Cyber attackers shut off power in Ukraine again, warning goes out to all countries

Crews fight fire at a heat and power plant in Kyiv, Ukraine, after a Russian missile attack on October 10, 2022. Image: State Emergency Service of Ukraine

BY KERRY TOMLINSON, AMPERE NEWS

Cyber attackers from the Russian military hacking group Sandworm used a new technique to shut off electricity in a city in Ukraine on October 10, 2022, according to a new report by security company Mandiant, now owned by Google.

This short power shutoff has not been reported previously. There are now three confirmed incidents of electricity outages caused by Russian hackers in Ukraine, including one in 2015 and one in 2016, showing that cyber attackers can do more than just digital damage.

"This is one of a very few cyber-physical attacks that successfully caused a real-world impact," said Chris Sistrunk, technical leader at Mandiant, Google Cloud.

New Firepower

The new attack shows that the Russian government-sponsored hacking teams are developing new capabilities that they can use on many different power systems in many countries, the Mandiant report said.

That means people running electric utilities everywhere should prepare, Sistrunk advised.

"Sandworm is notorious for attacking or attempting to attack U.S. infrastructure," he said in an interview with Ampere News. "All of us in the world need to keep watch of what they're doing and expect them to come back."

Sandworm stepped up its attacks on Ukraine as part of the full-scale Russian invasion starting February 24, 2022. Russian hackers attempted to cut off power to Ukrainian substations on April 8, 2022, but did not succeed, according to Ukraine’s cybersecurity agency.

What happened?

As missiles rained down on Ukraine's critical infrastructure in October 2022, Russian attackers sent digital commands to trip circuit breakers at electrical substations, leading to the power outage, the report said.

Just like in your home, if the breaker trips, the system believes there is an overload and shuts down.

Russian hackers successfully cut power at a number of substations for about 90 minutes to two hours, though the report does not say how many substations, nor which utility and city were affected.

"The event did not last very long," Sistrunk said. "But that's the good news. The bad news is you still have the rockets and bombs that really impacted the substation equipment that could not be restored right away."

How did it happen?

Analysts believe the hackers got in through the office [IT] network, then jumped over to the more serious operational technology [OT] network that runs the equipment that controls power. The attackers snuck into the OT side through software called a hypervisor.

Once inside the OT network, the hackers used a file called an ISO file to send commands to turn off the breakers and shut off power at substations. ISO stands for 'identical storage image of optical media' and is a copy of a disk like a CD-ROM or a DVD.

The utility's control system was set up so that CD-ROMs could run without any sort of authentication, which means that a cyber attacker, once inside the system, did not need a password to send commands to the substations. An attacker who mounted an ISO file, which the system treats like an inserted CD-ROM, could therefore send malicious commands.

In the past, Russian cyber attackers used industrial malware to try to cause outages. This time, they used a combination of new techniques and existing software features instead.

"From a technical perspective, it was an interesting and complicated attack method," Sistrunk explained. "This new approach gives Sandworm the flexibility and opportunity to react in ways that they previously couldn't when using sophisticated ICS [industrial control systems] malware."

More destruction

Soon after, on October 12, the military hackers tried to erase the evidence and destroy computer systems with malware known as CADDYWIPER.

CADDYWIPER is a wiper program that is designed to not only erase data but also cause maximum damage and make the computer unusable.

However, analysts say that the wiper only hit computers on the office side, not the operational side, so some evidence of the attack was preserved.

What does it mean?

The cyberattack was likely meant to demoralize Ukrainians, Sistrunk said, but appears to have been unsuccessful in that area.

"I don't think it had their intended effect. Ukraine still has a lot of morale and were able to respond to this incident and get the power restored. And they are expecting more of these attacks to happen in the future," he said.

But it does show that Russia is developing new techniques to try to take over and damage industrial systems like power plants and other critical infrastructure.

"This attack represents the latest evolution in Russia’s cyber physical attack capability, which has been increasingly visible since Russia’s invasion of Ukraine," the report said. "This indicates that the threat actor is likely capable of quickly developing similar capabilities against other OT systems from different original equipment manufacturers (OEMs) leveraged across the world."

"Given Sandworm’s global threat activity and novel OT capabilities, we urge OT asset owners to take action to mitigate this threat," the report continued.

What should utilities do?

Sistrunk recommends these tactics to protect from this kind of attack:

  • Segment OT networks from IT networks.

  • Require multi-factor authentication for administrative access.

  • Limit, control, and monitor remote administrative access.

  • Harden OT systems (especially Windows, Linux, and network devices).

  • Disable unnecessary or unused features. If ISOs aren’t used, then disable that capability.

  • Work with OT Vendors on the hardening strategy.

  • Have IT and OT security logging and monitoring capability that incorporates threat actors' TTPs from this and other similar incidents.

  • Detect intrusions in the IT systems long before they impact OT.

  • Have good backups (and test that the backup restorations work).

  • Have an OT incident response plan and practice using it with tabletop exercises, including manual restoration procedures.
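One way to turn the logging and early-detection recommendations above into something concrete, as an added example that is not from the Mandiant report or Ampere News: a small Python correlation over constructed host logs that flags an OT host where an ISO image is mounted and then, shortly afterwards, connects into the substation control network, the sequence the article describes. The log schema, host names, the 10.10.5.0/24 control LAN and the 15-minute window are assumptions for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events; the schema (time host zone event key=value) is an
# assumption for illustration, not any real product's log format.
SAMPLE_LOG = """\
2022-10-10T09:15:00 it-ws-07 IT iso_mount image=D:\\installers\\office.iso
2022-10-10T09:20:00 it-ws-07 IT net_connect dst=10.1.0.5:443
2022-10-10T14:01:00 ot-hmi-01 OT iso_mount image=C:\\tmp\\update.iso
2022-10-10T14:03:30 ot-hmi-01 OT net_connect dst=10.10.5.21:2404
2022-10-10T14:04:10 ot-hmi-01 OT net_connect dst=10.10.5.22:2404
2022-10-10T16:30:00 ot-eng-02 OT net_connect dst=10.10.5.21:2404
"""

# Assumed: the substation control LAN and the window that ties an ISO mount to
# later connections. In practice both come from the site's asset inventory.
CONTROL_NET = ipaddress.ip_network("10.10.5.0/24")
WINDOW = timedelta(minutes=15)


def parse(log: str) -> list[dict]:
    """Turn each log line into a dict with a parsed timestamp and key=value fields."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, zone, kind, *kv = line.split()
        ev = {"time": datetime.fromisoformat(ts), "host": host, "zone": zone, "kind": kind}
        ev.update(pair.split("=", 1) for pair in kv)
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def iso_then_control_traffic(events: list[dict]) -> list[str]:
    """Flag OT hosts where an ISO mount is followed, within WINDOW, by a connection
    into the control network. IT-zone mounts are ignored: installing from an ISO is
    routine on office machines, but on an OT host it is the pattern in the article."""
    last_mount = {}
    alerts = []
    for ev in events:
        if ev["zone"] != "OT":
            continue
        if ev["kind"] == "iso_mount":
            last_mount[ev["host"]] = ev
        elif ev["kind"] == "net_connect" and ev["host"] in last_mount:
            ip = ipaddress.ip_address(ev["dst"].rsplit(":", 1)[0])
            mount = last_mount[ev["host"]]
            if ip in CONTROL_NET and ev["time"] - mount["time"] <= WINDOW:
                alerts.append(f"{ev['host']}: {mount['image']} mounted at "
                              f"{mount['time']:%H:%M}, then {ev['dst']} at {ev['time']:%H:%M}")
    return alerts


if __name__ == "__main__":
    for alert in iso_then_control_traffic(parse(SAMPLE_LOG)):
        print(alert)
```

The ot-eng-02 connection is not flagged because no ISO mount preceded it; a real deployment would pair this rule with the "disable ISO mounting where unused" hardening step so that any OT mount is itself an alert.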
