Question

The Cyberattack on Ukraine

After Russia annexed Crimea from Ukraine in 2014, authorities started nationalizing Ukrainian-owned energy companies in Crimea. In late 2015, Ukrainian supporters physically attacked electrical power distribution centers, plunging two million Crimeans in the dark.

Each of Ukraine's 24 regions is served by a different electric company. On December 23, 2015, the Ukrainian power grid experienced a cyberattack. The activists simultaneously attacked three power distribution substations, cutting power to some 230,000 Ukrainians.

The multistage, targeted cyberattack actually started in the spring of 2015. Let's take a look at how the cyberattack unfolded.

The Spear-Phishing Attack. In the first stage, the attackers launched a spear-phishing attack on IT staff and system administrators at three of the power distribution companies in Ukraine. The attack sent e-mails to employees that contained a malicious Word file. If an employee clicked on the document, a popup window told them to enable macros for that file. If they did so, a malicious software program named BlackEnergy3 infected their computers and allowed the hackers entry into their system.

Reconnaissance. The spear-phishing attack allowed the intruders to access the power distribution companies' corporate networks. However, the intruders still had to gain access to the supervisory control and data acquisition (SCADA) networks that actually operated the power grid, but the power companies had competently separated those networks from corporate networks with a firewall. Therefore, the attackers had to search the corporate networks and gain entry to the Windows Domain Controllers. From there, the hackers gathered employee login credentials from the user accounts. Some of these login credentials were used by employees to access virtual private networks (VPNs) to remotely log in to the SCADA network. The attackers now had access to the SCADA networks.

Disabling the uninterruptible power supply. The attackers now rejigged the supply of uninterruptible power to the three systems' control centers. They wanted to cut power to the operators as well as the customers.

Disabling the converters. The attackers then coded malicious software to supersede the actual software on converters at power company substation control systems. (These converters handle data from the SCADA network to the substations.) Disabling the converters stopped employees from transmitting remote commands to reestablish power after it was cut. The converters could not work and could not be recovered. This situation meant that the power companies could not recover until they obtained new converters and incorporated them into the power system. (Note: Power companies in the United States use the same type of converters as those used in Ukraine.)

Denial-of-service attack. The attackers now targeted customer call centers, initiating a telephone denial-of-service attack. That meant that customers could not call in to report the blackout when it occurred. The attack jammed up the distribution centers' call centers with thousands of false calls, blocking actual customers from getting through. This denial-of-service attack allowed the attackers more time to work on their attack because not only were substation employees seeing false information on their hijacked computers, but they were receiving no phone calls reporting power outages.

Causing the blackout. On December 23, the attackers used the commandeered VPNs to access the SCADA networks and deactivate the uninterruptible power supply that they had already reconfigured. Then they removed substations from the power grid.

Deploying KillDisk. Lastly, the attackers deployed software called KillDisk to complete their path of destruction. KillDisk deletes or overwrites essential system files from operators' computers to disable them as well. Because KillDisk also wipes the master boot file, operators could not reboot the crashed computers.

About half the homes in Ukraine's Ivano-Frankivsk region lost power. The cybercriminals also simultaneously attacked a large mining company and a major railway. The incidents seem to have been politically motivated, meant to disable Ukrainian critical infrastructure in a strike, according to security analysts at Trend Micro (www.trendmicro.com).

Homes and businesses in the impacted areas only lost power from one to six hours. However, more than two months later, the control centers were still not completely back online. Electricity was still being delivered, but employees had to manually operate the power substations.

The attack caused only digital damage; if the substations had been physically damaged, it would have taken much longer to restore power. In 2007, the U.S. government showed how criminals could remotely destroy a power generator through a SCADA attack with just 21 lines of malicious code.

Infrastructure personnel can learn many lessons from the attack. Ukraine's power generation control systems were unexpectedly more robust than some in the United States. The reason is that the Ukrainian SCADA networks were separated from the business networks with excellent firewalls. However, the Ukrainian control systems still had security weaknesses. For example, employees remotely accessing the SCADA network were not prompted to use two-factor authentication, which enabled the hackers to steal login information and gain entry to the SCADA systems.

Another lesson is that in the United States many power systems lack manual backups. That is, if criminals were to attack automated SCADA systems in the United States, it would be much more difficult to bring the grid back online.

This first-ever successful attack of a power grid's computers is a dire safety warning for other such systems across the world. Experts in industrial control systems at the Sans Institute (www.sans.org) say the hack of the Ukrainian power grid was the first time that cybercriminals have managed to directly bring down a power grid.

In December 2016, Ukraine was attacked again. Reports alleged that a group of Russians attacked computers at a control center of a power supplier in Kiev. The attackers apparently used phishing attacks on workers, enabling the intruders to grab login information and disable substations. The shutdown affected some 20 percent of Kiev's nighttime electrical use.

Sources: Compiled from J. Condliffe, “Ukraine's Power Grid Gets Hacked Again, a Worrying Sign for Infrastructure Attacks,” MIT Technology Review, December 22, 2016; E. Markowitz, “After Ukraine Cyberattacks, FBI and DHS Urge U.S. Power Companies to Develop Better Safety Protocols,” International Business Times, April 21, 2016; “FBI, DHS Issue Warning about Increasing Cyber Threat to Nation's Power Grid after Downplaying It in January,” Cyberwar.news, April 12, 2016; B. Gertz, “FBI Warns of Cyber Threat to Electric Grid,” The Washington Free Beacon, April 8, 2016; K. Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid,” Wired, March 3, 2016; D. Voltz, “U.S. Government Concludes Cyber Attack Caused Ukraine Power Outage,” Reuters, February 25, 2016; W. Ashford, “Ukraine Cyber Attacks Beyond Power Companies, Says Trend Micro,” Computer Weekly, February 12, 2016; J. Robertson and M. Riley, “How Hackers Took Down a Power Grid,” Bloomberg BusinessWeek, January 14, 2016; M. Heller, “Russian Actors Accused of Attacking Ukraine with BlackEnergy Malware,” TechTarget, January 4, 2016; D. Goodin, “First Known Hacker-Caused Power Outage Signals Troubling Escalation,” Ars Technica, January 4, 2016; J. Cox, “Malware Found Inside Downed Ukrainian Grid Management Points to Cyberattack,” Motherboard, January 4, 2016.

• Questions ( 1 point * 3 = 3 points)

1. Describe what the Ukrainian power distribution companies did correctly to try to prevent such attacks.
2. Describe what other actions that the Ukrainian power distribution companies did incorrectly, or did not do at all, in order to try and prevent such attacks.
3. What lessons can other power companies gain from the Ukrainian cyberattack?

• Explain the following 10 types of deliberate attacks (for each item, please do not write more than 5 lines). (0.2 point * 10 = 2 points)

1. Espionage and trespass
2. Information extortion
3. Sabotage and vandalism
4. Identity theft
5. Phisihing attack
6. Distributed denial-of-service (DDoS) attack
7. Back door
8. Supervisory control and data acquisition (SCAND) attacks
9. Cyberterrorism and cyberwarfare

Answer 1

Part 1) Ukrainian Power Distribution Companies successfully separated supervisory control and data acquisition network that operated the power grid from the company's corporate network through excellent firewalls. Companies also used VPN to remotely log in to the SCADA network making it safer.
Ukrainian companies also had a manual backup system which allowed them to bring back the power online fast.

Part 2) Some issues are:
Employees remotely accessing the SCADA network were not asked to use two-factor authentication which enabled the hackers to steal login information and gain entry into the system.
There don't seem to be clear guidelines for preventing phishing attacks followed by employees

Part 3)
The attack was the first-ever successful attack on a power grid system across the world.
The first lesson is to separate the SCADA network from the business network with excellent firewalls. Also additional security i.e. two-factor authentication must be used to allow employees remotely accessing the SCADA network. Employees must follow internationally accepted safety practices to prevent such attacks. Phishing attacks target humans as a security flaw and power companies need to beef up their security not just from digital perspective but also from human angle.
Another lesson is to have a manual backup to digital systems. These systems are crucial to prevent such an attack to cripple the power grid for an extended period.

Part 4)
A) The act of obtaining information usually by a foreign country or an external company is called espionage. Here hackers work involved with espionage as a group of Russian hackers were bringing down the power grid of Ukraine.
B) Trespass is when you enter someone else's property without permission. In this case, the hackers trespassed digitally into the power companies network with malicious intent to bring down the power grid.
C) Information extortion is an online crime where some digital property like data, website, computer system, etc are held to ransom. Typical extortion happens in the form of ransomware where you need to pay for the ransomware to release your digital property. Another example is denial of service attack where the system is overloaded with fake calls or fake network requests so that many legitimate requests are dropped.
D) Sabotage is a process which results in the disruption of normalcy, however in a digital context cyber sabotage means disrupting digital processes, in the above example the disruption of Power Grid. Similarly cyber vandalism is a deliberate damage to the computer system which in the above example was bringing down the computer system responsible for the power grid.
E) Identity theft is a cyber-attack your personal or financial information is stolen for the purpose of using it to gain access to some to private digital property or to make a transaction. In this case stealing employee credentials to gain access to the power grid network was identity theft.
F) Phishing attack in cyber-crime where victims are lured to provide sensitive data and contacted via Email text message or on call. Example the hackers used fishing to email the employee virus that gave them access to the network.
G) DDoS attack is the is a cyber-attack to make a service unavailable to legitimate users by bombarding it with fake requests. For example the calls to power customer service was disrupted by hackers to prevent customers from reporting.
H) Back door is a method of bypassing the authentication needs in a computer service or network. In the above example the hackers used a back door to get access to the SCADA network to bring down the power grid.
I) Supervisory Control and Data Acquisition attacks
SCADA attacks are attacks on the hardware and software system that allows organisations to control process digitally. In the above scenario the attack on the power grid is a SCADA attack
J) Cyberterrorism and cyber-warfare
These are the actions by a terrorist organization or a nation state organization that attack a nations digital resources to cause harm or to gain information. In this case of power grid attack Russia waged cyber-warfare on Ukraine.