A "synchronized and coordinated" cyberattack in December left parts of western Ukraine without power, US officials have confirmed.
The cyberattack, which left more than 225,000 customers in the dark two days before Christmas last year, was caused by remote intrusions at three regional electric power distribution companies, according to a report by Homeland Security.
Hackers thought to be associated with a Russian hacking group are said to have used malware to attack and destroy data on hard drives, and then flooded phone lines with a denial-of-service attack. Ukraine's energy ministry also suggested earlier this month that the attack was linked to hackers based in Russia, while stopping short of outright accusing the Kremlin of orchestrating it.
Homeland Security did not speculate on who was behind the attack, but noted that its assessment was based on interviews with six organizations impacted by the blackout pending a further technical analysis.
"The cyber-attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks. According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities. During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections. The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access.
All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack. The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. It was further reported that in at least one instance, Windows-based human-machine interfaces (HMIs) embedded in remote terminal units were also overwritten with KillDisk. The actors also rendered Serial-to-Ethernet devices at substations inoperable by corrupting their firmware. In addition, the actors reportedly scheduled disconnects for server Uninterruptable Power Supplies (UPS) via the UPS remote management interface. The team assesses that these actions were done in an attempt to interfere with expected restoration efforts."
The report noted that BlackEnergy malware, delivered through specifically targeted spearphishing emails containing malicious Microsoft Office attachments, was found on the networks of each of the three companies.
The attackers may have used that initial attack to gain user credentials to the impacted systems, but the report warned the information was still under review.
An earlier study showed that 82 percent of vulnerabilities in Microsoft Office can be mitigated by removing administrative access to the computer.