Ukrainian Power Grid Attack: "Black Energy"
POSC 3350: April 7, 2017
Garrett Henderson, James Cheatham, Josh Senft, Cole Leininger,
Travis Frank
The Power Grid: Understanding the Problem

Overview
Power grid: an electric grid is a distributed system designed to deliver electricity efficiently from multiple sources to customers.

Grid design
● Power generation: power plants
● Power transmission: high-voltage lines carrying bulk power from the plants to substations
● Power distribution: substations and lines to the curbside

Attack surface
The distributed nature of the system's controls makes for a large attack surface. The use of dial-up modems and internet connectivity gives attackers opportunities that are not usually available in other systems.
Grid overview
Black Energy: Understanding the Weapon (author: Dmytro Oleksiuk)

Black Energy 3
Malware: Trojan horse & spyware
Vector: rogue software (MS Word & Excel macros)
Impact:
● Scans for systems
● Delivers the payload

Black Energy 2
Malware: backdoor & rootkit
Vector: delivered over the BlackEnergy 3 route
Impact:
● Opens the host to the attacker
● Remote control
● Privilege escalation

KillDisk
Objective: wiper (it destroys data rather than self-propagating, so it is not a worm)
Vector: BlackEnergy 3
Impact:
● Corrupts data
● Crashes systems
● Paralyzes the response
Actors

Attacker: Sandworm
Russia-based hacking and espionage group
Motive: Ukrainian activists' physical attack on a Crimean substation, and the 2014 Russian annexation of Crimea
Known capabilities:
● High degree of success in system infiltration
● Activities also include espionage, harassment and denial-of-service attacks
● Previously known to have spied on NATO and a United States organization

Responders: energy companies
Involved companies: Prykarpattyaoblenergo, Kyivoblenergo, Chernivtsioblenergo
Ukrainian response units: Department of Cyber Police, Ivano-Frankivsk Patrol Police
Post-incident, cyber analysis groups including US DHS, E-ISAC and ICS-CERT investigated the hack.
Attack Plan (kill chain)
● Reconnaissance: identify valuable and available targets
● Weaponization: BlackEnergy 3 (carrying BlackEnergy 2 & KillDisk)
● Delivery: spearphishing via Microsoft Word & Excel macro documents
● Exploitation: BlackEnergy 3 systems scan
● Installation: BlackEnergy 2 secures a foothold
● Command and Control: backdoor & remote access
● Actions on Objectives: SCADA control
● Impact: power shutdown & system wipe
The Attack
Response
Immediate response
● Manual mode, inhibit controls, constrained operations
Mid-term response
● Cyber asset restoration, electric system restoration
Identification/awareness
● System monitoring
Post-event analysis, changes, etc.
● Forensics, information sharing, system hardening and preparation
Cost Analysis

Implications of the attack
● No reported financial estimate
● No loss of life or hardware
● Dangers
○ Attack in December (28.2, -32.3) °F
● First publicly known cyber attack to cause an electrical grid outage
● Increase in Ukrainian-Russian tensions
Improvements

Ukrainian Government
● Security architecture revision
● End-user cybersecurity training
● Backup systems (tech, comms, power)
● National security alert
○ Protect generation equipment
● Emergency response protocols
○ Priority analysis
○ Traffic control (ground & air)
○ Mobile communications
○ Frequent patrols

United States
● Security architecture revision
○ Emergency manual switch
● Increased red-team initiatives
● Consider air-gapping automation
● Network isolation possibility
● Have safe zones set up and secured
Sources
● "Is this the future of cyberwarfare?" - Al Jazeera
● "Attackers use Word Docs to deliver BlackEnergy malware" - Security Week
● "Ukrainian power attack a wake-up call, says Canadian utility CIRO"
● "Alert: Cyber-Attack Against Ukrainian Critical Infrastructure" - ICS-CERT
● "BlackEnergy trojan strikes again: Attacks Ukrainian electric power industry"
● "BlackEnergy malware activity spiked in runup to Ukraine power grid takedown"
● "FAQ: BlackEnergy"
● "BlackEnergy APT Attacks in Ukraine employ spearphishing with Word docs"
● "Analysis of the cyber attack on the Ukrainian Power Grid"
● "First known hacker-caused power outage signals troubling escalation"
● "NSA Chief warns BlackEnergy attack on US power grid 'a matter of when…'"
● "Everything we know about Ukraine's Power Plant Hack"
What happened?
On December 23, 2015, Ukrainian power companies experienced unscheduled power outages impacting a large number of customers in Ukraine.
Power outages were caused by remote cyber intrusions at three regional electric power distribution companies (Oblenergos) impacting approximately 225,000 customers.
Public reports indicate that the BlackEnergy (BE) malware was discovered on the companies’ computer networks.
According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities.
During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections.
The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access.
All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack.
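The remote-operation pattern just described (legitimate credentials, VPN or remote-administration sessions into the ICS network, three companies hit within 30 minutes) is what a defender would hunt for in remote-access logs. The script below is an added example written for this page, not code from the presentation or from any of its sources. The log format, the 10.20.0.0/16 operator network, the site names and the 06:00-20:00 operating window are all assumptions, and the log lines are constructed to show each rule firing.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample records (not from any real utility):
#   "<ISO timestamp> vpn user=<account> src=<ip> site=<facility> app=<client>"
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in for attacker sources.
SAMPLE_LOGS = """\
2015-12-23T14:02:11 vpn user=operator7 src=10.20.1.15 site=siteA app=hmi-client
2015-12-23T09:15:02 vpn user=engineer2 src=10.20.1.40 site=siteB app=rdp
2015-12-23T15:31:40 vpn user=operator7 src=198.51.100.44 site=siteA app=hmi-client
2015-12-23T15:44:05 vpn user=operator7 src=198.51.100.44 site=siteB app=rdp
2015-12-23T15:52:19 vpn user=operator7 src=198.51.100.44 site=siteC app=hmi-client
2015-12-24T02:10:00 vpn user=vendor1 src=203.0.113.9 site=siteA app=hmi-client
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) "
    r"site=(?P<site>\S+) app=(?P<app>\S+)$"
)
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed operator workstation range
ICS_APPS = {"hmi-client", "rdp"}     # session types that can reach breaker controls
WINDOW = timedelta(minutes=30)       # the three oblenergos were hit within ~30 minutes
WORK_HOURS = range(6, 20)            # assumed staffed hours; logons outside them are suspect


def parse_line(line):
    """Return a record dict, or None for a line that does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETS)


def find_alerts(log_text):
    """Return (rule, user, timestamp) tuples for every record that trips a rule."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])
    alerts = []
    by_user = defaultdict(list)
    for r in records:
        # Rule 1: an ICS client session from outside the operator network.
        if r["app"] in ICS_APPS and not is_trusted(r["src"]):
            alerts.append(("external-ics-access", r["user"], r["ts"]))
        # Rule 2: a logon outside operating hours.
        if r["ts"].hour not in WORK_HOURS:
            alerts.append(("off-hours", r["user"], r["ts"]))
        by_user[r["user"]].append(r)
    # Rule 3: one credential reaching two or more facilities inside the window,
    # the pattern of one crew working several oblenergos with stolen accounts.
    for user, recs in by_user.items():
        for i, first in enumerate(recs):
            sites = {first["site"]}
            for later in recs[i + 1:]:
                if later["ts"] - first["ts"] > WINDOW:
                    break
                sites.add(later["site"])
            if len(sites) >= 2:
                alerts.append(("multi-site", user, first["ts"]))
                break  # one alert per user is enough to open the investigation
    return alerts


if __name__ == "__main__":
    for rule, user, ts in find_alerts(SAMPLE_LOGS):
        print(f"{ts.isoformat()}  {rule:20s}  {user}")
```

On the constructed sample, operator7's three external sessions each trip the external-access rule, the 15:31 session also starts a multi-site alert (three facilities within 21 minutes), and vendor1's 02:10 logon is both external and off-hours. The rules are deliberately coarse; in production the trusted ranges and hours come from the utility's own inventory, and the multi-site rule is most useful when each regional company is its own VPN realm so that a single account should never legitimately appear in two of them.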
The Attack
The infection vector used in these attacks was Microsoft Office files containing malicious macros. Using a spearphishing campaign to get users to open the documents and enable these macros, the attackers gained access to the companies' networks. This is a prime example of how important user education on cybersecurity is. Once inside, the attackers were able to explore the network, escalate privileges, harvest credentials and deploy backdoors and other software such as KillDisk, which was used to wipe systems.
However, experts believe the malware was not directly responsible for the outages: the breakers were opened by human operators using stolen credentials over remote access, and the malware served to gain the foothold, cover the attackers' tracks and make it more difficult to restore service.
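To make the delivery stage concrete, the following added example (not code from the presentation or from any of its sources) shows the check a mail gateway or triage script can run on an Office attachment before a user ever sees the "Enable Content" prompt. It detects a VBA project in both the zip-based OOXML format (.docm/.xlsm) and the legacy binary format (.doc/.xls), and flags a macro-bearing file that hides behind a macro-free extension. The documents it builds are constructed stand-ins rather than real Word files, and the block/allow policy in triage_attachment is an assumption.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.docm/.xlsx/.xlsm (zip package)
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
VBA_STREAM_NAME = "_VBA_PROJECT".encode("utf-16-le")  # OLE2 directory entry names are UTF-16LE
MACRO_FREE_EXTS = (".docx", ".xlsx", ".pptx")      # extensions that should never carry VBA


def inspect_office_blob(data):
    """Classify an attachment by its magic bytes and report any macro indicators found."""
    result = {"format": "unknown", "has_macros": False, "indicators": []}
    if data.startswith(ZIP_MAGIC):
        result["format"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            for name in names:
                if name.lower().endswith("vbaproject.bin"):
                    result["indicators"].append("part:" + name)
            if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                result["indicators"].append("content-type:vbaProject")
    elif data.startswith(OLE_MAGIC):
        result["format"] = "ole2"
        # Heuristic only: a real parser (e.g. oletools' olevba) walks the directory;
        # here we just look for the VBA stream name in the raw bytes.
        if VBA_STREAM_NAME in data:
            result["indicators"].append("stream:_VBA_PROJECT")
    result["has_macros"] = bool(result["indicators"])
    return result


def triage_attachment(filename, data):
    """Assumed gateway policy: block any macro-bearing document, and note extension lies."""
    info = inspect_office_blob(data)
    verdict = "allow"
    if info["has_macros"]:
        verdict = "block"
        if filename.lower().endswith(MACRO_FREE_EXTS):
            info["indicators"].append("ext-mismatch")  # VBA inside a 'macro-free' extension
    return verdict, info


def build_docm(with_macro):
    """Constructed minimal OOXML package for the demo; Word would not open it as a document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = (b'<?xml version="1.0"?>'
              b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              b'<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
              b'officedocument.wordprocessingml.document.main+xml"/>')
        if with_macro:
            ct += b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        ct += b"</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)  # stand-in VBA container
    return buf.getvalue()


def build_legacy_doc(with_macro):
    """Constructed stand-in for a binary .doc: OLE signature plus an optional VBA stream name."""
    body = OLE_MAGIC + b"\x00" * 64
    if with_macro:
        body += "Macros".encode("utf-16-le") + VBA_STREAM_NAME
    return body + b"\x00" * 64


if __name__ == "__main__":
    for fname, blob in [("invoice.docm", build_docm(True)), ("report.docx", build_docm(True)),
                        ("notes.docx", build_docm(False)), ("old.doc", build_legacy_doc(True))]:
        verdict, info = triage_attachment(fname, blob)
        print(f"{fname:14s} {verdict:5s} {info['format']:7s} {info['indicators']}")
```

Presence of a VBA project is the cheap, high-recall check; it says nothing about what the macro does. For real triage, olevba from oletools decompresses the VBA source so an analyst can read the AutoOpen/Document_Open handlers and the dropper logic, and a gateway policy that strips or quarantines every macro-enabled document from outside the organisation removes the vector the BlackEnergy spearphishing relied on.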
Seven 110 kV and twenty-three 35 kV substations were disconnected for about three hours.
Energy Team Outline
1. Context
   a. Issue (explain cyberattacks on the power grid)
   b. BlackEnergy (what it is, what it does, how, what it can be used for)
   c. Incident (what happened, when, where)
      i. Timeline
2. Analysis
   a. Actors, motives, capabilities
   b. Responders & responses (what government agencies provided first response? follow-on support?)
   c. Factors
   d. Concerns & damages (impact on critical infrastructure and the general population)
3. Security Development
   a. What were the long-run lessons learned and political/social/economic consequences?
   b. How has community resiliency been increased in the impact area?