Details of an unprecedented hacking of the Ukrainian electric network

Original author: Kim Zetter
  • Translation

On Wednesday, December 23, 2015, at 15:30, residents of Ivano-Frankivsk in western Ukraine were wrapping up the working day and preparing to head home along the cold winter streets. At the control center of Prikarpatyeoblenergo, the enterprise that distributes electricity in the region, dispatchers were almost at the end of their shift. But as one of them was tidying the papers on his desk before finishing work, the cursor on his computer screen suddenly moved on its own.

The dispatcher watched the cursor move purposefully to the controls for the circuit breakers at a regional substation, then click to open the breaker panel and take the substation offline. A dialog box appeared asking for confirmation of the operation, and the operator looked on dumbfounded as the cursor slid into that window and pressed the confirmation button. He knew that somewhere in the region outside the city, thousands of homes had just lost their lights.

The dispatcher grabbed the mouse and desperately tried to regain control, but the cursor did not respond. It moved on its own toward another breaker, and his logged-in session on the control panel was abruptly terminated. He hastily tried to log in again, but his password no longer worked: the attackers had changed it. All he could do was watch helplessly as the unknown intruders opened the substation breakers one after another, taking about 30 of them offline. They did not stop there. Besides Prikarpatyeoblenergo, two more energy companies were attacked at the same time, so the total number of disabled substations was twice as large, and 230,000 residents were left without electricity. And as if that weren’t enough, the hackers also turned off the backup power sources,

Brilliant plan

The hackers who broke into Ukraine’s energy companies, in the world’s first confirmed case of a hacker-caused power outage, were not opportunists testing their skills. A thorough investigation of the incident has revealed new details: it is clear that skilled and stealthy strategists were behind the attack, who carefully planned it over many months, first conducting reconnaissance, studying the victims’ networks and harvesting operator credentials, and then launching a synchronized attack on three control centers.

“It was a brilliant attack,” said Robert M. Lee, who assisted in the investigation, a former cyber operations officer in the US Air Force and co-founder of Dragos Security, a company that specializes in protecting critical infrastructure. “Speaking of the sophistication of hacking, many people always focus on the malware that was used. But for me, the sophistication of the attack lies in the level of logistics and planning of the operation ... and in what happens during it. And there was really exquisite work.”

Ukraine immediately pointed to Russia as the initiator of the attack. Robert Lee declined to name a country, but he said there is a clear distinction between the various stages of the operation, which suggests the involvement of hackers of different skill levels at different stages. It is therefore likely that the attack was carried out in cooperation between several quite different participants, perhaps cybercriminals and state-scale actors.

“It must be a well-funded, well-trained team ... But it is not necessarily at the state level,” he said. Perhaps low-level cybercriminals first gained initial access to the network and then handed control over to more experienced state-level hackers.

Either way, a successful attack on the power grid raises the question of how secure such networks are in the United States, experts say. Surprisingly, the Ukrainian control systems are better protected against such an attack than American ones, because they are well separated from the business networks by firewalls. But even that protection was not enough, because employees log in remotely to the SCADA (Supervisory Control and Data Acquisition) network, from which the electrical subsystems are controlled. There is no two-factor authentication, so anyone who knows a dispatcher’s credentials can take control of the substation control systems.

Electricity supply in the Ukrainian cities was restored within one to six hours. But even more than two months after the attack, the control centers had not returned to normal operation, a recent US report said. Computer security experts from Ukraine and the USA say that the hackers replaced the firmware on critical equipment in 16 substations, and that equipment now no longer responds to commands from the center. Electricity is being supplied, but the breakers have to be operated manually.

An attack on the American grid could end worse, because many American substations have no redundant manual controls, so restoring the power supply after such sabotage would be much more difficult.

Attack Timeline

Several US agencies have assisted Ukraine in investigating the attack, including the FBI and the US Department of Homeland Security. The consultants included experts Robert Lee and Michael J. Assante, both of whom teach computer security courses at the Washington SANS Institute. They were pleasantly surprised that the Ukrainian energy companies have advanced firewalls and system logs that helped reconstruct the chronology of events; this is not often seen when investigating attacks on commercial companies, and even less often in attacks on critical infrastructure.

According to Lee and the Ukrainian expert who participated in the investigation, preparations for the attack began last spring with a phishing campaign aimed at the IT staff and system administrators of the energy companies. Ukraine has 24 regions, with 11 to 27 districts in each region, and each region has its own company that manages electricity distribution in its network. Phishing emails with a Word document attached were sent to employees of three of these companies. When the document was opened, a window appeared asking the user to enable macros. If the user did so, a program called BlackEnergy3 was installed on the computer, with a backdoor for remote access. Exploiting Word and installing Trojans through macros is an old technique that has recently become popular again.

The phishing attack only gave the intruders access to the corporate network. To get into the SCADA system, they had to get through the firewall. For several months, the hackers conducted reconnaissance. They gained access to the Windows domain controllers, which manage user interaction with the domain, including user login, authentication and directory lookups. From there, they stole employees’ credentials, including passwords for the VPN services that employees used to access the SCADA system remotely. Once inside SCADA, the hackers began slowly preparing the attack.

First, they changed the configuration of the uninterruptible power supplies (UPS) that provided backup power to two of the control centers, so that the lights would go out at the same time both for the region’s residents and for the dispatchers at the enterprise. This is an egregious and aggressive act that can be read as a “big fuck you” to the energy companies, Lee said.

Each company has its own electricity distribution network, and during the reconnaissance stage the hackers studied these networks carefully. Then they wrote their own firmware versions for the serial-to-Ethernet converters in the substations. These devices relay commands from the control center to the substation; if the converter fails, remote control of the substation becomes impossible. “A malicious firmware upgrade for a specific operation has never been used before,” comments Robert Lee. “In terms of attack, this is very cool. I mean, really great work.”

By the way, the same serial-to-Ethernet converter models are also used in American substations.

Armed with malicious firmware, the hackers were ready to launch an attack.

At about 15:30 on December 23, they logged in to the SCADA system over the VPN using the stolen credentials and sent commands to shut down the reconfigured UPS units. Then they began opening the breakers at the substations, taking them offline one by one. Just before this, a telephone denial-of-service (TDoS) attack was launched against the energy companies’ call centers, so that customers could not get through and warn the dispatchers of the blackout prematurely. Robert Lee notes that the telephone DDoS shows the high level of sophistication and planning behind the whole operation. “What sophisticated hackers do is make concerted efforts, even taking into account unlikely scenarios, to ensure that they eliminate all possible problems,” he says.
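As an added example (not part of the original article), a small detection check over constructed log lines: it flags a successful VPN login from outside an assumed trusted address range that is followed, within a short window, by a burst of breaker-open commands from the same user, which is the pattern of stolen-credential remote access described above. The log format, field names, trusted prefix and thresholds are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the incident): a VPN login into the
# SCADA segment followed by a rapid series of breaker-open commands, plus a
# benign engineer session from the internal range for comparison.
SAMPLE_LOGS = """\
2015-12-23T15:29:10 vpn user=dispatcher7 src=203.0.113.45 result=ok
2015-12-23T15:31:02 scada user=dispatcher7 cmd=breaker_open target=SUB-01
2015-12-23T15:31:20 scada user=dispatcher7 cmd=breaker_open target=SUB-02
2015-12-23T15:31:41 scada user=dispatcher7 cmd=breaker_open target=SUB-03
2015-12-23T15:32:05 scada user=dispatcher7 cmd=breaker_open target=SUB-04
2015-12-23T16:05:00 vpn user=engineer2 src=10.8.0.12 result=ok
2015-12-23T16:10:00 scada user=engineer2 cmd=breaker_open target=SUB-09
"""

# Assumed line layout: "<iso timestamp> <vpn|scada> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>vpn|scada) (?P<kv>.*)$")


def parse(lines):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        kv = dict(part.split("=", 1) for part in m["kv"].split())
        events.append({"ts": datetime.fromisoformat(m["ts"]),
                       "kind": m["kind"], **kv})
    return events


def detect(lines, window=timedelta(minutes=15), threshold=3, trusted_prefix="10."):
    """Return (user, src, [targets]) for each successful VPN login from outside
    the assumed trusted prefix that is followed within `window` by at least
    `threshold` breaker_open commands issued under the same user account."""
    events = parse(lines)
    alerts = []
    for login in (e for e in events if e["kind"] == "vpn" and e.get("result") == "ok"):
        if login["src"].startswith(trusted_prefix):
            continue  # internal source: not the remote-access pattern of interest
        opens = [e for e in events
                 if e["kind"] == "scada" and e.get("user") == login["user"]
                 and e.get("cmd") == "breaker_open"
                 and login["ts"] <= e["ts"] <= login["ts"] + window]
        if len(opens) >= threshold:
            alerts.append((login["user"], login["src"], [e["target"] for e in opens]))
    return alerts
```

Because the attackers held valid credentials and there was no second factor, the login itself looks legitimate; the alert comes from the behaviour that follows it, which is why the check correlates the session with the breaker commands rather than judging the login alone.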

Carrying out the TDoS bought the attackers a little more time. By the time the dispatchers noticed the strange activity on their computers, some substations would already have been switched off. Experts say that in a politically motivated Russian attack against Ukraine, the telephone DDoS serves another purpose as well: undermining citizens’ confidence in the Ukrainian energy companies and the government.

After turning off the power at the substations, hackers replaced the firmware on the serial-to-Ethernet converters installed there. Upon completion of the operation, they launched a malware called KillDisk to erase files and MBR on computers in the control centers.

Installed logic bombs started KillDisk on a timer 90 minutes after the start of the attack, that is, at about 17:00. It was at this time that Prikarpatyeoblenergo published a message on its website with information about what was already known to citizens: electricity in several areas was cut off and an investigation is being conducted into the causes of the failure.

Half an hour later, when KillDisk completed its dirty business, Prikarpatyeoblenergo published another message: the reason for the failure was called a hacker attack.


Whoever is behind it, the blackout in Ukraine is the first attack of its kind, and it sets an ominous precedent for the security of power grids around the world. The Prikarpatyeoblenergo dispatcher could not have known what the flickering of the mouse cursor on his screen that day would lead to. But now everyone responsible for energy supply around the world has been warned. This attack was relatively short and mild. The next one may not be.
