Breaking the Cyber Kill Chain: Lessons Learned From the Ukrainian Power Grid Hack

July 25, 2016 · steveverbanic

In December 2015, an unprecedented attack hit three regional power distribution companies in Western Ukraine. These facilities, responsible for directing electricity to hundreds of thousands of nearby residents, became the target of what may be one of the most sophisticated cyber attacks on record and the first publicly confirmed cyber attack to take down a power grid.

What Happened?

At the end of a regular workday, roughly 230,000 Ukrainians suddenly lost power and could not even reach the local utility by phone. In the control centers, operators found themselves locked out of their workstations, with some thirty substations taken offline and the backup power supplies to the control centers themselves disabled, leaving the operators to attempt restoration in the dark. At the same time, a telephone denial-of-service attack flooded the utilities' call centers, preventing customers from reporting the outage and leaving the operators blind to its true extent.

Each step of the attack was carefully planned and precisely executed. The attackers went so far as to write and upload operation-specific malicious firmware to the control stations' serial-to-Ethernet converters, bricking the devices and preventing operators from opening or closing circuit breakers remotely. Months after the attack, the operators are still forced to open and close those breakers manually at the substations.

What Was Learned

The attack started, as most targeted intrusions do, with a spear-phishing campaign. Employees opened emails that appeared to come from trusted sources but carried a malicious Word document; enabling its macros gave the attackers a foothold on the corporate network.

Months of reconnaissance and keylogging followed, yielding employee login credentials, including the VPN credentials that let the attackers move from the business network into the control-system network. They then gathered the details of the field hardware needed to write and upload the malicious firmware, all before the operators knew anything was wrong.

Since there is no evidence that the Ukrainian utilities' infrastructure was any less secure than that of an American power distribution facility (or of the average business), it stands to reason that any organization could be targeted, for motives it may never learn. Mitigating this risk means looking at each step of the attack:

  • Spear Phishing: Training employees to resist social engineering and recognize phishing attempts is key to preventing the initial foothold; so is blocking macro-enabled Office attachments at the mail gateway, since that is what delivered the malware here.
  • Credential Theft: Monitoring network activity and user behavior for anomalies, combined with multi-factor authentication on every remote login, can catch suspicious activity during the information-gathering stage and makes a stolen password alone insufficient.
  • Data Exfiltration: Network security monitoring can detect hardware and configuration data being funneled to unauthorized destinations. Encrypting sensitive data at rest protects its confidentiality, so what does get out is of little use to the attacker.
  • VPN Access: The utilities' VPNs extended full trust to anyone who authenticated, so one stolen credential gave complete access once a single part of the network was compromised. Treating remote connections as untrusted (MFA, segmentation between business and control networks, least-privilege access) helps contain an intrusion when it occurs.
  • Remote Access: Once an attacker controls a workstation, there must be a way to isolate the compromised system: disabling its inbound communications and suspending any control signals coming from untrusted sources.
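The credential-theft, VPN-access and remote-access points above reduce to one detection question: does this login look like the account's owner? As an added example that is not part of the original post (and not SLAIT code), the Python script below builds a per-user baseline of source addresses from a constructed, hypothetical VPN authentication log and flags post-baseline logins that lack MFA, come from a source the user has never used, fall outside an assumed shift window, or share a source address with another account within a short window, which is what replayed stolen credentials look like. The log format, field names, shift hours and thresholds are all assumptions.

```python
"""Flag anomalous VPN/remote-access logins against a per-user baseline.

Added example, not code from the original post or from any vendor.
The log format is hypothetical: one line per authentication event,
"timestamp user source_ip mfa(yes|no) result(success|failure)".
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

BUSINESS_HOURS = range(6, 20)             # assumed control-room shift window, 06:00-19:59
SHARED_SOURCE_WINDOW = timedelta(minutes=15)  # assumed window for the shared-source rule
BASELINE_CUTOFF = datetime(2015, 12, 1)   # successful logins before this date define "normal"

# Constructed sample log: the November lines are the baseline, the December
# lines mimic the pattern described in the post (stolen credentials over VPN).
SAMPLE_LOG = """\
2015-11-02T08:12:04 operator1 10.20.0.15 yes success
2015-11-02T08:40:19 operator2 10.20.0.22 yes success
2015-11-03T08:05:41 operator1 10.20.0.15 yes success
2015-11-03T09:11:02 operator2 10.20.0.22 yes success
2015-11-04T08:20:33 operator1 10.20.0.15 yes success
2015-11-04T08:33:17 operator2 10.20.0.22 yes success
2015-12-23T08:02:50 operator1 10.20.0.15 yes success
2015-12-23T15:35:12 operator1 203.0.113.77 no success
2015-12-23T15:36:01 operator2 203.0.113.77 no success
2015-12-24T02:14:09 operator2 10.20.0.22 yes success
"""


class Login(NamedTuple):
    ts: datetime
    user: str
    src_ip: str
    mfa: bool
    success: bool


class Alert(NamedTuple):
    ts: datetime
    user: str
    src_ip: str
    reason: str


def parse_log(text: str) -> list[Login]:
    """Parse the hypothetical log format; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, ip, mfa, result = parts
        events.append(Login(datetime.fromisoformat(ts), user, ip,
                            mfa == "yes", result == "success"))
    return sorted(events, key=lambda e: e.ts)


def build_baseline(events: list[Login], cutoff: datetime) -> dict[str, set[str]]:
    """Source IPs each user successfully logged in from before the cutoff."""
    known_ips: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e.success and e.ts < cutoff:
            known_ips[e.user].add(e.src_ip)
    return known_ips


def detect(events: list[Login], cutoff: datetime = BASELINE_CUTOFF) -> list[Alert]:
    """Apply the four rules to every successful login at or after the cutoff."""
    known_ips = build_baseline(events, cutoff)
    alerts: list[Alert] = []
    seen_by_ip: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e.ts < cutoff or not e.success:
            continue
        if not e.mfa:
            alerts.append(Alert(e.ts, e.user, e.src_ip, "no_mfa"))
        if e.src_ip not in known_ips[e.user]:
            alerts.append(Alert(e.ts, e.user, e.src_ip, "new_source"))
        if e.ts.hour not in BUSINESS_HOURS:
            alerts.append(Alert(e.ts, e.user, e.src_ip, "off_hours"))
        # One source authenticating as several accounts in a short window is
        # the signature of harvested credentials being replayed.
        others = [u for t, u in seen_by_ip[e.src_ip]
                  if u != e.user and e.ts - t <= SHARED_SOURCE_WINDOW]
        if others:
            alerts.append(Alert(e.ts, e.user, e.src_ip, "shared_source"))
        seen_by_ip[e.src_ip].append((e.ts, e.user))
    return alerts


def run_example() -> list[Alert]:
    """Run the detector over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.ts.isoformat()} {a.user:<10} {a.src_ip:<14} {a.reason}")
```

Run directly, it prints six alerts, all from the December lines: the two no-MFA logins from the unknown address 203.0.113.77, that same address switching accounts within a minute, and a 02:14 login from an otherwise normal source. The November lines raise nothing because they form the baseline. In a real deployment the baseline would come from weeks of logs and the shared-source rule would be tuned for legitimate shared egress addresses, otherwise every office NAT trips it.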

While these steps may not prevent the next attack, they can mount a defense resilient enough to limit the damage. SLAIT Consulting can work with organizations to identify vulnerabilities and deploy security technology to break the kill chain. Learn more about our security services, or contact us today!