December 2015 witnessed a cyber attack on a Ukrainian power station that shut down power services to at least 80,000 customers supported by 30 substations. A detailed probe has since revealed that the malware merely provided a foothold into the power station's network; with that access, the attackers were able to open the circuit breakers that cut power to the station.
SANS Industrial Control Systems (SANS ICS), which looks into the cyber security issues of industrial control systems, said the attacks demonstrated “great” planning and coordination. It also noted that tensions between Ukraine and Russia have been high since Russia annexed Crimea in 2014, which could have given Russia a strong motive to attack Ukraine's power utility.
Experts have warned for years that public utilities are vulnerable to cyber attacks, and the December 23rd, 2016 attacks on Ukraine are the most prominent example yet of those fears coming to fruition.
SANS ICS found that the cyber attacks were carried out on two service providers, Prykarpattyaoblenergo and Kyivoblenergo. The probe revealed that while malware was used to gain access to the networks, the attackers also intervened directly to mask their actions from the power system operators. The hackers also conducted denial of service attacks on the utilities' phone systems to block complaints from affected customers.
Several security companies have analyzed the malicious programs allegedly used in the attacks: Black Energy 3 and a component called KillDisk.
Another cyber security firm, iSight Partners of Dallas, said that the same malware had been used in the past by a group with strong Russian interests nicknamed the Sandworm Team. This clearly indicates that the attack was carried out by Russia.
The well-known security firm Symantec said that KillDisk aims to make a computer unusable by overwriting the Master Boot Record, the first sector of a PC's hard drive, which the computer reads before loading the operating system. It can also overwrite files with junk data.
Symantec went further, saying that KillDisk would not have been compatible with the type of SCADA (Supervisory Control and Data Acquisition) systems used by utilities, but that it may have been employed to wipe other files that would have helped to restore the systems.
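The MBR overwrite Symantec describes is the kind of damage a defender can check for with a baseline of the disk's first sector. The following Python is an added illustration, not code from the article, Symantec or SANS: it builds a constructed, plausible MBR (the partition values are made up), hashes it as a baseline, and then reports what is wrong with a zero-filled or junk-filled sector of the kind a wiper leaves behind. The `check_mbr` and `build_sample_mbr` names and the finding strings are this example's own.

```python
"""Baseline integrity check for a disk's first sector (the Master Boot Record).

A wiper that overwrites sector 0 leaves a sector that no longer ends in the
0x55AA boot signature, no longer carries a sane partition table, or whose
hash no longer matches a stored baseline. All sample sectors here are
constructed for illustration; nothing touches a real disk.
"""
import hashlib
import struct
from typing import List, Optional

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3sB3sII"          # boot flag, CHS start, type, CHS end, LBA start, sector count
VALID_BOOT_FLAGS = {0x00, 0x80}     # inactive or active; anything else is not a real MBR entry


def build_sample_mbr() -> bytes:
    """Construct a plausible MBR: a stub of boot code, one active NTFS partition, signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"   # placeholder jump at the start of the boot code area
    # Constructed entry: active, type 0x07 (NTFS), starting at LBA 2048, 1 GiB of 512-byte sectors
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 2097152)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def sector_hash(sector: bytes) -> str:
    """SHA-256 of the sector, suitable for storing as a baseline when the system is known good."""
    return hashlib.sha256(sector).hexdigest()


def parse_partitions(sector: bytes) -> List[dict]:
    """Decode the four 16-byte partition entries, skipping slots that are entirely empty."""
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        flag, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, sector[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue
        parts.append({"boot_flag": flag, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(sector: bytes, baseline_hash: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the sector looks intact."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        return ["wrong sector length"]
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    parts = parse_partitions(sector)
    if not parts:
        findings.append("partition table empty")
    for p in parts:
        if p["boot_flag"] not in VALID_BOOT_FLAGS:
            findings.append(f"invalid boot flag 0x{p['boot_flag']:02x}")
        if p["sectors"] == 0:
            findings.append("partition with zero length")
    if baseline_hash is not None and sector_hash(sector) != baseline_hash:
        findings.append("sector hash differs from baseline")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = sector_hash(good)
    samples = {
        "intact": good,
        "zero-filled (wiped)": bytes(SECTOR_SIZE),
        "junk-filled (wiped)": b"\xcc" * SECTOR_SIZE,
    }
    for name, sample in samples.items():
        print(f"{name}: {check_mbr(sample, baseline) or ['ok']}")
```

In practice the baseline hash is recorded from a known-good image and stored off the host, since a wiper that can reach sector 0 can also reach a baseline kept on the same disk; the structural checks still catch a zeroed or junk-filled sector when no baseline is available.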
After the attack, the Ukrainian power companies chose to close the circuit breakers manually within three to six hours, which led to a quick recovery of services. This smart response restored services after an 8-hour blackout.