Ukraine’s Power System Hacking: Coordinated in More than One Way?

[original graphic: outsidethebeltway.com]

Analysis by the SANS industrial control systems team determined that the hacking of Ukrainian electrical power utilities reported on 23-DEC-2015 was a coordinated attack. It required multiple phases to achieve a sustained loss of electricity to roughly 80,000 customers. SANS reported they “are confident” the following events occurred:

  • The adversary initiated an intrusion into production SCADA systems
  • Infected workstations and servers
  • Acted to “blind” the dispatchers
  • Acted to damage the SCADA system hosts (servers and workstations)
  • This action would have delayed restoration and introduced risk, especially if the SCADA system was essential to coordinate actions
  • Action can also make forensics more difficult
  • Flooded the call centers to prevent customers from calling in to report the power outage

An investigation is still underway, and the following are still subject to confirmation:

  • The adversaries infected workstations and moved through the environment
  • Acted to open breakers and cause the outage (assessed through technical analysis of the Ukrainian SCADA system in comparison to the impact)
  • Initiated a possible DDoS on the company websites
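The phases listed above are individually ordinary (a lost HMI session, a breaker operation, a spike in call volume); what marks the event as coordinated is that they cluster in time across otherwise separate systems. The following is an added example, not from the post or from SANS, of a correlation rule a utility's monitoring team could run over its own host, SCADA and call-center logs. The log lines, host names, phase keywords, 60-minute window and the "three distinct phases" threshold are all constructed for illustration.

```python
"""Correlate indicators of a multi-phase outage pattern across log sources.

Added example with constructed sample logs (not real telemetry) from three
sources: SCADA/HMI hosts, the SCADA server and the call center. The rule is
hypothetical: flag any 60-minute window in which indicators from at least
three distinct attack phases co-occur.
"""
from datetime import datetime, timedelta

# Constructed sample events: "ISO timestamp | source | message"
SAMPLE_LOG = """\
2015-12-23T15:02:11 | hmi-ws-03 | unexpected remote session started by svc_account
2015-12-23T15:10:40 | hmi-ws-03 | HMI client disconnected from SCADA server
2015-12-23T15:11:02 | hmi-ws-07 | HMI client disconnected from SCADA server
2015-12-23T15:14:55 | scada-srv-01 | breaker CMD OPEN feeder 110kV-L4 (no dispatcher ticket)
2015-12-23T15:15:03 | scada-srv-01 | breaker CMD OPEN feeder 110kV-L9 (no dispatcher ticket)
2015-12-23T15:20:30 | hmi-ws-03 | MBR overwrite detected on system disk
2015-12-23T15:25:00 | callcenter | inbound call rate 1200/min (baseline 40/min)
2015-12-24T09:00:00 | hmi-ws-12 | HMI client disconnected from SCADA server
"""

# Phase indicators: message substring -> phase label (hypothetical rule content)
PHASE_RULES = {
    "unexpected remote session": "intrusion",
    "HMI client disconnected": "dispatcher_blinding",
    "MBR overwrite": "host_damage",
    "breaker CMD OPEN": "breaker_operation",
    "inbound call rate": "call_center_flood",
}

WINDOW = timedelta(minutes=60)
MIN_PHASES = 3


def parse_events(text):
    """Parse the pipe-separated log into sorted (timestamp, source, message, phase) tuples.

    Lines that match no phase rule are dropped; they play no part in the correlation.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, source, message = (part.strip() for part in line.split("|", 2))
        ts = datetime.fromisoformat(ts_s)
        phase = next((p for needle, p in PHASE_RULES.items() if needle in message), None)
        if phase:
            events.append((ts, source, message, phase))
    return sorted(events, key=lambda e: e[0])


def correlate(events, window=WINDOW, min_phases=MIN_PHASES):
    """Slide a window over the events; return alerts where >= min_phases distinct phases co-occur.

    Each alert is (window_start, set_of_phases, sorted_hosts). A window is
    anchored at each event in turn, and a cluster is reported once, from its
    earliest member, so a single incident does not produce repeated alerts.
    """
    alerts = []
    reported_until = None
    for i, (ts, _, _, _) in enumerate(events):
        if reported_until and ts <= reported_until:
            continue  # already covered by a previous alert
        in_window = [e for e in events[i:] if e[0] - ts <= window]
        phases = {e[3] for e in in_window}
        if len(phases) >= min_phases:
            hosts = sorted({e[1] for e in in_window})
            alerts.append((ts, phases, hosts))
            reported_until = ts + window
    return alerts


if __name__ == "__main__":
    for start, phases, hosts in correlate(parse_events(SAMPLE_LOG)):
        print(f"{start}: {len(phases)} phases {sorted(phases)} across {hosts}")
```

On the sample log this produces one alert for the afternoon of 23 December covering all five phases, while the lone HMI disconnect the next morning stays below the threshold. The point of the design is that the call-center feed is treated as a security signal alongside the control-system logs: a flood of outage calls with no matching dispatcher-initiated switching is exactly the cross-domain pattern the SANS summary describes.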

The part that piques my attention is the defeat of SCADA systems by way of a multiphased attack — not unlike Stuxnet. Hmm…

Another interesting feature of this cyber attack is its location. It’s not near sites of militarized hostilities along the border with Russia, where many are of Russian ethnicity, but in the western portion of Ukraine.

More specifically, the affected power company served the Ivano-Frankivsk region, through which a large amount of natural gas is piped toward the EU. Note the map included above, showing the location and direction of pipelines as well as their output volume. Were the pipelines one of the targets of the cyber attack, along with the electricity generation capacity in the region through which the pipes run? Was this hack planned and coordinated not only to take out power and slow response to the outage but to reduce the pipeline output through Ukraine to the EU?

Blogger since 2002, political activist since 2003, geek since birth. Opinions informed by mixed-race, multi-ethnic, cis-female condition, further shaped by kind friends of all persuasions. Sci-tech frenemy, wannabe artist, decent cook, determined author, successful troublemaker. Mother of invention and two excessively smart-assed young adult kids. Attended School of Hard Knocks; Rather Unfortunate Smallish Private Business School in Midwest; Affordable Mid-State Community College w/evening classes. Self-employed at Tiny Consulting Business; previously at Large-ish Chemical Company with HQ in Midwest in multiple marginalizing corporate drone roles, and at Rather Big IT Service Provider as a project manager, preceded by a motley assortment of gigs before the gig economy was a thing. Blogging experience includes a personal blog at the original blogs.salon.com, managing editor for a state-based news site, and a stint at Firedoglake before landing here at emptywheel as technology’s less-virginal-but-still-accursed Cassandra.
12 replies
  1. bloopie2 says:

    They sure did pick an interesting place to do their work. I’m curious, where did this map come from? I ask because I WAS going to post this comment: “These days it’s hard, in the US, to get online maps of infrastructure; you can’t even find one for the pedestrian tunnels in Grand Central North.” But THEN I searched Google Images for “map of US gas pipelines” and hit the motherlode; they’re everywhere (the maps, that is). No chance stopping that type of information from getting into the wrong hands, it seems.

    • P J Evans says:

      Look up the NPMS public map viewer, for a version of infrastructure that most people don’t even know exists. The closest you can get is about 1:24000 (USGS 7.5-minute quad scale), so you won’t get real detail.

      I get nervous about the hydrogen pipelines that exist in a few places.

  2. bloopie2 says:

    And this, I love: “I could download operator graphics to my system, modify them and then upload those modified graphics to the operator,” Langill said. “Idaho National Labs has shown that to be a very effective attack vector to fake out the operator.” Isn’t that what Matt Damon did in Ocean’s Eleven? A very old trick.
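The graphics-swap scenario quoted in the comment above (download the operator's display files, alter them, upload them back) is one that an integrity check on the HMI graphics catches. What follows is an added example from this edit, not from the post, the commenter, or Idaho National Labs: a keyed manifest of the commissioned display files, verified on a schedule. The file contents, paths and HMAC key are constructed for illustration; the assumption is that the key is held off the HMI host, so whoever can rewrite the graphics cannot also forge the manifest that describes them.

```python
"""Detect tampered operator (HMI) graphics with a keyed manifest.

Added example. Assumes the HMI display files can be hashed at commissioning
time and that the manifest is authenticated with an HMAC key kept off the
HMI host (for instance with the engineering team), so a tampered display
cannot be hidden by rewriting the manifest on the same machine.
"""
import hashlib
import hmac
import json

# Constructed stand-in for the graphics directory: path -> file bytes
COMMISSIONED_GRAPHICS = {
    "screens/overview.xml": b"<screen><breaker id='L4' state='CLOSED'/></screen>",
    "screens/substation_a.xml": b"<screen><alarm id='A1' enabled='true'/></screen>",
}
# Constructed HMAC key; in practice held off the HMI host
ENGINEERING_KEY = b"constructed-demo-key-not-for-production"


def build_manifest(files, key):
    """Return (manifest_bytes, tag): SHA-256 per file, authenticated with HMAC-SHA256."""
    digests = {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def verify_graphics(files, manifest_body, tag, key):
    """Authenticate the manifest, then compare each file against it.

    Returns a dict with 'manifest_ok' and sorted lists of 'modified',
    'missing' and 'unexpected' paths. If the manifest fails authentication
    the file comparison is skipped, because its hashes cannot be trusted.
    """
    expected_tag = hmac.new(key, manifest_body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return {"manifest_ok": False, "modified": [], "missing": [], "unexpected": []}
    expected = json.loads(manifest_body)
    modified = [p for p, d in files.items()
                if p in expected and hashlib.sha256(d).hexdigest() != expected[p]]
    missing = [p for p in expected if p not in files]
    unexpected = [p for p in files if p not in expected]
    return {"manifest_ok": True, "modified": sorted(modified),
            "missing": sorted(missing), "unexpected": sorted(unexpected)}


def demo():
    """Constructed tampering: one display altered in place, one new display added."""
    body, tag = build_manifest(COMMISSIONED_GRAPHICS, ENGINEERING_KEY)
    tampered = dict(COMMISSIONED_GRAPHICS)
    tampered["screens/overview.xml"] = b"<screen><breaker id='L4' state='CLOSED' forced='1'/></screen>"
    tampered["screens/new_popup.xml"] = b"<screen/>"
    return verify_graphics(tampered, body, tag, ENGINEERING_KEY)


if __name__ == "__main__":
    print(demo())
```

Two failure modes are worth separating when this runs: a report of modified or unexpected files means the displays changed under a manifest that is still genuine, while `manifest_ok` being false means the manifest itself was replaced, which on its own is a sign that something on the host is rewriting files it should not be able to.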

  3. milkshake says:

    The obvious retaliation for the Crimean power cut, by someone who knew what he was doing. The linked article mentions the power grid operators switching to manual controls, managing complete power restoration within 4-6 hours.

    I presume the infrastructure in Ukraine dates mostly from Soviet Union days; a more sophisticated/automated power grid in the US would be more difficult to restore as quickly. Also, if the attackers were to use a SCADA-modifying attack to overload and physically damage the key parts of the grid – the substations, for example – the repairs could take many weeks.

  4. scribe says:

    You’re not mentioning how, before the warfare on Ukraine’s eastern border, every year or two the Russians would pick a fight over gas transit fees for Siberian gas traversing Ukraine on its way to heat Western European homes. That fight, it seemed, inevitably took place during the week between Christmas and New Year’s, when not much else was going on and families, the Germans especially, were all snuggled in their homes against the winter with nothing but sports and saccharine movies on the TV. That was when Putin would turn off the heat.

    I see this as just a high-tech, pushbutton execution of the same thing.

    • Rayne says:

      scribe — I didn’t get into the history of Russian-Ukraine gas disputes because I could have written a book. Simpler to assume anybody interested would just look this up.

      I also looked at this particular event as one-off — it’s out of contract, there’s been no grousing about payment/delivery in December, but there’s definitely an uptick in tensions between Russia and the west. I don’t think this event fits the same mold.

  5. bevin says:

    “… before the warfare on Ukraine’s eastern border, every year or two the Russians would pick a fight over gas transit fees for Siberian gas traversing Ukraine on its way to heat Western European homes. ”

    Pick a fight? As I recollect it these disputes arose when Ukraine set out to re-negotiate transit fees.

    The current situation, in which Ukraine has just, with IMF assistance, refused to pay a $3 billion due to Russia, is one in which it would be completely irrational for Russia (Putin as you put it) to engage in any illegality.

    What is not in question is that Ukraine is in a state close to anarchy in which the state either cannot or will not control the crimes of various fascist militias and ‘jihadi’ groups.

  6. scribe says:

    There for a few years, every winter between Christmas and New Year’s, the Russians and Ukrainians would get into a pissing contest and the Russians would turn off the gas. There would be an elaborate game of “who shot John”, a lot of blame flung around, hue and cry everywhere cold, all followed by a renegotiation of the tariff and the gas would come back on.

    • Rayne says:

      scribe — if you mean this outage fits the pre-Christmas mold, sure, I’ll give you that. But when would a power outage — or natural gas throttling — hurt the population in Ukraine or EU the most? Hello, Christmas, insert hack.

  7. TBob says:

    Now I’m not a nuclear scientist, but considering the recent hacking activity, this looks bad:
    Zero Hedge-“…Two days ago we reported of the odd coincidence of a 2nd emergency shutdown at Ukraine’s Zaporozhye Nuclear reactor – Europe’s largest nuclear power plant…”.

    I recall reading a related piece at Club Orlov ( http://cluborlov.blogspot.com/2015/12/on-19th-day-of-christmas.html#more ) concerning the possible fate of all power reactors in the Ukraine this winter.

    Holy 19 smoking Fukushimas, Creped Crusader!

    • Rayne says:

      TBob — Sure looks like I need to do a timeline of events with a map, to see if this is a rolling tit-for-tat asymmetric war inside Ukraine. A hybridized nuclear war, played like Hot-Potato-Nuclear-Plant-Russian-Roulette. This is definitely not the usual pipeline extortion.
