Reader’s Digest Version of the Ukraine Story

ICS-CERT published an alert on the Ukrainean power outage based on a series of interviews that representatives of the US government had conducted in Ukraine. Here’s a reader’s digest version.

While the USG representatives have not been able to conduct due forensic analysis, they believe that the power outages in Ukraine were caused by a cyber attack that looked like this:

1st stage: Attackers obtain access credentials by spearphishing.

2nd stage: Attackers access HMI applications using legitimate remote access points (no malicious RAT needed to be installed), leveraging the stolen access credentials.

3rd stage: A power engineer or two on the attack team flip the right breakers to cut power to customers in online dialog (implying that no protective logic would have blocked a full power-down by deliberate command).

4th stage: Attackers mess up recovery by 1 – loading corrupted firmware to serial-to-Ethernet converters (ever heard about Boreas, or Project Basecamp?), 2 – wiping all disks they could reach, including disks on RTUs that the operators probably even didn’t know existed, 3 – shutting down UPSes via the legitimate network command interface (bad after finding oneself disconnected from the grid).

All rumor about Black Energy, no matter which version, is misleading because this sequence of events didn’t require the BE malware in particular. It didn’t even require any malicious RAT because the affected utilities were ignorant enough to install legitimate remote access points to critical systems.

So all you operators of critical infrastructure, especially those in regions that are plagued by civil unrest or faced with an army of potent adversaries, don’t provide remote access to your critical infrastructure, use products that support integrity checks for firmware, disable remote command interfaces to your UPSes even though they are so convenient, and keep your IT attack surface on critical OT components small (after all, who told you that you would need a Windows HMI on something as simple as an RTU). You know, international crisis can result from events that can be prevented by simply following basic OT security practices.