Cybersecurity Follow-up Discussion: Cyber-Attack Against Ukrainian Critical Infrastructure
ICS-CERT Alert (IR-ALERT-H-16-056-01)
This week, we thought that our readers might be interested in looking closer at the critical infrastructure attack against the Ukrainian Power Distribution Facilities Oblenergos, and hearing more information on how such attacks can be mitigated.
While there were other facilities that were intruded upon but did not suffer any damage or loss of service, the Oblenergos facilities did have outages affecting about 225,000 customers and suffered physical damage to their switchgear and Industrial Control Systems (ICS).
Initial access was gained through Microsoft Office documents delivered as malicious email attachments, which installed a Remote Access Trojan (RAT) on the first infected machines. Some machine/network credentials may have been obtained using the BlackEnergy malware; however, none of the other BlackEnergy exploits appear to have been used in the attack, so this part of the attack reconstruction is unsubstantiated and remains speculation.
Once the RAT was installed, undetected reconnaissance was carried out over a period of time to understand the control systems and the ICS environment, and to build an inventory of equipment that could be exploited quickly and simultaneously. Additionally, plans appear to have been developed to cause physical damage that would inhibit restoration and repair efforts following the attack.
The attack used KillDisk to destroy the master boot records of the HMIs, and separate software to overwrite the BIOS of the Serial-to-Ethernet appliances, after scheduling several disconnects of the Uninterruptible Power Supplies (UPS) through their management interface.
The attacks on the three facilities occurred within 30 minutes of each other and required several actors working in parallel to coordinate the attack and manipulate the RATs, operating systems, and Industrial Control Systems simultaneously for the attack to succeed.
There are several takeaways from the analyses of these attacks, and they are reiterated in the US-CERT Alert (see the link below) under the “Mitigation” section.
1) Procure genuine software and license it properly.
2) Update the software and hardware to current security patch levels of the products.
3) Use Authorization and Authentication to know who is logged on and connected to any network.
4) As security requirements change, make sure to change or augment technology as required to maintain your minimum security profiles.
5) Create a security profile using available tools (e.g., the ICS-CERT CSET tool) and, once a Gap Analysis has established your security profile needs, create a formal Risk Assessment and an operational Mitigation Strategy.
6) Whitelisting may assist in creating a higher security level for the enterprise and systems.
7) Do not connect Industrial Control System components directly to the Internet.
8) Segregate business and control system networks and pass data through a proxy or properly designed gateway.
9) Do not use vendor “backdoors” or maintain modems for their use.
10) Initiate the use of modern common security technologies including, but not limited to, firewalls, portals for public-facing services, and best practices for wireless access services.
11) Immediately initiate a formal cybersecurity investigation upon the discovery of anything that may be considered anomalous within the ICS.
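As an added illustration of items 7, 8 and 11 above (this is example code written for this discussion, not InduSoft's software and not part of the ICS-CERT alert), the following Python script audits connection records against a zone policy: ICS components must never talk to the Internet directly, and business and control networks may only exchange data through a designated gateway host. The zone address ranges, the gateway address and the flow records are constructed sample values; a real deployment would feed it firewall or NetFlow exports and treat every finding as a trigger for a formal investigation.

```python
"""Network zone-policy audit for ICS flow records.

Added example, not code from InduSoft or from the ICS-CERT alert. Zone
layout, gateway address and flow records are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Hypothetical site layout (assumption for this example).
ZONES: Dict[str, list] = {
    "business": [ip_network("10.10.0.0/16")],
    "control": [ip_network("192.168.50.0/24")],   # HMIs, PLC gateways, UPS management
    "gateway": [ip_network("10.20.0.0/28")],      # DMZ holding the proxy / data gateway
}
# Only these hosts may bridge business and control traffic (assumed address).
GATEWAY_HOSTS = {ip_address("10.20.0.5")}


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt, as exported by a firewall or NetFlow collector."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr: str) -> str:
    """Map an address to a zone; anything outside the defined ranges counts as Internet."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "internet"


def check_flow(flow: Flow) -> Optional[str]:
    """Return a finding if the flow violates the zone policy, otherwise None."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    zones = {src_zone, dst_zone}
    where = f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}"

    # Item 7: no direct Internet connectivity to or from the control network.
    if "control" in zones and "internet" in zones:
        return f"ICS component exposed to Internet: {where}"

    # Item 8: business <-> control traffic must pass through the gateway, never directly.
    if zones == {"business", "control"}:
        return f"business/control traffic bypassed gateway: {where}"

    # Only the approved gateway host may enter the control zone from the DMZ;
    # any other machine in that range is treated as a policy violation.
    if src_zone == "gateway" and dst_zone == "control" and ip_address(flow.src) not in GATEWAY_HOSTS:
        return f"non-approved DMZ host reached control network: {where}"

    return None


def audit(flows: List[Flow]) -> List[str]:
    """Run every flow through the policy; each finding warrants investigation (item 11)."""
    findings = []
    for flow in flows:
        finding = check_flow(flow)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records, not captures from any real site.
SAMPLE_FLOWS = [
    Flow("10.10.4.22", "192.168.50.10", 502),     # business PC straight to a PLC gateway (Modbus)
    Flow("10.20.0.5", "192.168.50.10", 502),      # approved gateway to the same device: allowed
    Flow("192.168.50.12", "203.0.113.7", 443),    # HMI calling out to the Internet
    Flow("10.10.4.22", "10.20.0.5", 8443),        # business PC to the gateway front end: allowed
    Flow("198.51.100.9", "192.168.50.10", 23),    # Internet host reaching a control device
    Flow("10.20.0.9", "192.168.50.20", 22),       # unapproved DMZ box into the control zone
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print("FINDING:", line)
```

The policy is deliberately default-deny for the business/control boundary: the script does not try to enumerate permitted protocols, it only asks whether a flow crossed a zone boundary it should not have. Running it against the sample records produces four findings and leaves the two gateway-mediated flows alone.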
This attack likely had a political motivation; what is certain, however, is that an insider agent or insider knowledge was used in initiating or aiding the attack. Security procedures should be reviewed.
InduSoft recommends building your control systems with all of these points as design goals. Additionally, we have published two free eBooks (any donations for them go to the Eastern New Mexico University Foundation), available on Smashwords.com at http://www.smashwords.com/books/view/509999 and http://www.smashwords.com/books/view/510004. Both books provide design guidance and explain the use of the cybersecurity evaluation tools needed to make your projects successful. Additionally, the latter eBook, Framework for Cybersecurity, is a class textbook used by ENMU for a Cybersecurity Certificate course taught by Professor Stephen Miller.
The entire alert (IR-ALERT-H-16-056-01) published by ICS-CERT is available and can be freely viewed by the public.