dragos Security, a critical infrastructure security company.

How many electric utilities were hacked?

Only two admitted being hacked. But Koval says "we are aware of six more companies. We witnessed hacks in up to eight regions of Ukraine. And the list of the attacked may be far bigger than we are aware of."

Koval, who is now CEO of the Ukrainian security firm CyS Centrum, says it's not clear if the other six also experienced blackouts. It's possible they did but that operators fixed them so quickly customers weren't affected, and therefore the companies never disclosed it.

When did the hackers get in?

Also unclear. During the time he headed the Ukrainian CERT, Koval's team helped thwart an intrusion at a different power company. The breach began in March 2015, with a spear-phishing campaign, and was still in early stages when Koval's team helped stop it in July. No power outage occurred, but they did find malware known as BlackEnergy2 on systems, so-called for its use in past attacks against utilities in multiple countries, including the US. BlackEnergy2 is a trojan that opens a backdoor onto systems and is modular in nature so that plug-ins with additional capability can be added.

Why is this important? Because the KillDisk component found on Prykarpattyaoblenergo systems is used with BlackEnergy3, a more sophisticated variant of BlackEnergy2, possibly tying together the two attacks. Hackers have used BlackEnergy3 as a first-stage reconnaissance tool on networks in other intrusions in Ukraine, Koval says, and then installed BlackEnergy2 on specific computers. BlackEnergy3 has more capability than the earlier variant, so it's used first to get into networks and search for specific systems of interest. Once an interesting machine is found, BlackEnergy2, which is more of a pinpoint tool, is used to explore specific systems on the network.

Did BlackEnergy cause the outage?

Likely, no. The mechanics of the outage are clear---breakers on the grid somehow opened---but known variants of BlackEnergy3 aren't capable of doing that, and no other malware that is capable has been found on the Ukrainian machines. Koval says the hackers likely used BlackEnergy3 to get into the utilities' business networks and maneuver their way to the production networks where they found operator stations. Once they were on those machines, they didn't need malware to take down the grid; they could simply control the breakers like any operator.

"It's very easy to get access to an operator's PC," Koval says, though it takes time to find them. The BlackEnergy attackers he tracked in July were very good at lateral movement through networks. "Once they hack and penetrate, they own all the network, all the key nodes," he says.

There has been speculation that KillDisk caused the outage when it wiped data from control systems. But SCADA systems don't work that way, notes Michael Assante, director of SANS ICS, which conducts cybersecurity training for power plant and other industrial control workers. "You can lose a SCADA system... and you never have a power outage," he says.

Did Russia do it?

Given the political climate, Russia makes sense. Tensions have been high between the two nations since Russia annexed Crimea in 2014. And right before the outages, pro-Ukrainian activists physically attacked a substation feeding power to Crimea, causing outages to the region Russia annexed. Speculation suggests that the recent blackouts in Western Ukraine were retaliation for that.

But as we've said before, attribution is a tricky business and can be used for political purposes.

The security firm iSight Partners also thinks Russia is the culprit because BlackEnergy has been used before by a cybercriminal group iSight calls the Sandworm Team, which it believes is tied to the Russian government. That tie, however, is based only on the fact that the group's hacking campaigns appear to align with the interests of Putin's regime---targets have included Ukrainian government officials and members of NATO, for example. iSight also believes the BlackEnergy KillDisk module is (http://www.isightpartners.com/2016/01/ukraine-and-sandworm-team/).

But other security firms, like ESET, are less sure Russia is behind BlackEnergy, noting that the malware has undergone "significant evolution" since it appeared in 2010 and has targeted different industries in many countries. "There is no definite way of telling whether the BlackEnergy malware is currently operated by a single group or several," Robert Lipovsky, senior malware researcher at ESET, said recently.

This week Ukrainian authorities accused Russia of another hack---this one targeting the network of Kiev's main airport, Boryspil. There was no damage, however, and the accusation is based on the possibility that the airport found malware on its systems (that may be the same or related to BlackEnergy) and the command-and-control server used with the malware has an IP address in Russia.

Are US power systems vulnerable to the same attack?

Yes, to a degree. "Despite what's been said by officials in the media, every bit of this is doable in the US grid," says Lee. Though he says "the impact would have been different and we do have a more hardened grid than Ukraine." But recovery in the US would be harder because many systems here are fully automated, eliminating the option of switching to manual control if the SCADA systems are lost, as the Ukrainians did.

One thing is clear: the attackers in Ukraine could have done worse damage than they did, such as destroying power generation equipment the way the Aurora Generator Test did. How easy that is to do is up for debate. "But it certainly is within the specter of possibility," says Assante, who was one of the architects of that government test.

What the Ukrainian hackers did, he says, "is not the limit of what someone could do; this is just the limit of what someone chose to do."