Reference no: EM132757514
The Cyberattack on Ukraine Assignment
After Russia annexed Crimea from Ukraine in 2014, authorities started nationalizing Ukrainian-owned energy companies in Crimea. In late 2015, Ukrainian supporters physically attacked electrical power distribution centers, plunging two million Crimeans in the dark.
Each of Ukraine's 24 regions is served by a different electric company. On December 23, 2015, the Ukrainian power grid experienced a cyberattack. The activists simultaneously attacked three power distribution substations, cutting power to some 230,000 Ukrainians.
The multistage, targeted cyberattack actually started in the spring of 2015. Let's take a look at how the cyberattack unfolded.
The Spear-Phishing Attack. In the first stage, the attackers launched a spear-phishing attack on IT staff and system administrators at three of the power distribution companies in Ukraine. The attack sent e-mails to employees that contained a malicious Word file. If an employee clicked on the document, a popup window told them to enable macros for that file. If they did so, a malicious software program named BlackEnergy3 infected their computers and allowed the hackers entry into their system.
Reconnaissance. The spear-phishing attack allowed the intruders to access the power distribution companies' corporate networks. However, the intruders still had to gain access to the supervisory control and data acquisition (SCADA) networks that actually operated the power grid, but the power companies had competently separated those networks from corporate networks with a firewall. Therefore, the attackers had to search the corporate networks and gain entry to the Windows Domain Controllers. From there, the hackers gathered employee login credentials from the user accounts. Some of these login credentials were used by employees to access virtual private networks (VPNs) to remotely log in to the SCADA network. The attackers now had access to the SCADA networks.
Disabling the uninterruptible power supply. The attackers now rejigged the supply of uninterruptible power to the three systems' control centers. They wanted to cut power to the operators as well as the customers.
Disabling the converters. The attackers then coded malicious software to supersede the actual software on converters at power company substation control systems. (These converters handle data from the SCADA network to the substations.) Disabling the converters stopped employees from transmitting remote commands to reestablish power after it was cut. The converters could not work and could not be recovered. This situation meant that the power companies could not recover until they obtained new converters and incorporated them into the power system. (Note: Power companies in the United States use the same type of converters as those used in Ukraine.)
Denial-of-service attack. The attackers now targeted customer call centers, initiating a telephone denial-of-service attack. That meant that customers could not call in to report the blackout when it occurred. The attack jammed up the distribution centers' call centers with thousands of false calls, blocking actual customers from getting through. This denial-of-service attack allowed the attackers more time to work on their attack because not only were substation employees seeing false information on their hijacked computers, but they were receiving no phone calls reporting power outages.
Causing the blackout. On December 23, the attackers used the commandeered VPNs to access the SCADA networks and deactivate the uninterruptible power supply that they had already reconfigured. Then they removed substations from the power grid.
Deploying KillDisk. Lastly, the attackers deployed software called KillDisk to complete their path of destruction. KillDisk deletes or overwrites essential system files from operators' computers to disable them as well. Because KillDisk also wipes the master boot file, operators could not reboot the crashed computers.
About half the homes in Ukraine's Ivano-Frankivsk region lost power. The cybercriminals also simultaneously attacked a large mining company and a major railway. The incidents seem to have been politically motivated, meant to disable Ukrainian critical infrastructure in a strike, according to security analysts at Trend Micro (www.trendmicro.com).
Homes and businesses in the impacted areas only lost power from one to six hours. However, more than two months later, the control centers were still not completely back online. Electricity was still being delivered, but employees had to manually operate the power substations.
The attack caused only digital damage; if the substations had been physically damaged, it would have taken much longer to restore power. In 2007, the U.S. government showed how criminals could remotely destroy a power generator through a SCADA attack with just 21 lines of malicious code.
Infrastructure personnel can learn many lessons from the attack. Ukraine's power generation control systems were unexpectedly more robust than some in the United States. The reason is that the Ukrainian SCADA networks were separated from the business networks with excellent firewalls. However, the Ukrainian control systems still had security weaknesses. For example, employees remotely accessing the SCADA network were not prompted to use two-factor authentication, which enabled the hackers to steal login information and gain entry to the SCADA systems.
Another lesson is that in the United States many power systems lack manual backups. That is, if criminals were to attack automated SCADA systems in the United States, it would be much more difficult to bring the grid back online.
This first-ever successful attack of a power grid's computers is a dire safety warning for other such systems across the world. Experts in industrial control systems at the Sans Institute (www.sans.org) say the hack of the Ukrainian power grid was the first time that cybercriminals have managed to directly bring down a power grid.
In December 2016, Ukraine was attacked again. Reports alleged that a group of Russians attacked computers at a control center of a power supplier in Kiev. The attackers apparently used phishing attacks on workers, enabling the intruders to grab login information and disable substations. The shutdown affected some 20 percent of Kiev's nighttime electrical use.
Sources: Compiled from J. Condliffe, "Ukraine's Power Grid Gets Hacked Again, a Worrying Sign for Infrastructure Attacks," MIT Technology Review, December 22, 2016; E. Markowitz, "After Ukraine Cyberattacks, FBI and DHS Urge U.S. Power Companies to Develop Better Safety Protocols," International Business Times, April 21, 2016; "FBI, DHS Issue Warning about Increasing Cyber Threat to Nation's Power Grid after Downplaying It in January," Cyberwar.news, April 12, 2016; B. Gertz, "FBI Warns of Cyber Threat to Electric Grid," The Washington Free Beacon, April 8, 2016; K. Zetter, "Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid," Wired, March 3, 2016; D. Voltz, "U.S. Government Concludes Cyber Attack Caused Ukraine Power Outage," Reuters, February 25, 2016; W. Ashford, "Ukraine Cyber Attacks Beyond Power Companies, Says Trend Micro," Computer Weekly, February 12, 2016; J. Robertson and M. Riley, "How Hackers Took Down a Power Grid," Bloomberg BusinessWeek, January 14, 2016; M. Heller, "Russian Actors Accused of Attacking Ukraine with BlackEnergy Malware," TechTarget, January 4, 2016; D. Goodin, "First Known Hacker-Caused Power Outage Signals Troubling Escalation," Ars Technica, January 4, 2016; J. Cox, "Malware Found Inside Downed Ukrainian Grid Management Points to Cyberattack," Motherboard, January 4, 2016.
Questions
Describe what the Ukrainian power distribution companies did correctly to try to prevent such attacks.
Describe what other actions that the Ukrainian power distribution companies did incorrectly, or did not at all, in order to try and prevent such attacks.
What lessons can other power companies gain from the Ukrainian cyberattack?
Explain the following 10 types of deliberate attacks (for each item, please do not write more than 5 lines).
Information extortion
Sabotage and vandalism
Identity theft
Phisihing attack
Distributed denial-of-service (DDoS) attack
Back door
Supervisory control and data acquisition (SCAND) attacks
Cyberterrorism and cyberwarfare