TLP: White

Analysis of the Cyber Attack on the Ukrainian Power Grid
Defense Use Case
March 18, 2016


Table of Contents
Preface ........ iii
Summary of Incidents ........ iv
Attacker Tactics, Techniques, and Procedures Description ........ 1
ICS Cyber Kill Chain Mapping ........ 4
Defense Lessons Learned: Passive and Active Defenses ........ 11
Recommendations ........ 18
Implications and Conclusion ........ 20
Appendix: Information Evaluation ........ 22

E-ISAC | Analysis of the Cyber Attack on the Ukrainian Power Grid | March 18, 2016

Preface

Analysis of the Cyber Attack on the Ukrainian Power Grid


This is an analysis by a joint team to provide a lessons learned community resource from the cyber attack on the Ukrainian power grid. The document is being released as Traffic Light Protocol: White (TLP: White) and may be distributed without restriction, subject to copyright controls. This document, the Defense Use Case (DUC), summarizes important learning points and presents several mitigation ideas based on publicly available information on ICS incidents in Ukraine. The E-ISAC and SANS are providing a summary of the available information compiled from multiple publicly available sources, as well as analysis performed by the SANS team in relation to this event.[1] This document provides specific mitigation concepts for power system Supervisory Control and Data Acquisition (SCADA) defense, as well as a general learning opportunity for ICS defenders.

Authors, working with the E-ISAC:
Robert M. Lee, SANS
Michael J. Assante, SANS
Tim Conway, SANS

[1] The SANS investigation into this incident should not be confused with the U.S. interagency team investigation or any other organization's or company's efforts, to include the E-ISAC's past reporting. The SANS ICS team has been analyzing the data on their own since December 25, 2015, and has provided its analysis to the wider community. This document is provided to the E-ISAC and the North American electricity sector to benefit its members and the larger critical infrastructure community.


Summary of Incidents

On December 23, 2015, the Ukrainian Kyivoblenergo, a regional electricity distribution company, reported service outages to customers. The outages were due to a third party's illegal entry into the company's computer and SCADA systems: starting at approximately 3:35 p.m. local time, seven 110 kV and 23 35 kV substations were disconnected for three hours. Later statements indicated that the cyber attack impacted additional portions of the distribution grid and forced operators to switch to manual mode.[2, 3] The event was elaborated on by the Ukrainian news media, who conducted interviews and determined that a foreign attacker remotely controlled the SCADA distribution management system.[4] The outages were originally thought to have affected approximately 80,000 customers, based on the Kyivoblenergo's update to customers. However, it was later revealed that three different distribution oblenergos (a term used to describe an energy company) were attacked, resulting in several outages that caused approximately 225,000 customers to lose power across various areas.[5, 6]

Shortly after the attack, Ukrainian government officials claimed the outages were caused by a cyber attack, and that Russian security services were responsible for the incidents.[7] Following these claims, investigators in Ukraine, as well as private companies and the U.S. government, performed analysis and offered assistance to determine the root cause of the outage.[8] Both the E-ISAC and the SANS ICS team have been involved in various efforts and analyses in relation to this case since December 25, 2015, working with trusted members and organizations in the community.[9]

This joint report consolidates the open source information, clarifying important details surrounding the attack, offering lessons learned, and recommending approaches to help the ICS community repel similar attacks. This report does not focus on attribution of the attack.

[2] https://ics.sans.org/blog/2016/01/09/confirmationofacoordinatedattackontheukrainianpowergrid
[3] http://news.finance.ua/ua/news//366136/hakeryatakuvalyprykarpattyaoblenergoznestrumyvshypolovynuregionuna6godyn
[4] http://ru.tsn.ua/ukrayina/izzahakerskoyatakiobestochilopolovinuivanofrankovskoyoblasti550406.html
[5] http://www.oe.if.ua/showarticle.php?id=3413
[6] https://icscert.uscert.gov/alerts/IRALERTH1605601
[7] http://www.ukrinform.net/rubriccrime/1937899russianhackersplanenergysubversioninukraine.html
[8] https://www.rbc.ua/rus/news/pravitelstvasshaukrainyrassmotryatotchet1454113214.html


Summary of Information and Reporting

Background
On December 24, 2015, TSN (a Ukrainian news outlet) released the report "Due to a Hacker Attack, Half of the Ivano-Frankivsk Region is De-Energized."[10] Numerous reporting agencies and independent bloggers, from the Washington Post, SANS Institute, New York Times, ARS Technica, BBC, Wired, CNN, Fox News, and the E-ISAC Report, have followed up on the initial TSN report.[11] These subsequent reports have collectively provided details of a cyber attack that targeted the Ukrainian electric system. The U.S. Department of Homeland Security (DHS) issued a formal report on February 25, 2016, titled IR-ALERT-H-16-056-01.[12] Based on the DHS report, three Ukrainian oblenergos experienced coordinated cyber attacks that were executed within 30 minutes of each other. The attack impacted 225,000 customers and required the oblenergos to move to manual operations in response to the attack.

The oblenergos were reportedly able to restore service quickly after an outage window lasting several hours.[13] The DHS report states that, while electrical service was restored, the impacted oblenergos continue to operate their distribution systems in an operationally constrained mode. Within the Ukrainian electrical system, these attacks were directed at the regional distribution level, as shown in Figure 1.

Figure 1: Electric System Overview

[10] http://ru.tsn.ua/ukrayina/izzahakerskoyatakiobestochilopolovinuivanofrankovskoyoblasti550406.html
[11] E-ISAC: Mitigating Adversarial Manipulation of Industrial Control Systems as Evidenced by Recent International Events, February 9, 2016 (TLP: RED)
[12] https://icscert.uscert.gov/alerts/IRALERTH1605601
[13] https://www.washingtonpost.com/world/nationalsecurity/russianhackerssuspectedinattackthatblackedoutpartsofukraine/2016/01/05/4056a4dcb3de11e5a8420feb51d1d124_story.html


See the Appendix for an evaluation of the credibility and amount of technical information that is publicly available.

Keeping Perspective
The cyber attacks in Ukraine are the first publicly acknowledged incidents to result in power outages. As future attacks may occur, it is important to scope the impacts of the incident. Power outages should be measured in scale (number of customers and amount of electricity infrastructure involved) and in duration to full restoration. The Ukrainian incidents affected up to 225,000 customers in three different distribution-level service territories and lasted for several hours. These incidents should be rated on a macro scale as low in terms of power system impacts, as the outage affected a very small number of overall power consumers in Ukraine and the duration was limited. In contrast, it is likely that the impacted companies rate these incidents as high or critical to the reliability of their systems and business operations.


Attacker Tactics, Techniques, and Procedures Description

Direct attribution is unnecessary to learn from this attack and to consider mitigation strategies; it is only necessary to use the mental model of how the cyber actor works to understand the capabilities and general profile against which one is defending. The motive and sophistication of this power grid attack is consistent with a highly structured and resourced actor. This actor was co-adaptive and demonstrated varying tactics and techniques to match the defenses and environment of the three impacted targets. The mitigation section of this document provides mitigation concepts related to the attack and how to develop a more lasting mitigation strategy by anticipating future attacks.

Capability
The attackers demonstrated a variety of capabilities, including spear phishing emails, variants of the BlackEnergy 3 malware, and the manipulation of Microsoft Office documents that contained the malware to gain a foothold into the Information Technology (IT) networks of the electricity companies.[14] They demonstrated the capability to gain a foothold and harvest credentials and information to gain access to the ICS network. Additionally, the attackers showed expertise not only in network-connected infrastructure, such as Uninterruptable Power Supplies (UPSs), but also in operating the ICSs through supervisory control systems, such as the Human Machine Interface (HMI), as shown in Figure 2.

Figure 2: Control & Operate: SCADA Hijacking Techniques

Finally, the adversaries demonstrated the capability and willingness to target field devices at substations, write custom malicious firmware, and render the devices, such as serial-to-ethernet convertors, inoperable and unrecoverable.[15] In one case, the attackers also used telephone systems to generate thousands of calls to the energy company's call center to deny access to customers reporting outages. However, the strongest capability of the attackers was not in their choice of tools or in their expertise, but in their capability to perform the long-term reconnaissance operations required to learn the environment and execute a highly synchronized, multistage, multisite attack.

[14] For a discussion around the history of the BlackEnergy 3 malware and the Sandworm team, see the SANS ICS webcast with iSight here: https://www.sans.org/webcasts/analysissandwormteamukraine101597

The following is a consolidated list of the technical components used by the attackers, graphically depicted in Figure 3:
• Spear phishing to gain access to the business networks of the oblenergos
• Identification of BlackEnergy 3 at each of the impacted oblenergos
• Theft of credentials from the business networks
• The use of virtual private networks (VPNs) to enter the ICS network
• The use of existing remote access tools within the environment, or issuing commands directly from a remote station similar to an operator HMI
• Serial-to-ethernet communications devices impacted at a firmware level[16]
• The use of a modified KillDisk to erase the master boot record of impacted organization systems, as well as the targeted deletion of some logs[17]
• Utilizing UPS systems to impact connected load with a scheduled service outage
• Telephone denial-of-service attack on the call center

Figure 3: Ukraine Attack Consolidated Technical Components

At various points in the public reporting on the attack, organizations have indicated that BlackEnergy 3 and KillDisk itself could be directly responsible for the outage. One of the items specifically highlighted to support this theory was that KillDisk deleted a process on Windows systems linked to serial-to-ethernet communications.[18] Regardless of the impact on the SCADA network environment, neither BlackEnergy 3 nor KillDisk contained the required components to cause the outage. The outages were caused by the use of the control systems and their software through direct interaction by the adversary. All other tools and technology, such as BlackEnergy 3 and KillDisk, were used to enable the attack or delay restoration efforts.

[15] http://mpe.kmu.gov.ua/minugol/control/uk/publish/article;jsessionid=CE1C739AA046FF6BA00FE8E8A4D857F3.app1?art_id=245086886&cat_id=35109
[16] To learn about serial-to-ethernet converters and the types of vulnerabilities that exist in them, see Digital Bond's Basecamp report here: http://www.digitalbond.com/blog/2015/10/30/basecampforserialconverters/
[17] http://www.symantec.com/connect/blogs/destructivedisakilmalwarelinkedukrainepoweroutagesalsousedagainstmediaorganizations

Opportunities
Multiple opportunities existed for the adversary to execute its attack. External to the oblenergos and prior to the attack, there was a variety of open source information available, including a detailed list of types of infrastructure, such as Remote Terminal Unit (RTU) vendors and versions, posted online by ICS vendors.[19] The VPNs into the ICS from the business network appear to lack two-factor authentication. Additionally, the firewall allowed the adversary to remote admin out of the environment by utilizing a remote access capability native to the systems. In addition, based on media reporting, there did not appear to be any resident capability to continually monitor the ICS network and search for abnormalities and threats through active defense measures, like network security monitoring. These vulnerabilities would have provided the adversary the opportunity to persist within the environment for six months or more to conduct reconnaissance on the environment and subsequently execute the attack.[20]

Based on the details provided in the DHS report, the adversary used a consistent attack approach on all three impacted targets. The adversary also used consistent tactics to impact field-controllable elements and irreparably damage field devices.

Why these oblenergos were targeted remains an open debate. Based on the public reporting, it is unknown if the targets were selected based on common technologies in use, system architectures, reconnaissance operations, or service territories. Opportunity-based considerations for selecting a specific target may focus on an attacker's confidence and ability to cause an ICS effect. Some example decision factors could include:
• Targets with common systems and configurations
• Multiple systems with common centralized control points
• ICS impact duration estimates (e.g., long term or short term)
• Existing capabilities required to achieve desired results
• Risk level of performing the operation and being discovered
• Achieved access and ability to move and act within the environment

[18] http://www.eset.com/int/about/press/articles/malware/article/esetfindsconnectionbetweencyberespionageandelectricityoutageinukraine/
[19] http://galcomcomp.com/index.php/ru/nashiproekty/15proekt3materialru
[20] http://mobile.reuters.com/article/idUSKCN0VL18E

ICS Cyber Kill Chain Mapping

The ICS Cyber Kill Chain was published by SANS in 2015 by Michael Assante and Robert M. Lee as an adaptation of the traditional cyber kill chain developed by Lockheed Martin analysts, as it applies to ICSs.[21] The ICS Cyber Kill Chain details the steps an adversary must follow to perform a high-confidence attack on the ICS process and/or cause physical damage to equipment in a predictable and controllable way, as displayed in Figure 4.

Figure 4: The ICS Cyber Kill Chain with Stage 1 Highlighted

The attack on the Ukrainian power grid followed the ICS Cyber Kill Chain completely throughout Stage 1 and Stage 2. The attack gained access to each level of the ICS, as shown in Figure 5, with the ICS Cyber Kill Chain plotted alongside a segmentation/hierarchy model (e.g., modified Purdue Model). Completing Stage 1 entails a successful cyber intrusion or breach into an ICS system, but is not characterized as an ICS attack. Completion of Stage 2 completed the ICS Kill Chain, resulting in a successful cyber attack that led to an impact on the operations of the ICS. The next section includes a discussion of the two stages using currently available information from the attack.

[21] https://www.sans.org/readingroom/whitepapers/ICS/industrialcontrolsystemcyberkillchain36297

Figure 5: Ukraine Cyber Attack ICS Cyber Kill Chain and Purdue Model Mapping[22]

ICS Cyber Kill Chain Mapping: Stage 1

The first step in Stage 1 is Reconnaissance. There were no reports of observed reconnaissance having taken place prior to targeting the energy companies. However, an analysis of the three impacted organizations shows they were particularly interesting targets due to the levels of automation in their distribution systems, enabling the remote opening of breakers in a number of substations. Additionally, the targeting and final attack plan for the electricity companies in general were highly coordinated, which indicates that reconnaissance took place at some point. This was very unlikely to have been an opportunistic attack.

The second step is Weaponization and/or Targeting. Targeting would normally take place when no weaponization is needed, such as directly accessing internet-connected devices. In this attack, it does not appear that targeting of specific infrastructure was necessary to gain access. Instead, the adversaries weaponized Microsoft Office documents (Excel and Word) by embedding BlackEnergy 3 within the documents.[23] Samples of Excel and other Office documents have been recovered from the broader access campaign that targeted a multitude of organizations in Ukraine, including Office documents used in the specific attack against the three electricity companies.[24, 25]

During the cyber intrusion stage of Delivery, Exploit, and Install, the malicious Office documents were delivered via email to individuals in the administrative or IT network of the electricity companies. When these documents were opened, a popup was displayed to users to encourage them to enable the macros in the document, as shown in Figure 6.[26] Enabling the macros allowed the malware to Exploit Office macro functionality to install BlackEnergy 3 on the victim system; this was not an exploit of a vulnerability through exploit code. There was no observed exploit code in this incident. The theme of using available functionality in the system was present throughout the adversary's kill chain.

[22] Note, the exact architectures of the impacted utilities are not represented in the figure. The Purdue Model is a standard way of viewing different zones of a well-constructed ICS.
[23] https://securelist.com/blog/research/73440/blackenergyaptattacksinukraineemployspearphishingwithworddocuments/
[24] https://icscert.uscert.gov/alerts/ICSALERT1428101B
[25] Those looking for Indicators of Compromise for the Word document, command and control servers, and the malware should look to E-ISAC, ICS-CERT, and iSight private reporting, as well as public reporting from Kaspersky Labs, ESET, and CYS Centrum; reference: https://cyscentrum.com/ru/news/black_energy_2_3 and https://securelist.com/blog/research/73440/blackenergyaptattacksinukraineemployspearphishingwithworddocuments/

Figure 6: A Sample of a BlackEnergy 3 Infected Microsoft Office Document[27]

Upon the Install step, the BlackEnergy 3 malware connected to command and control (C2) IP addresses to enable communication by the adversary with the malware and the infected systems. These pathways allowed the adversary to gather information from the environment and enable access. The attackers appear to have gained access more than six months prior to December 23, 2015, when the power outage occurred.[28] One of their first actions once in the network was to harvest credentials, escalate privileges, and move laterally throughout the environment (e.g., target directory service infrastructure to directly manipulate and control the authentication and authorization system). At this point, the adversary completed all actions to establish persistent access to the targets. While the initial footholds were used to harvest legitimate credentials for pivoting and systematic takeover of IT systems and remote connections, it is likely that the attackers moved quickly away from their initial footholds and vulnerable C2s in an effort to blend into the targets' systems as authorized users. With this information, the attackers would be able to identify VPN connections and avenues from the business network into the ICS network. Using native connections and commands allowed the attackers to discover the remainder of the systems and extract the data necessary to formulate a plan for Stage 2.

[26] For a detailed understanding of the infected Microsoft Office documents and the malicious payload, see Kaspersky Lab's writeup here: https://securelist.com/blog/research/73440/blackenergyaptattacksinukraineemployspearphishingwithworddocuments/
[27] https://securelist.com/blog/research/73440/blackenergyaptattacksinukraineemployspearphishingwithworddocuments/
[28] http://politicalpistachio.blogspot.com/2016/01/russianhackerstakedownpowergridin.html

Using the stolen credentials, the adversary was able to pivot into the network segments where SCADA dispatch workstations and servers existed. Upon entry into the network, the actions of the adversaries were consistent in theme but different in technical minutiae between the three impacted oblenergos. In at least one of the oblenergos, the attackers discovered a network-connected UPS and reconfigured it so that when the attacker caused a power outage, it was followed by an event that would also impact the power in the energy company's buildings or data centers/closets.

There is not sufficient information available to identify if any information was exfiltrated from the environment, but the adversary demonstrated a capability in Stage 2 that indicates internal discovery was performed. This reconnaissance would have needed to include discovering field devices such as the serial-to-ethernet devices used to interpret commands from the SCADA network to the substation control systems. Additionally, the three oblenergos used different distribution management systems (DMSs), and the attackers would have needed to perform some network reconnaissance against these systems and find specific targets to execute their highly coordinated attack.[29]

Speculation
There was not enough publicly available information to determine how diversified the adversary's attack was, to include how many different types of devices were impacted at the firmware level. However, through publicly available information about the Ukrainian networks, as well as knowledge of similar electric distribution systems, it is likely that there was a diverse hardware and software environment.

It is suspected that the administrative and ICS networks contained multiple OS versions, such as Windows XP and Windows 7, multiple types of RTUs and gateways, and various industrial switches.

ICS Cyber Kill Chain Mapping: Stage 2


In most cases, the Develop stage occurs in the adversary's networks, thereby limiting any available forensic information, but the attack that follows this stage can reveal a lot about the adversarial process. In the Attack Development and Tuning stage of Stage 2, the attackers executed the Develop step in at least two ways. First, they learned how to interact with the three distinct DMS environments using the native control present in the system and operator screens. Second, and more importantly, they developed malicious firmware for the serial-to-ethernet devices.[30]

Currently available information indicates that the malicious firmware was consistent amongst devices and uploaded within short periods of each other to multiple sites. Therefore, the malicious firmware uploads were likely developed prior to the attack for quick and predictable execution.

E-ISAC and the SANS ICS team assess with high confidence that, during the Validation stage of Stage 2, the adversary did Test their capabilities prior to their deployment. It is possible that the adversaries were able to execute this with pure luck, but it is highly unlikely and inconsistent with the professionalism observed throughout the rest of the attack. The adversaries likely had systems in their organization that they were able to evaluate and test their firmware against prior to executing on December 23rd.

[29] The three different DMS vendors were discoverable via open source searching. The names of the vendors are being withheld as it is not important to the discussion of the attack. There were no exploits leveraged against these vendors; they were simply abused with direct access.
[30] http://mpe.kmu.gov.ua/minugol/control/uk/publish/article;jsessionid=CE1C739AA046FF6BA00FE8E8A4D857F3.app1?art_id=245086886&cat_id=35109

During the ICS Attack stage, the adversaries used native software to Deliver themselves into the environment for direct interaction with the ICS components. They achieved this using existing remote administration tools on the operator workstations. The threat actors also continued to use the VPN access into the IT environment.[31]

In final preparation for the attack, the adversaries completed the Install/Modify stage by installing malicious software identified as a modified or customized KillDisk across the environment. While it is likely the attackers then ensured their modifications to the UPS were ready for the attack, there was not sufficient forensic evidence available to prove this. The last act of modification was for the adversaries to take control of the operator workstations and thereby lock the operators out of their systems. Figure 7 shows the static analysis of the KillDisk API imports following the event.

Figure 7: Static Analysis of KillDisk Identifying API Imports[32]

Finally, to complete the ICS Cyber Kill Chain and to Execute the ICS Attack, the adversaries used the HMIs in the SCADA environment to open the breakers. At least 27 substations (the total number is probably higher) were taken offline across the three energy companies, impacting roughly 225,000 customers.[33, 34] Simultaneously, the attackers uploaded the malicious firmware to the serial-to-ethernet gateway devices. This ensured that even if the operator workstations were recovered, remote commands could not be issued to bring the substations back online (we have characterized the firmware attacks against field communication devices as "blowing the bridges").

During this same period, the attackers also leveraged a remote telephonic denial of service on the energy company's call center with thousands of calls to ensure that impacted customers could not report outages. Initially, it seemed that this attack was meant to keep customers from informing the operators of how extensive the outages were; however, in review of the entirety of the evidence, it is more likely that the denial of service was executed to frustrate the customers, since they could not contact customer support or gain clarity regarding the outage. The entire attack, from March 2015 to December 23, 2015, is graphically depicted below in Figure 8.

[31] http://mpe.kmu.gov.ua/minugol/control/uk/publish/article;jsessionid=CE1C739AA046FF6BA00FE8E8A4D857F3.app1?art_id=245086886&cat_id=35109
[32] This image was provided by Jake Williams of Rendition InfoSec. It is included here to note that KillDisk would not run properly in a malware sandbox for analysis. Static analysis was required to fully investigate the malware sample.
[33] http://money.cnn.com/2016/01/18/technology/ukrainehackrussia/
[34] In analysis of the impact observed and of the available information on the Ukrainian distribution grid, it is assessed with medium confidence that the public number of disconnected substations, 27, is a low number.

Figure 8: ICS Kill Chain Mapping Chart

It is extremely important to note that neither BlackEnergy 3, unreported backdoors, KillDisk, nor the malicious firmware uploads alone were responsible for the outage. Each was simply a component of the cyber attack for the purposes of access and delay of restoration. For example, on some systems, KillDisk made the Windows systems inoperable by manipulating or deleting the master boot record, but on other systems it just deleted logs and system events.[35, 36] The actual cause of the outage was the manipulation of the ICS itself and the loss of control due to direct interactive operations by the adversary. The loss of view into the system through the wiping of the SCADA network systems simply delayed restoration efforts.

In summary, Stage 2 consisted of the following attack elements:
• Supporting attacks:
  o Scheduled disconnects for UPS systems
  o Telephonic floods against at least one oblenergo's customer support line
• Primary attack: SCADA hijack with malicious operation to open breakers
• Amplifying attacks:
  o KillDisk wiping of workstations, servers, and an HMI card inside of an RTU
  o Firmware attacks against serial-to-ethernet devices at substations

[35] https://icscert.uscert.gov/alerts/IRALERTH1605601
[36] https://ics.sans.org/blog/2016/01/01/potentialsampleofmalwarefromtheukrainiancyberattackuncovered

Defense Lessons Learned: Passive and Active Defenses

We reviewed the mitigation strategies provided through the DHS ICS-CERT Alert and considered how an adversary may alter the next attack based on the mitigation taken by a target. We support many of the mitigation recommendations provided to date. However, it is likely that the adversary will modify attack approaches in follow-on campaigns, and these mitigation strategies may not be sufficient. In the following section, we discuss mitigations for the attack that took place to extract defense lessons learned. In addition, we discuss future potential attacker methodologies and provide recommendations that could disrupt similar adversary operations. The mitigations will focus on recommendations for Architecture, Passive Defense, and Active Defense methodologies along the Sliding Scale of Cyber Security, shown in Figure 9.[37]

Figure 9: The Sliding Scale of Cyber Security

Spear Phishing

Ukraine Attack
In the attack, the adversary delivered a targeted email with a malicious attachment that appeared to come from a trusted source to specific individuals within the organizations. Initial mitigation recommendations would point to end-user awareness training and ongoing phishing testing. Efforts to prevent malware have often recommended application whitelisting, which can be effective in ICS environments if the ICS vendor approves of the use. However, based on the details of this attack, application whitelisting would have had a limited role, contained to the execution of initial dropper infections in network segments with infected workstations (e.g., users that received and activated infected spear phish emails), where application whitelisting may be more challenging to implement. It is important to note that application whitelisting would not have deterred or prevented the second stage ICS attacks that impacted the Ukrainian oblenergos. In at least one instance, the attacker used a remote rogue client and approved OS-level remote admin features for other components of the attack.

The Next Attack


The adversary may conduct follow-on attacks that pursue alternative forms of social engineering campaigns, like targeting the organization through large-scale phishing campaigns, using waterholing attacks, or conducting direct call campaigns to users or the help desk. They could also leverage technical exploits not requiring social engineering of personnel.

[37] https://www.sans.org/readingroom/whitepapers/analyst/slidingscalecybersecurity36240

Opportunities to Disrupt
The adversary will likely modify attacks to respond to increases or changes in the target's defenses. Defenders need to develop anticipatory responses to attack effects. Since the social engineering components of attacks targeted email and internet-accessible cyber assets, these assets and the networks they reside on are untrusted, contested territory. Communication with these untrusted areas should be segmented, monitored, and controlled. Operate under the assumption that the environment is accessible by the adversary, and ensure appropriate defenses are in place to protect the operations and control environment from the adversary-controlled business cyber assets (while some organizations inherently trust their business systems and networks, additional enforcement and scrutiny of these systems is necessary). Consider using sandboxing technology to evaluate documents and emails coming into the network, using proxy systems to control outbound and inbound communication paths, and limiting workstations to communicate only through the proxy devices by implementing perimeter egress access controls.
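As an added illustration of the document-screening point above, and of the macro-enabled Office documents described in the Stage 1 section, the following Python script is not from the E-ISAC/SANS report. It shows one check a mail gateway or sandbox can apply before an attachment reaches a user: an OOXML package (.docx/.xlsx/.xlsm) is a ZIP archive, and a document carrying a VBA project contains a vbaProject.bin part and declares the application/vnd.ms-office.vbaProject content type. Legacy binary (OLE) files, which need an OLE-aware parser, are routed to deeper inspection rather than passed. The part names and content types are the real OOXML ones; the quarantine/sandbox/pass policy and the in-memory sample documents are assumptions constructed for the example.

```python
import io
import zipfile

# Real OOXML markers for an embedded VBA project.
VBA_PART_SUFFIX = "vbaproject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Magic bytes of the legacy OLE2 container (.doc/.xls); those formats need
# an OLE-aware parser, so this example only flags them for deeper inspection.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def inspect_office_package(data: bytes) -> dict:
    """Inspect one attachment (bytes) and report macro-related findings."""
    findings = {"is_ooxml": False, "is_legacy_ole": data.startswith(OLE_MAGIC),
                "vba_parts": [], "macro_content_type": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return findings          # a ZIP, but not an OOXML package
            findings["is_ooxml"] = True
            findings["vba_parts"] = [n for n in names
                                     if n.lower().endswith(VBA_PART_SUFFIX)]
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["macro_content_type"] = MACRO_CONTENT_TYPE in ctypes
    except zipfile.BadZipFile:
        pass                              # not a ZIP at all (OLE, text, ...)
    return findings


def verdict(data: bytes) -> str:
    """Assumed policy for this example: quarantine macro-bearing OOXML, send
    legacy OLE files to a deeper sandbox, and pass everything else."""
    f = inspect_office_package(data)
    if f["vba_parts"] or f["macro_content_type"]:
        return "quarantine"
    if f["is_legacy_ole"]:
        return "sandbox"
    return "pass"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (constructed test data,
    not a real document from the campaign)."""
    main_ct = ("application/vnd.openxmlformats-officedocument."
               "wordprocessingml.document.main+xml")
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_macro:
        overrides += (f'<Override PartName="/word/vbaProject.bin" '
                      f'ContentType="{MACRO_CONTENT_TYPE}"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.'
                    f'openxmlformats.org/package/2006/content-types">{overrides}</Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder VBA project blob")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro-free", build_sample(False)),
                        ("macro-bearing", build_sample(True)),
                        ("legacy OLE", OLE_MAGIC + b"\x00" * 64)):
        print(f"{label:14s} -> {verdict(blob)}")
```

Because the check keys on the package structure rather than on any malware signature, it flags every macro-bearing document regardless of payload, which is the right granularity for a gateway: the business decision of who may receive macro-enabled files can then be applied per sender or per recipient group.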

Credential Theft

Ukraine Attack
In the attack, the adversary appears to have used BlackEnergy 3 to establish a foothold and utilize keystroke loggers to perform credential theft. As an initial mitigation approach, we recommend that organizations obtain the YARA rules for the latest IOCs. By using the YARA forensic tool, organizations can search for BlackEnergy 3 infections and then utilize anti-malware removal tools to eliminate the malware from the infected assets. Defenders should be mindful of the time it takes to detect an infected host, as the intruder may have already moved inside the network and secured additional methods to interact and communicate with the infected network. Organizations should change user and shared user passwords (ensure that these steps are approved by operations and the vendor, and tested for impacts to operations and existing security controls).

The Next Attack


Adversaries with persistent access will simply use a different remote access Trojan, an updated version of BlackEnergy 3, or an alternate mode of credential attacks. To detect and mitigate adversary movement throughout an environment and account manipulation, mitigation efforts should be focused on directory (e.g., Active Directory, Domain, eDirectory, and LDAP) segmentation with organizational unit trust models. This approach would allow early detection and prevent some basic attacker approaches.

Opportunities to Disrupt
Monitor user account behavior, network and system communication, and directory-level activity with a focus on identifying abnormalities. Implement alarm capabilities with different priority-level alarms based on the risk of the systems associated with the alarms. It is important to note that YARA is a forensics tool and is not a continuous monitoring solution.

Data Exfiltration

Ukraine Attack
After the attackers achieved the necessary freedom of movement and action in the IT infrastructure, they began exfiltrating the necessary information and discovering the hosts and devices to devise an attack concept to hijack the SCADA DMS to open breakers and cause a power outage. They followed this with destructive attacks against workstations, servers, and embedded devices that provide industrial communications in their distribution substations. The mitigation recommendation here is to understand where this type of information exists inside your business network and ICSs. Minimizing where the information resides and controlling access is a priority for an ICS-dependent organization.

The Next Attack


Attackers may look deeper into the ICS configuration and settings or controller and protection/safety logic. Maintain a vaulted copy of known-good project files, control and safety logic, and firmware. Also use file integrity checkers to monitor access to loaded files, or to sample them, for changes.

Opportunities to Disrupt
Realize that attackers may be able to develop additional attack approaches, as they have learned a system and may have stolen information that allows for the development of more powerful future attacks. Defenders should examine their detection and response capabilities. Decision makers should review their restoration plans for attacks with the potential to go deeper into the ICS that could result in damaged equipment. Identify new connections leaving the environment and previously unseen encrypted communications. Network Security Monitoring (NSM) is a great active defense method of detecting exfiltration and ending an adversary's attack path before it disrupts the ICS.

VPN Access

Ukraine Attack
Mitigation guidance based on the attacker approach used in this campaign recommends using two-factor authentication with user tokens to strengthen authentication.

The Next Attack


Attackers may begin looking for existing point-to-point VPN implementations at trusted third-party networks or through remote support employee connections where split tunneling is enabled. The immediate mitigation recommendation is to implement trusted jump host or intermediary systems with Network Access Control (NAC) enforcement. Additionally, a VPN configuration approach that disables split tunneling should be enforced.

Opportunities to Disrupt
Defenders are reminded that having remote access through a trusted connection is advantageous for an attacker. Begin by asking why each trusted communication path exists, evaluate the risk, and eliminate each path that does not have an identified need that outweighs the risk of having an attack path. For those communication paths that must remain, consider implementing time-of-use access for users. Implement the ability to disconnect these paths in an automated way after a defined period of time after access is granted, and a method to disconnect manually if needed. From a passive defense perspective, force choke points in the environment by ensuring that the remote VPNs enter into the environment through a dedicated remote access DMZ. This ensures that traffic and connections can be monitored by active defenders using techniques such as network security monitoring to identify abnormalities in duration of connections, number of connections, and time the connections occur.
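The three abnormality checks just named (duration, number of connections, time of day) and the time-of-use disconnect, applied to remote-access VPN session records. This is an added example, not code from the E-ISAC/SANS report; the log format, account names and policy thresholds are assumptions constructed for it.

```python
"""Added example, not from the report: run the three network security monitoring
checks named in the text (session duration, sessions per account per day, time
of day) over VPN session records, and compute which open sessions an automated
time-of-use disconnect would cut.  Log format, names and thresholds are
assumptions constructed for this example."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed VPN concentrator records (not real data): one session per line.
SAMPLE_LOG = """\
user=crew01 start=2015-12-21T09:05:00 end=2015-12-21T09:40:00
user=crew01 start=2015-12-21T13:10:00 end=2015-12-21T13:25:00
user=vendor7 start=2015-12-22T02:14:00 end=2015-12-22T07:50:00
user=vendor7 start=2015-12-22T02:16:00 end=2015-12-22T02:20:00
user=vendor7 start=2015-12-22T02:17:00 end=2015-12-22T02:21:00
user=vendor7 start=2015-12-22T02:18:00 end=2015-12-22T02:22:00
user=dispatch3 start=2015-12-23T15:00:00 end=2015-12-23T15:30:00
"""

# Assumed time-of-use policy: remote access approved 08:00-17:59, a session may
# stay up at most 2 hours before automated disconnect, and more than 3 sessions
# by one account in a day is unusual enough to alarm on.
ALLOWED_HOURS = range(8, 18)
MAX_DURATION = timedelta(hours=2)
MAX_SESSIONS_PER_DAY = 3


def parse_sessions(log_text):
    """Turn key=value log lines into dicts with datetime fields."""
    sessions = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        sessions.append({
            "user": fields["user"],
            "start": datetime.fromisoformat(fields["start"]),
            "end": datetime.fromisoformat(fields["end"]),
        })
    return sessions


def find_anomalies(sessions):
    """Return (user, reason) findings for the three abnormality checks."""
    findings = []
    for s in sessions:
        if s["start"].hour not in ALLOWED_HOURS:
            findings.append((s["user"], "started outside the time-of-use window"))
        if s["end"] - s["start"] > MAX_DURATION:
            findings.append((s["user"], "duration exceeded the session limit"))
    per_day = Counter((s["user"], s["start"].date()) for s in sessions)
    for (user, day), count in per_day.items():
        if count > MAX_SESSIONS_PER_DAY:
            findings.append((user, f"{count} sessions on {day}"))
    return findings


def overdue_sessions(sessions, now_iso):
    """Users whose session is still open at `now_iso` and past the disconnect deadline."""
    now = datetime.fromisoformat(now_iso)
    return [s["user"] for s in sessions
            if s["start"] <= now < s["end"] and now >= s["start"] + MAX_DURATION]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for user, reason in find_anomalies(sessions):
        print(f"ALERT {user}: {reason}")
    print("disconnect now:", overdue_sessions(sessions, "2015-12-22T04:30:00"))
```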

Workstation Remote Access

Ukraine Attack
Based on the details provided, the adversaries used the organization's workstations remotely (while the attacker was physically remote, logically they were local to the host) to conduct Stage 2 of the attack. Mitigation recommendations focus on disabling remote access at the host and at the perimeter firewall.


The Next Attack


Adversaries may modify attack approaches to load additional remote access tools, utilize remote shell capabilities, and tunnel communications over authorized perimeter firewall communications. In response to this modified attack approach, mitigation efforts should focus on host-based application-aware firewalls, application whitelisting, and configuration management efforts to identify changes in the operation of an asset. Application whitelisting, if installed on the operator HMI to prevent installation of unauthorized remote access software, will not aid in the prevention of authorized software. Also, keep in mind that specific control system vendors may not approve of the whitelisting software.

Opportunities to Disrupt
As a defender prepares for a cyber asset within a trusted environment that may be compromised and remotely controlled, they must consider approaches to quickly move to a conservative operations environment where the ability to issue control signals from untrusted assets is paused. Proper architecture would dictate the ability to segment or disable activities such as remote connections and unnecessary outbound communications while conducting active defense mechanisms, such as incident response, prior to restoring operational control capabilities to known-good assets.

Control and Operate

Ukraine Attack
As the attackers utilized the operator HMIs, they operated numerous sites under the control of the dispatcher. Mitigation approaches for this specific action would focus on application-level logic requiring confirmation from the operator, or implementing Area of Responsibility (AoR) limitations that only allow an operator to affect certain components of a system. For example, if an entity implemented AoR on one operator workstation that provided east breaker control and a second operator workstation that provided west breaker control, then an adversary positioned on one workstation would be limited to the AoR allowed on that specific workstation. Some vendor systems allow for username-determined AoR, workstation-determined AoR, and/or an intersection model that combines username and workstation identifier in AoR authorization. There are variations amongst vendor systems in how authentication is handled within the local workstation, directory, or at the application.
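The three AoR models above as an authorization check for a breaker command, using the east/west split from the example. This is an added illustration, not the report's or any vendor's code; account names, workstation names, breaker identifiers and the policy tables are constructed assumptions.

```python
"""Added example, not from the report: decide whether a breaker control command is
authorized under the username-determined, workstation-determined, or intersection
AoR model, and list what a session on a compromised HMI could reach under each.
All names and policy tables are constructed assumptions."""

# Constructed AoR policy tables (assumptions, not any vendor's configuration).
USER_AOR = {
    "op_east": {"east"},
    "op_west": {"west"},
    "supervisor": {"east", "west"},
}
WORKSTATION_AOR = {
    "ws-east-01": {"east"},
    "ws-west-01": {"west"},
}
BREAKER_AREA = {"CB-E1": "east", "CB-E2": "east", "CB-W1": "west", "CB-W2": "west"}


def authorized(user, workstation, breaker, model):
    """Return True if `user` at `workstation` may operate `breaker` under `model`.

    user         - the account's AoR alone decides (a stolen credential carries its full AoR)
    workstation  - the console's AoR alone decides (any account on that console)
    intersection - the breaker's area must be in both sets, the most restrictive option
    """
    area = BREAKER_AREA[breaker]
    by_user = area in USER_AOR.get(user, set())
    by_workstation = area in WORKSTATION_AOR.get(workstation, set())
    if model == "user":
        return by_user
    if model == "workstation":
        return by_workstation
    if model == "intersection":
        return by_user and by_workstation
    raise ValueError(f"unknown AoR model: {model}")


def reachable_breakers(user, workstation, model):
    """Every breaker one session could operate: the blast radius of a compromised HMI."""
    return sorted(b for b in BREAKER_AREA if authorized(user, workstation, b, model))


if __name__ == "__main__":
    # A session on the east console using a supervisor credential, per model.
    for model in ("user", "workstation", "intersection"):
        print(model, reachable_breakers("supervisor", "ws-east-01", model))
```

Under the intersection model a session on the east console is confined to east breakers whatever account it presents, which is the limit the paragraph describes.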

The Next Attack


When an attacker identifies a workstation with application security controls in place that limit their capabilities, they may modify their attack to control the system directly by issuing or injecting control commands. Mitigation strategies for this approach would focus on communication path authentication or protocol authentication that would require commands to be issued from an authorized asset. Monitoring communication sessions between hosts can lead to early detection and investigation of suspicious communications.

Opportunities to Disrupt
Preparing for adversarial utilization of cyber assets, or communication paths to control and operate elements of an ICS, requires system defenders to develop a response approach that eliminates entire sections of cyber asset elements and networks in an effort to inhibit automated control and activate manual operations only. As adversaries learn the environment, they may issue test commands and interact with the SCADA environment without the intention to disrupt it. For mitigation purposes, defenders must talk to operators and ask about abnormal occurrences, and from a passive defense perspective, ensure that logs are collected not only from the host but also from the SCADA applications. Additionally, implement a log aggregation architecture that replicates log files from assets into a log correlation system. Finally, have active defenders routinely review these logs in conjunction with other monitoring activity throughout the ICS to identify abnormalities.


Tools and Technology Impacts

Ukraine Attack
The attackers used multiple approaches to impact communication tools, operator technology for restoration efforts, and facility infrastructure essential to many operator activities. Therefore, mitigation recommendations are varied. Items to focus on are:
- Establishing filtering and response capabilities at telecom providers to activate during an ongoing TDoS attack.
- Disable remote management of field devices when they are not required.
- Disconnect building control infrastructure systems from the ICS network.
- Consider the number of spares required for embedded systems to regain required communication or control/protection.

The Next Attack


A subsequent attack may progress from resource consumption to a more direct communication path outage that affects communication capabilities. To mitigate this approach, defenders need to establish alternate communications infrastructure for essential service capabilities.

After an attacker identifies increased security requirements for field device management, they may attempt to establish direct access to a field device through a local asset with connectivity or physical presence at the site for direct firmware manipulation. Mitigation strategies for this attack approach focus on electronic and physical access controls and the development of a rapid response capability during an attack or incident.

Opportunities to Disrupt
A determined adversary can impact remote assets either electronically or physically. A defender should develop strong recovery and restoration approaches to replace mission-critical cyber asset components. One option is to rely on inventory and mutual aid assistance from trusted peer organizations and/or suppliers. In cases where specific assets are not immediately recoverable, it is necessary to develop the ability to operate the larger system with operational islands that can be recovered in a timely manner.

Defenders should have access to and visibility of the ICSs to be able to identify abnormal behavior around field device interaction. For example, uploading firmware outside of a scheduled downtime should be quickly observable. Firmware modifications over the network cause spikes in network traffic that active defenders should be consistently looking for. See Figure 10 for an example of a malicious firmware update to an industrial network switch. Even without knowing the baseline of normal activity, which defenders should have, it can be trivial to spot firmware updates in network data.

Figure 10: Sample Network I/O Data from a Malicious Firmware Update to an Industrial Ethernet Switch [38]

Respond and Restore

Ukraine Attack
The cyber attacks performed against three Ukrainian oblenergos were well planned and highly coordinated. The attacks consisted of several major elements with both enabling and supporting attack segments. The attackers were remote and interacted with multiple locations within each of their targets, to include central and regional facilities. Distribution utilities traditionally have both central business and engineering office(s) and a number of branch facilities used to support line crew, meter reading, bill payment, and distributed supervisory control operations. Certain types of cyber attacks designed to maliciously take over and operate a SCADA DMS may be best performed in a distributed fashion at the lowest or most direct level (from a local dispatch and SCADA server out to the substations that are being monitored and controlled). Preparing for a high-tempo, multifaceted attack is not easy, and it requires careful plan review, testing, integrated defense, and operations exercises. Rehearsing steps to more quickly sever or prevent remote access, to safely separate the ICSs from connected networks, or to contain and isolate suspicious hosts is critical.

The Next Attack


The next attack may purposefully differ in its approach to throw off or defeat the defender's plans and expectations. It is critical that defenders exercise and train against different scenarios and be aware that attackers are co-adaptive and creative. It is vital to develop capabilities with flexibility in mind.

Opportunities to Disrupt/Restore
Operations personnel must be involved in planning for restoration from a successful Stage 2 ICS attack. Concepts to consider from an electric operations and engineering perspective include the following and are graphically depicted in Figure 11:
- Cyber contingency analysis: Continuous analysis and preparing the system for the next event.
- Cyber failure planning: Modeling and testing cyber system response to network and asset outages.
- Cyber conservative operations: Intentionally eliminating planned and unplanned changes as well as stopping any potentially impactful processes.
- Cyber load shed: Eliminating unnecessary network segments, communications, and cyber assets that are not operationally necessary.
- Cyber Root Cause Analysis (RCA): RCA forensics to determine how an impactful event occurred and ensure it is contained.
- Cyber Blackstart: Cyber asset base configurations and bare metal build capability to restore the cyber system to a critical service state.
- Cyber mutual aid: Ability to utilize information sharing and analysis centers (ISACs), peer utilities, law enforcement and intelligence agencies, as well as contractors and vendors to respond to large-scale events.

[38] For a good discussion on exploits and malicious firmware updates for industrial Ethernet switches see the research by Eireann Leverett, Colin Cassidy, and Robert M. Lee in the DEF CON presentation "Switches Get Stitches" here: https://www.youtube.com/watch?v=yaY3rtA37Uc

Figure 11: Summary of the opportunities to disrupt the attack


Recommendations

Architecture
Recommendations:
- Properly segment networks from each other.
- Ensure logging is enabled on devices that support it, including both IT and Operational Technology (OT) assets.
- Ensure that network architecture, such as switches, is managed and has the ability to capture data from the environment to support passive and active defense mechanisms.
- Make backups of critical software installers and include an MD5 and SHA256 digital hash of the installers.
- Collect and vault backup project files from the network.
- Test the tools and technologies that passive and active defense mechanisms will need (such as digital imaging software) on the environment to ensure that they will not negatively impact systems.
- Prioritize and patch known vulnerabilities based on the most critical assets in the organization.
- Limit remote connections only to personnel that need them. When personnel need remote access, ensure that if they do not need control, they do not have access to control elements. Use two-factor authentication on the remote connections.
- Consider use of a system event monitoring system, configured and monitored specifically for high-value ICS/SCADA systems.

Passive Defense
Recommendations:
- Application whitelisting can help limit adversary initial infection vectors and should be used when not too invasive to the ICSs.
- DMZs and properly tuned firewalls between network segments will give visibility into the environment and allow defenders the time required to identify intrusions.
- Establish a central logging and data aggregation point to allow forensic evidence to be collected and made available to defenders.
- Implement alarm package priorities for abnormal cyber events within the control system.
- Enforce a password reset policy in the event of a compromise, especially for VPNs and administrative accounts.
- Utilize up-to-date antivirus or endpoint security technologies to allow for the denial of known malware.
- Configure an intrusion detection system so that rules can be quickly deployed to search for intruders.

Active Defense
Recommendations:
- Train defenders to hunt for odd communications leaving the networked environment, such as new IP communications.
- Perform network security monitoring to continuously search through the networked environment for abnormalities.
- Plan and train to incident response plans that incorporate both the IT and OT network personnel.
- Consider active defense models for security operations such as the active cyber defense cycle.
- Ensure that personnel performing analysis have access to technologies such as sandboxes to quickly analyze incoming phishing emails or odd files and extract indicators of compromise (IOCs) to search for infected systems.
- Use backup and recovery tools to take digital images from a few of the systems in the supervisory environment, such as HMIs and data historian systems, every 6-12 months. This will allow a baseline of activity to be built and make the images available for scanning with new IOCs such as new YARA rules on emerging threats.
- Train defenders on using tools such as YARA to scan digital images and evidence collected from the environment, but do not perform the scans in the production environment itself.

Good architecture and passive defense practices build a defensible ICS; active defense processes establish a defended ICS environment. Countering flexible and persistent human adversaries requires properly trained and equipped human defenders.


Implications and Conclusion

Implications for Defenders


The remote cyber attacks directed against Ukraine's electricity infrastructure were bold and successful. The cyber operation was highly synchronized and the adversary was willing to maliciously operate a SCADA system to cause power outages, followed by destructive attacks to disable SCADA and communications to the field. The destructive element is the first time the world has seen this type of attack against OT systems in a nation's critical infrastructure. This is an escalation from past destructive attacks that impacted general-purpose computers and servers (e.g., Saudi Aramco, RasGas, Sands Casino, and Sony Pictures). Several lines were crossed in the conduct of these attacks, as the targets can be described as solely civilian infrastructure. Historic attacks, such as Stuxnet, which included destruction of equipment in the OT environment, could be argued as being surgically targeted against a military target.

Infrastructure defenders must be ready to confront highly targeted and directed attacks that include their own ICSs being used against them, combined with amplifying attacks to deny communication infrastructure and future use of their ICSs. The elements analyzed in the attack indicated that there was a specific sequence to the misuse of the ICSs, including preventing further defender use of the ICSs to restore the system. This means that the attacker burned the bridges behind them by destroying equipment and wiping devices to prevent automated recovery of the system. The attacks highlight the need to develop active cyber defenses, capable and well-exercised incident response plans, and resilient operations plans to survive a sophisticated attack and restore the system.

Nothing about the attack in Ukraine was inherently specific to Ukrainian infrastructure. The impact of a similar attack may be different in other nations, but the attack methodology, Tactics, Techniques, and Procedures (TTPs) observed are employable in infrastructures around the world.

Conclusion
We have identified five themes for defenders to focus on as they consider what this attack means for their organization:

Theme 1
As defenders of ICSs, consider the sequence of events taken by the adversary in the months leading up to December 23, 2015, when this cyber operation targeting Ukrainian electricity infrastructure was planned and developed. The operation relied upon intrusions that appear to have come from a broader access campaign conducted in the spring of 2015. In a prolonged attack campaign, there are likely numerous opportunities to detect and defend the targeted system. The two-stage ICS cyber kill chain helps note that in an ICS environment, there is an increased window for the detection and identification of the most concerning attack types.

Theme 2
The cyber attacks were conducted within minutes of each other against three oblenergos, resulting in power outages affecting approximately 225,000 customers for a few hours. While the total number of customers across three service territories does not add up to a significant number of customers or load across Ukraine, there may be significance in target selection or specific loads. One critical element of this particular attack was its coordinated nature affecting three target entities and the thoroughness of the adversary sequence of events in achieving their goals. Important opportunities for defenders to disrupt the adversary's sequence of events were identified.

Theme 3
The cyber attacks were mislabeled as solely linked to BlackEnergy 3 and KillDisk. BlackEnergy 3 was simply a tool used in Stage 1 of the attacks and KillDisk was an amplifying tool used in Stage 2 of the attacks. BlackEnergy 3 malware was used to gain initial footholds into a multitude of organizations within Ukraine and not just the three impacted oblenergos. It is unknown if the adversary had planned to use this access campaign to enable their operation or if achieving access was the motivation leading to the development of a concept to attack the power system.

Excessive focus on the specific malware used in this attack places defenders into a mindset in which they are simply waiting for guidance on the specific attack components so they can eliminate them. This attack could have been enabled by a variety of approaches to gain access and utilize existing assets within a target environment. Regardless of the initial attack vector, the ICS tools and environment were ultimately used to achieve the desired effect, not the BlackEnergy 3 malware.

Theme 4
The attack concept had to be able to work across multiple SCADA DMS implementations and target common susceptible elements, such as storage overwrites for Windows-based operating system workstations and servers. The attackers likely developed destructive firmware overwrite techniques after discovering accessible embedded systems. There was likely a significant amount of unobservable adversarial testing performed prior to introducing the attack into the environment. Many capabilities were demonstrated throughout this attack, and they all provide specific lessons learned for defenders to take action on.

Theme 5
Information sharing is key in the identification of a coordinated attack and directing appropriate response actions. Within Ukraine, an organization with the ability to enable appropriate information sharing and provide incident response guidance should be pursued. In the United States and other countries with established information sharing mechanisms, such as ISACs (Information Sharing and Analysis Centers), the focus should be on maintaining and improving the information provided by asset owners and operators. This increased data sharing will enhance situational awareness within the sector, which will in turn lead to earlier attack detection and facilitate incident response.

In many ways, the Ukrainian oblenergos and their staff, as well as the involved Ukrainian government members, deserve congratulations. This attack was a world first in many ways, and the Ukrainian response was impressive with all aspects considered.

As the investigation and analysis of technical data continues and more information regarding this attack surfaces, the authors of this DUC will update this report where appropriate in an effort to maintain the most accurate and beneficial guidance document possible for ICS defenders. The E-ISAC will continue to provide credible reporting and guidance as well.


Appendix: Information Evaluation

Credibility: 5 [39]
The claims by the Ukrainian government that outages in the service territory of the targeted electricity companies were caused by a series of cyber attacks have been confirmed. The claim was originally met with private skepticism by the SANS ICS team, as ICS organizations frequently have reliability issues and incorrectly blame cyber mechanisms such as malware found on the network that is unrelated to the outage. Early reporting on incidents is often rushed and stressful, which leads to inaccurate claims. However, in the Ukrainian case, there is a large amount of evidence available, including malware samples, interviews with operators present during the incident, and confirmation by multiple private companies involved in the incident. Lastly, the U.S. government has since also confirmed the attacks due to their own investigation.

The most recent report released from DHS ICS-CERT [40] cites direct interviews with operations and information technology staff and leadership at six Ukrainian organizations with first-hand experience of the event. Based on the information provided in the report [41], the U.S. delegation interviewed and considered information from the three impacted organizations as well as others. The format of the interviews, and asset owner and operator discussions, indicated that the team was not able to independently review technical evidence of the cyber attack. However, a significant number of independent reports from the team's interviews as well as documentary findings corroborate the events. [42] However, a large amount of technical information was made available to the larger community, including indicators of compromise, malware samples, technical information about the ICS itself and its components, and some samples of logs from the SCADA environment. [43] The majority of sources to date have relied upon initial attempts by Ukrainian power entities to inform customers about the cause of the outage and sources derived from interviews with impacted entities. The DHS report does not attempt to assign attacker attribution and neither will this DUC.

Amount of Technical Information Available: 4 [44]

A score of 4 has been assigned for the technical information available due to the fact that malware samples, observable ICS impacts, technical indicators of compromise, and first-hand interviews were available. The investigation also included a joint working group between the Ukrainian government, impacted oblenergos, and U.S. government representatives starting on January 18, 2016. [45] This amount of information was sufficient to confirm the attacks.

However, it should be noted that there may be pieces of information missing due to the lack of visibility in various parts of the ICS network. As an example, packet captures from the network during the attack and field device logging were not available. With this information even more about the technical minutiae of the attack would be available. The amount of information available, as well as the willingness by the impacted oblenergos and Ukrainian government to share that information publicly, was the most seen to date for a confirmed intentional cyber attack that impacted the operations of an ICS.

[39] Credibility of the information is rated in a scale from [0] Cannot be determined, [1] Improbable, [2] Doubtful, [3] Possibly true, [4] Probably true, [5] Confirmed.
[40] https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01
[41] https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01
[42] SANS ICS team members have been able to view technical data in both public and non-government private channels to confirm the existence of forensic data and the core components of the analysis based off of the data.
[43] It should be noted that many in the community would like access to internal forensic logs of the impacted oblenergos. This is an understandable request, but it is extremely rare for impacted organizations to make such information publicly available.
[44] Amount of Technical Information Available is an analyst's evaluation and description of the details available to deconstruct the attack, provided with a rating scale from [0] No specifics, [1] High-level summary only, [2] Some details, [3] Many details, [4] Extensive details, [5] Comprehensive details with supporting evidence.
[45] http://mpe.kmu.gov.ua/minugol/control/uk/publish/article;jsessionid=CE1C739AA046FF6BA00FE8E8A4D857F3.app1?art_id=245086886&cat_id=35109

When considering the technical information provided, the authors of this DUC have considered the larger public reporting of electricity customer outages within Ukraine as a component of the validation and evidence necessary to demonstrate the attacker effects to the electricity system. The official public alert by DHS corroborates prior reporting and is based on interviews and information exchanged with the impacted organizations.
