Responding to another Ukrainian power attack
Almost exactly one year after the attack on three Ukrainian electricity distribution companies, another campaign has targeted the country’s power transmission system. Ukrainian officials have once again attributed the attack to Russian perpetrators. Richard Piggin shares his thoughts on how this represents an escalation in the sophistication of cyber attacks against a nation’s critical national infrastructure.
The most recent campaign is reported to have commenced on 6 December and continued through to 20 December. Vsevolod Kovalchuk, a director at the Ukrainian national energy company Ukrenergo, told Reuters that the 200 megawatt interruption was equivalent to approximately a fifth of Kiev's night-time energy consumption, and that an interruption of that scale was very rare.
Substation automation at the Pivnichna power transmission substation, north of Kiev, was shut down: the remote terminal units (RTUs) opened circuit breakers, causing a power outage that lasted 75 minutes. Power was restored manually, with full restoration early the following morning. Loss of supply was reported in northern Kiev, on the eastern bank of the Dnieper River and in the surrounding area.
The Ukrenergo director described ‘external influences’ affecting workstations and SCADA (supervisory control and data acquisition) servers, and anomalies in transmission network data. Although investigations are ongoing, researchers have in the meantime confirmed significant similarities to the power outage a year earlier, including phishing e-mails carrying malware embedded in Microsoft Office document macros, and traces of the BlackEnergy 3 malware used in the attacks targeting Ukrainian Government organisations.
Oleksii Yasnskiy of ISSP Labs distinguished the more recent attacks, which used significant obfuscation, as “being more complex and better organised.”
Marina Krotofil, a security researcher at Honeywell Industrial Cyber Security Lab, contrasted it with the previous, more damaging attack: “They could do many more things, but obviously they didn’t have this as an intent. It was more like a demonstration of capabilities.”
Ukrainian media and security researchers have also reported further cyber attacks, including distributed denial of service (DDoS) attacks on the Defence Ministry, government sites, the financial sector, railways, ports and electrical power transmission.
The electricity sector in particular, and governments as a whole, will be disturbed by the escalation illustrated by these further attacks, particularly the attack on a power transmission substation, which has the potential for a much greater impact than the previous attacks on distribution substations. Whether this is perceived as a demonstration or as a test of capability, it raises concerns. Given the evident motivation to attack critical infrastructure with apparent impunity and in contravention of international law, the intent highlights the need for effective cyber security and well-developed incident response planning.
Lessons will be drawn from both Ukraine attacks, including the methodologies used by the perpetrators and the opportunities to disrupt different stages of the attack. It is highly likely that the investigation will show perpetrator presence on target networks and the use of remote access to disrupt the substation automation. The capability demonstrated emphasises the importance of understanding normal network activity and recognising abnormalities. Both attacks also underline the need for mature incident response plans that are regularly updated, tested and reviewed.
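One way to put the ‘understand normal, recognise abnormal’ point into practice is to learn a baseline of which hosts talk to which RTUs, and with which commands, during a trusted window, and then flag conversations that were never seen in that window as well as bursts of control commands fanned out across several RTUs in quick succession, the pattern that opening breakers across a substation would produce. The following is an added example, not code from this article, from Ukrenergo or from any investigator; the host names, the port number, the ‘cmd’ field and every flow record are constructed assumptions about what a passive OT network monitor with a protocol parser might emit.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One application-layer transaction as a passive OT monitor might record it.

    All fields are assumptions about what such a monitor emits; the host
    names and the port number used below are constructed for this example.
    """
    ts: int      # epoch seconds
    src: str     # initiating host
    dst: str     # RTU or server addressed
    dport: int   # destination port of the SCADA protocol (constructed value)
    cmd: str     # parsed verb: "read" (polling) or "control" (breaker operation)


Key = Tuple[str, str, int, str]

# Constructed learning-window traffic: the HMI polls three RTUs, the historian
# reads them, and the HMI occasionally issues a control command to one RTU.
BASELINE_FLOWS = [
    Flow(100, "hmi-01", "rtu-a", 2404, "read"),
    Flow(101, "hmi-01", "rtu-b", 2404, "read"),
    Flow(102, "hmi-01", "rtu-c", 2404, "read"),
    Flow(130, "hist-01", "rtu-a", 2404, "read"),
    Flow(131, "hist-01", "rtu-b", 2404, "read"),
    Flow(132, "hist-01", "rtu-c", 2404, "read"),
    Flow(400, "hmi-01", "rtu-a", 2404, "control"),
]

# Constructed incident traffic: a workstation that never talked to the RTUs
# before issues control commands to all three within a few seconds.
OBSERVED_FLOWS = [
    Flow(1000, "hmi-01", "rtu-a", 2404, "read"),
    Flow(1010, "eng-ws-07", "rtu-a", 2404, "control"),
    Flow(1015, "eng-ws-07", "rtu-b", 2404, "control"),
    Flow(1020, "eng-ws-07", "rtu-c", 2404, "control"),
    Flow(1030, "hmi-01", "rtu-a", 2404, "control"),
]


def learn_baseline(flows: List[Flow]) -> Set[Key]:
    """Record every (src, dst, dport, cmd) tuple seen during a trusted window."""
    return {(f.src, f.dst, f.dport, f.cmd) for f in flows}


def detect(flows: List[Flow], baseline: Set[Key],
           burst_window: int = 60, burst_threshold: int = 3) -> List[Tuple[str, int, str]]:
    """Return (alert_type, ts, detail) tuples for two kinds of deviation.

    NEW_CONVERSATION: a tuple absent from the baseline, e.g. a host that never
    spoke to an RTU now issuing commands to it.
    CONTROL_BURST: one source sending control commands to at least
    burst_threshold distinct destinations within burst_window seconds.
    """
    alerts: List[Tuple[str, int, str]] = []
    control_log: Dict[str, List[Tuple[int, str]]] = defaultdict(list)

    for f in flows:
        key = (f.src, f.dst, f.dport, f.cmd)
        if key not in baseline:
            alerts.append(("NEW_CONVERSATION", f.ts,
                           f"{f.src} -> {f.dst}:{f.dport} {f.cmd} not seen in baseline"))
        if f.cmd == "control":
            control_log[f.src].append((f.ts, f.dst))
            recent = {dst for ts, dst in control_log[f.src]
                      if f.ts - ts <= burst_window}
            # Alert once, at the moment the threshold is first reached.
            if len(recent) == burst_threshold:
                alerts.append(("CONTROL_BURST", f.ts,
                               f"{f.src} issued control commands to "
                               f"{sorted(recent)} within {burst_window}s"))
    return alerts


def run_example() -> List[Tuple[str, int, str]]:
    """Learn from the baseline window, then check the incident traffic."""
    return detect(OBSERVED_FLOWS, learn_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for kind, ts, detail in run_example():
        print(f"{ts} {kind}: {detail}")
```

Run against the constructed incident traffic, the detector raises three NEW_CONVERSATION alerts for the unfamiliar workstation and one CONTROL_BURST alert when its third control command lands within the window, while the operator's own control command from the HMI, which appeared in the baseline, raises nothing. In a real deployment the baseline would be learned over a long enough window to capture legitimate maintenance activity, and remote-access sessions to engineering hosts would be correlated with these alerts rather than treated in isolation.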