Ukrainian investigators have confirmed that last month’s power outage in the country was the result of a cyberattack by the same group that struck in December 2015, claiming they may be practising for major attacks elsewhere.
The attack last month was smaller in scale than the 2015 blitz, which left around 230,000 people without power. It occurred at the Pivnichna substation outside the capital Kiev, sources told Motherboard.
They claimed the same attackers are responsible for other cyber campaigns launched at the same time against the country’s rail provider and Ministry of Finance.
The hackers also used some of the same tactics in both power station attacks, overwriting the firmware on remote terminal units (RTUs), thereby causing them to malfunction and forcing engineers to physically restore power, the report claimed.
It’s not known what malware was employed in this latest attack, although the group is said to have used expertly crafted spearphishing emails to access key systems in this and the related attacks.
Marina Krotofil, a researcher at Honeywell Industrial Cyber Security Lab, who helped with the investigation, told the website that the attack was not meant to have a lasting impact on infrastructure.
“They could do many more things, but obviously they didn’t have this as an intent. It was more like a demonstration of capabilities,” she’s reported as saying.
“Ukraine uses equipment and security protections of the same vendors as everybody else around the world. If the attackers learn how to go around those tools and appliances in Ukrainian infrastructures, they can then directly go to the West.”
While the researchers have yet to attribute the attacks to a particular party, Ukrainian intelligence blamed the 2015 outage on the Kremlin, which would make sense given the ongoing conflict between the two countries, and Russia’s significant muscle in this area.
Researchers at iSight Partners claimed early last year that Russian hacking group Sandworm team was responsible for the 2015 outage, armed with BlackEnergy destructive malware.
Experts agreed with the theory that Ukraine is being used as a testbed for attacks on other countries.
“This illustrates that there are adversaries, with both intent and ability, to launch attacks and cause damage to the critical infrastructure of every country around the globe, and this threat must not be ignored,” argued Nozomi Networks founder Andrea Carcano.
“Cyber resiliency through defence in-depth measures is needed, and that includes network segmentation, firewalls and visibility solutions. All protectors must re-examine their ICS cybersecurity programs carefully and arm themselves with technology that will enable them to detect and respond to attacks, in real time, if they’re to keep the attackers out and the power on.”