The power outages in Ukraine on 23 December 2015 were a result of cyberattacks at three regional power companies, the US Department of Homeland Security (DHS) revealed recently. The outages affected about 225,000 customers.
Prior to the disclosure by the US government, Ukraine's energy ministry had said the hackers used a Russia-based internet service provider to communicate among themselves. The ministry did not hold the Russian government responsible for the attack.
The DHS said the cyberattacks on the three power distribution companies occurred within 30 minutes of each other and affected multiple central and regional facilities. The intrusions were carried out by external attackers who, over VPN connections, used either remote administration tools at the operating-system level or the industrial control system (ICS) software itself. The attackers had obtained valid credentials before the attacks took place.
The three power companies claim the attackers executed KillDisk malware, which erases selected files on compromised systems and corrupts the master boot record, leaving the system non-functional.
"The actors also rendered Serial-to-Ethernet devices at substations inoperable by corrupting their firmware. In addition, the actors reportedly scheduled disconnects for server Uninterruptable Power Supplies (UPS) via the UPS remote management interface. The team assesses that these actions were done in an attempt to interfere with expected restoration efforts," said the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
The power firms said they were infected with BlackEnergy (BE) malware, delivered through phishing emails with Microsoft Office attachments. DHS suspects BE might have been used to gain initial access to get the system credentials.
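The report describes remote access over VPN using credentials that had been stolen beforehand, so one detection a grid operator would want is an alert when a single remote-access account is used from two different source addresses within a short window. The following is an added example, not code from the article, DHS or ICS-CERT; the log format and the sample lines are constructed for illustration, and the 30-minute window is an assumed tuning value.

```python
"""Added example (not from the article or ICS-CERT): flag remote-access
accounts whose credentials are used from more than one source address
within a short window, run over a constructed VPN authentication log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). The line format is an assumption:
# "<ISO timestamp> <user> <source-ip> <result>"
SAMPLE_LOG = """\
2015-12-23T14:55:10 operator1 203.0.113.5 success
2015-12-23T15:02:41 operator1 198.51.100.9 success
2015-12-23T15:03:02 operator2 203.0.113.7 success
2015-12-23T15:40:15 operator1 198.51.100.9 success
2015-12-23T16:10:00 operator3 203.0.113.8 failure
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def shared_credential_alerts(events, window=timedelta(minutes=30)):
    """Return (user, ip_a, ip_b) for each pair of successful logins by the same
    account from two different source addresses within `window` of each other.
    Failed attempts are ignored; only accepted sessions indicate a live credential."""
    by_user = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "success":
            by_user[user].append((ts, ip))

    alerts = []
    for user, logins in by_user.items():
        logins.sort()  # chronological, so the inner loop can stop early
        for i, (ts_a, ip_a) in enumerate(logins):
            for ts_b, ip_b in logins[i + 1:]:
                if ts_b - ts_a > window:
                    break  # later logins are further away still
                if ip_a != ip_b:
                    alerts.append((user, ip_a, ip_b))
    return alerts


if __name__ == "__main__":
    for user, ip_a, ip_b in shared_credential_alerts(parse_log(SAMPLE_LOG)):
        print(f"ALERT: account {user} used from {ip_a} and {ip_b} within 30 minutes")
```

On the sample above only `operator1` trips the rule: the account logs in from 203.0.113.5 and, seven minutes later, from 198.51.100.9. The later 15:40 login from the second address is more than 30 minutes after the first and is not paired with it. In practice the source-address list would be joined against the operator's known jump hosts and the alert routed to the team responsible for the ICS VPN, which is the access path the report singles out.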
The investigation was carried out by a team comprising representatives from the National Cybersecurity and Communications Integration Center (NCCIC)/ICS-CERT, the US Computer Emergency Readiness Team (US-CERT), the Department of Energy, the Federal Bureau of Investigation and the North American Electric Reliability Corporation, who travelled to Ukraine.
The ICS-CERT recommends that companies take defensive measures to withstand any future malicious cyber activities. "Organisations should develop and exercise contingency plans that allow for the safe operation or shutdown of operational processes in the event that their ICS is breached. These plans should include the assumption that the ICS is actively working counter to the safe operation of the process," it suggested.