The people who carried out last month's first known hacker-caused power outage used highly destructive malware to gain a foothold into multiple regional distribution power companies in Ukraine and to delay restoration efforts once electricity had been shut off, a newly published analysis confirms.
The malware known as BlackEnergy allowed the attackers to gain a foothold on the power-company systems, said the report, which was published by a member of the SANS industrial control systems team. The still-unknown attackers then used that access to open circuit breakers that cut power. After that, they likely used a wiper utility called KillDisk to thwart recovery efforts and then waged denial-of-service attacks to prevent power-company personnel from receiving customer reports of outages. In Saturday's report, SANS ICS Director Michael J. Assante wrote:
The attackers demonstrated planning, coordination, and the ability to use malware and possible direct remote access to blind system dispatchers, cause undesirable state changes to the distribution electricity infrastructure, and attempt to delay the restoration by wiping SCADA servers after they caused the outage. This attack consisted of at least three components: the malware, a denial of service to the phone systems, and the missing piece of evidence of the final cause of the impact. Current evidence and analysis indicates that the missing component was direct interaction from the adversary and not the work of malware. Or in other words, the attack was enabled via malware but consisted of at least three distinct efforts.
The report stresses there's no evidence BlackEnergy or its recently developed KillDisk component was the direct cause of the outage, which so far has been shown to affect about 80,000 customers. The analysis also cautioned that evidence showing some past BlackEnergy infections relied on booby-trapped Microsoft Office documents to spread are no indication such a vector was used in the recent Ukrainian power-grid attacks. Still, this weekend's report leaves little doubt the blackout was the result of a highly coordinated hacker attack that relied on BlackEnergy as a key ingredient.