Ukraine's power station hack is a stark warning to the rest of the world

A power outage in the Ukraine before Christmas was part of a widespread and coordinated series of cyber attacks, researchers revealed this week. Now experts say that the incident should act as a stark warning to countries around the world to protect their critical infrastructure.

The attack on the Pivnichna substation on the outskirts of the capital Kiev happened just before midnight on Dec. 17 and lasted for just over an hour before power was restored. The attack happened almost exactly 12 months after a similar attack in Ukraine saw 225,000 people left without power for up to six hours.

That incident, on Dec. 23 2015 ,was the first known hack to take a power grid offline, but the latest assault shows just how vulnerable critical national infrastructure — like power grids, communications and emergency network — are to cyber attacks.

“Western critical infrastructure organisations need to move to aggressively protect operational systems that control the flow of power, water, energy from cyber attacks,” Andrea Carcano, Founder of Nozomi Networks, told VICE News.

Roman Sologub, general manager of Information Systems Security Partners (ISSP), the Ukrainian security company conducting an investigation of the attack for state-run national energy company UkrEnergo, told VICE News he could not reveal specifics of the attack due to client confidentiality.

However at the S4 Cyber Security conference in Florida last week, Oleksii Yasnskiy, who heads up ISSP, did confirm the latest attack was the result of a cyber attack and that it was linked to the attack in 2015. “The attacks in 2016 and 2015 were not much different – the only distinction was that the attacks of 2016 became more complex and were much better organised.”

In 2015, the hackers were able to infiltrate the systems of companies responsible for distributing electricity throughout Ukraine by sending highly-tailored emails to employees with a malicious Word document attached. A similar method was used in the most recent case.

“The attackers gained remote access to the computer network of the power grid through malware,” Robert Lipovsky, senior malware researcher at ESET, told VICE News. “Once inside, they needed to familiarize themselves with the network, and gain access to the workstations controlling the electrical substations.”

The attackers could have caused a lot more damage researchers say, but instead this was “more like a demonstration of capabilities.” according to Marina Krotofil, a Ukrainian researcher for Honeywell Industrial Cyber Security Lab who is assisting with the investigation.

The assault on the power grid was just one of a series of coordinated attacks on Ukrainian government facilities following a mass phishing campaign conducted in July of last year. Having gained access to multiple systems, the hackers sat silently on the networks for months, conducting research, gathering information and compromising credentials. Then last month the hackers finally carried out attacks on several targets, including the Ministry of Finance, the State Treasury and the Pension Fund.

The researchers have not named who they believe was behind the attack, but many have pointed to Russia as a possible culprit. The attack in 2015 was linked to the Russian government, while Ukraine has said that it was the victim of thousands of cyberattacks coming from Russia in the final months of 2016.

A hacker’s playground

The researchers say Ukraine “has turned into a training playground for research and development of novel attack techniques,” and warn that countries around the world should be worried the hackers were improving their ability to counter the defensive capabilities of these systems.

“Ukraine uses equipment and security protections of the same vendors as everybody else around the world,” Krotofil told Motherboard. “If the attackers learn how to go around those tools and appliances in Ukrainian infrastructures, they can then directly go to the West.”

Carcano says the suggestion that hackers are using Ukraine as a testbed is “highly likely,” but whether or not the outages last month were tests ahead of bigger attacks, it appears clear that hackers are focusing more of their attention on the industrial control systems which are increasingly used around the world to control the more critical parts of infrastructure.

A month after the first attack on Ukraine’s power grid, unknown hackers attempted to compromise the systems of Israel’s Electricity Authority. In March, NSA Director Michael Rogers said it was a matter of “when not if” state-sponsored hackers would infiltrate U.S. critical infrastructure.

Such attacks are not just one-way of course. According to reports ahead of last year’s presidential election, U.S. agencies had penetrated Russian electrical grids so that they would be ready to retaliate for any Russian interference on election day — something which didn’t materialize.

Alex Mathews, lead security evangelist at Positive Technologies says that the only way to combat such attacks is for organizations and countries to help each other. “There is a real need for critical infrastructure owners, hardware vendors, information security experts and government officials to all work together to create industry security programs that will keep everyone safe, firmly slamming the door in the hackers face.”