TLP: White
Table of Contents
Preface
Summary of Incidents
Attacker Tactics, Techniques, and Procedures Description
ICS Cyber Kill Chain Mapping
Defense Lessons Learned: Passive and Active Defenses
Recommendations
Implications and Conclusion
Appendix: Information Evaluation
E-ISAC | Analysis of the Cyber Attack on the Ukrainian Power Grid | March 18, 2016
Preface
Authors, working with the E-ISAC:
Robert M. Lee, SANS
Michael J. Assante, SANS
Tim Conway, SANS
1 The SANS investigation into this incident should not be confused with the U.S. interagency team investigation or any other organization or company's efforts to include the E-ISAC's past reporting. SANS ICS team has been analyzing the data on their own since December 25, 2015, and has provided its analysis to the wider community. This document is provided to E-ISAC and the North American electricity sector to benefit its members and the larger critical infrastructure community.
Summary of Incidents
On December 23, 2015, the Ukrainian Kyivoblenergo, a regional electricity distribution company, reported service outages to customers. The outages were due to a third party's illegal entry into the company's computer and SCADA systems: Starting at approximately 3:35 p.m. local time, seven 110 kV and 23 35 kV substations were disconnected for three hours. Later statements indicated that the cyber attack impacted additional portions of the distribution grid and forced operators to switch to manual mode.2, 3 The event was elaborated on by the Ukrainian news media, who conducted interviews and determined that a foreign attacker remotely controlled the SCADA distribution management system.4 The outages were originally thought to have affected approximately 80,000 customers, based on the Kyivoblenergo's update to customers. However, later it was revealed that three different distribution oblenergos (a term used to describe an energy company) were attacked, resulting in several outages that caused approximately 225,000 customers to lose power across various areas.5, 6
Shortly after the attack, Ukrainian government officials claimed the outages were caused by a cyber attack, and that Russian security services were responsible for the incidents.7 Following these claims, investigators in Ukraine, as well as private companies and the U.S. government, performed analysis and offered assistance to determine the root cause of the outage.8 Both the E-ISAC and SANS ICS team were involved in various efforts and analyses in relation to this case since December 25, 2015, working with trusted members and organizations in the community.9
This joint report consolidates the open source information, clarifying important details surrounding the attack, offering lessons learned, and recommending approaches to help the ICS community repel similar attacks. This report does not focus on attribution of the attack.
2 https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid
3 http://news.finance.ua/ua/news//366136/hakeryatakuvalyprykarpattyaoblenergoznestrumyvshypolovynuregionuna6godyn
4 http://ru.tsn.ua/ukrayina/iz-za-hakerskoy-ataki-obestochilo-polovinu-ivano-frankovskoy-oblasti-550406.html
5 http://www.oe.if.ua/showarticle.php?id=3413
6 https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01
7 http://www.ukrinform.net/rubric-crime/1937899-russian-hackers-plan-energy-subversion-in-ukraine.html
8 https://www.rbc.ua/rus/news/pravitelstva-ssha-ukrainy-rassmotryat-otchet-1454113214.html
10 http://ru.tsn.ua/ukrayina/iz-za-hakerskoy-ataki-obestochilo-polovinu-ivano-frankovskoy-oblasti-550406.html
Background
On December 24, 2015, TSN (a Ukrainian news outlet) released the report "Due to a Hacker Attack Half of the Ivano-Frankivsk Region is De-Energized."10 Numerous reporting agencies and independent bloggers from the Washington Post, SANS Institute, New York Times, ARS Technica, BBC, Wired, CNN, Fox News, and the E-ISAC Report have followed up on the initial TSN report.11 These subsequent reports have collectively provided details of a cyber attack that targeted the Ukrainian electric system. The U.S. Department of Homeland Security (DHS) issued a formal report on February 25, 2016, titled IR-ALERT-H-16-056-01.12 Based on the DHS report, three Ukrainian oblenergos experienced coordinated cyber attacks that were executed within 30 minutes of each other. The attack impacted 225,000 customers and required the oblenergos to move to manual operations in response to the attack.
The oblenergos were reportedly able to restore service quickly after an outage window lasting several hours.13 The DHS report states that, while electrical service was restored, the impacted oblenergos continue to operate their distribution systems in an operationally constrained mode. Within the Ukrainian electrical system, these attacks were directed at the regional distribution level, as shown in Figure 1.
Figure 1: Electric System Overview
10 http://ru.tsn.ua/ukrayina/iz-za-hakerskoy-ataki-obestochilo-polovinu-ivano-frankovskoy-oblasti-550406.html
11 E-ISAC: Mitigating Adversarial Manipulation of Industrial Control Systems as Evidenced by Recent International Events, February 9, 2016 (TLP=RED)
12 https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01
13 https://www.washingtonpost.com/world/national-security/russian-hackers-suspected-in-attack-that-blacked-out-parts-of-ukraine/2016/01/05/4056a4dc-b3de-11e5-a842-0feb51d1d124_story.html
See the Appendix for an evaluation of the credibility and amount of technical information that is publicly available.
Keeping Perspective
The cyber attacks in Ukraine are the first publicly acknowledged incidents to result in power outages. As future attacks may occur, it is important to scope the impacts of the incident. Power outages should be measured in scale (number of customers and amount of electricity infrastructure involved) and in duration to full restoration. The Ukrainian incidents affected up to 225,000 customers in three different distribution-level service territories and lasted for several hours. These incidents should be rated on a macro scale as low in terms of power system impacts as the outage affected a very small number of overall power consumers in Ukraine and the duration was limited. In contrast, it is likely that the impacted companies rate these incidents as high or critical to the reliability of their systems and business operations.
Attacker Tactics, Techniques, and Procedures Description
Direct attribution is unnecessary to learn from this attack and to consider mitigation strategies; it is only necessary to use the mental model of how the cyber actor works to understand the capabilities and general profile against which one is defending. The motive and sophistication of this power grid attack is consistent with a highly structured and resourced actor. This actor was co-adaptive and demonstrated varying tactics and techniques to match the defenses and environment of the three impacted targets. The mitigation section of this document provides mitigation concepts related to the attack and how to develop a more lasting mitigation strategy by anticipating future attacks.
Capability
The attackers demonstrated a variety of capabilities, including spear phishing emails, variants of the BlackEnergy 3 malware, and the manipulation of Microsoft Office documents that contained the malware to gain a foothold into the Information Technology (IT) networks of the electricity companies.14 They demonstrated the capability to gain a foothold and harvest credentials and information to gain access to the ICS network. Additionally, the attackers showed expertise, not only in network connected infrastructure, such as Uninterruptable Power Supplies (UPSs), but also in operating the ICSs through supervisory control systems, such as the Human Machine Interface (HMI), as shown in Figure 2.
Figure 2: Control & Operate: SCADA Hijacking Techniques
Finally, the adversaries demonstrated the capability and willingness to target field devices at substations, write custom malicious firmware, and render the devices, such as serial-to-ethernet convertors, inoperable and unrecoverable.15 In one case, the attackers also used telephone systems to generate thousands of calls to the energy company's call center to deny access to customers reporting outages. However, the strongest capability of the attackers was not in their choice of tools or in their expertise, but in their capability to perform long-term reconnaissance operations required to learn the environment and execute a highly synchronized, multistage, multisite attack.
14 For a discussion around the history of the BlackEnergy 3 malware and Sandworm team see the SANS ICS webcast with iSight here: https://www.sans.org/webcasts/analysis-sandworm-team-ukraine-101597
The following is a consolidated list of the technical components used by the attackers, graphically depicted in Figure 3:
- Spear phishing to gain access to the business networks of the oblenergos
- Identification of BlackEnergy 3 at each of the impacted oblenergos
- Theft of credentials from the business networks
- The use of virtual private networks (VPNs) to enter the ICS network
- The use of existing remote access tools within the environment or issuing commands directly from a remote station similar to an operator HMI
- Serial-to-ethernet communications devices impacted at a firmware level16
- The use of a modified KillDisk to erase the master boot record of impacted organization systems as well as the targeted deletion of some logs17
- Utilizing UPS systems to impact connected load with a scheduled service outage
- Telephone denial-of-service attack on the call center
Figure 3: Ukraine Attack Consolidated Technical Components
At various points in the public reporting on the attack, organizations have indicated that BlackEnergy 3 and KillDisk itself could be directly responsible for the outage. One of the items specifically highlighted to support this theory was that KillDisk deleted a process on Windows systems linked to serial-to-ethernet communications.18 Regardless of the impact on the SCADA network environment, neither BlackEnergy 3 nor KillDisk contained the required components to cause the outage. The outages were caused by the use of the control systems and their software through direct interaction by the adversary. All other tools and technology, such as BlackEnergy 3 and KillDisk, were used to enable the attack or delay restoration efforts.
15 http://mpe.kmu.gov.ua/minugol/control/uk/publish/article;jsessionid=CE1C739AA046FF6BA00FE8E8A4D857F3.app1?art_id=245086886&cat_id=35109
16 To learn about serial-to-ethernet converters and the types of vulnerabilities that exist to them see Digital Bond's Basecamp report here: http://www.digitalbond.com/blog/2015/10/30/basecamp-for-serial-converters/
17 http://www.symantec.com/connect/blogs/destructive-disakil-malware-linked-ukraine-power-outages-also-used-against-media-organizations
Opportunities
Multiple opportunities existed for the adversary to execute its attack. External to the oblenergos and prior to the attack, there was a variety of open source information available, including a detailed list of types of infrastructure such as Remote Terminal Unit (RTU) vendors and versions posted online by ICS vendors.19 The VPNs into the ICS from the business network appear to lack two-factor authentication. Additionally, the firewall allowed the adversary to remote admin out of the environment by utilizing a remote access capability native to the systems. In addition, based on media reporting, there did not appear to be any resident capability to continually monitor the ICS network and search for abnormalities and threats through active defense measures, like network security monitoring. These vulnerabilities would have provided the adversary the opportunity to persist within the environment for six months or more to conduct reconnaissance on the environment and subsequently execute the attack.20
Based on the details provided in the DHS report, the adversary used a consistent attack approach on all three impacted targets. The adversary also used consistent tactics to impact field-controllable elements and irreparably damage field devices.
Why these oblenergos were targeted remains an open debate. Based on the public reporting, it is unknown if the targets were selected based on common technologies in use, system architectures, reconnaissance operations, or service territories. Opportunity-based considerations for selecting a specific target may focus on an attacker's confidence and ability to cause an ICS effect. Some example decision factors could include:
- Targets with common systems and configurations
- Multiple systems with common centralized control points
- ICS impact duration estimates (e.g., long-term or short-term)
- Existing capabilities required to achieve desired results
- Risk level of performing the operation and being discovered
- Achieved access and ability to move and act within the environment
18 http://www.eset.com/int/about/press/articles/malware/article/eset-finds-connection-between-cyber-espionage-and-electricity-outage-in-ukraine/
19 http://galcomcomp.com/index.php/ru/nashiproekty/15proekt3materialru
20 http://mobile.reuters.com/article/idUSKCN0VL18E
ICS Cyber Kill Chain Mapping
The ICS Cyber Kill Chain was published by SANS in 2015 by Michael Assante and Robert M. Lee as an adaptation of the traditional cyber kill chain developed by Lockheed Martin analysts as it applied to ICSs.21 The ICS Cyber Kill Chain details the steps an adversary must follow to perform a high-confidence attack on the ICS process and/or cause physical damage to equipment in a predictable and controllable way, as displayed in Figure 4.
Figure 4: The ICS Cyber Kill Chain with Stage 1 Highlighted
The attack on the Ukrainian power grid followed the ICS Cyber Kill Chain completely throughout Stage 1 and Stage 2. The attack gained access to each level of the ICS, as shown in Figure 5, with the ICS Cyber Kill Chain plotted alongside a segmentation/hierarchy model (e.g., modified Purdue Model). Completing Stage 1 entails a successful cyber intrusion or breach into an ICS system, but is not characterized as an ICS attack. Completion of Stage 2 completed the ICS Kill Chain, resulting in a successful cyber attack that led to an impact on the operations of the ICS. The next section includes a discussion of the two stages using currently available information from the attack.
21 https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297
Figure 5: Ukraine Cyber Attack ICS Cyber Kill Chain and Purdue Model Mapping22
The first step in Stage 1 is Reconnaissance. There were no reports of observed reconnaissance having taken place prior to targeting the energy companies. However, an analysis of the three impacted organizations shows they were particularly interesting targets due to the levels of automation in their distribution system, enabling the remote opening of breakers in a number of substations. Additionally, the targeting and final attack plan for the electricity companies in general were highly coordinated, which indicates that reconnaissance took place at some point. This was very unlikely to have been an opportunistic attack.
The second step is Weaponization and/or Targeting. Targeting would normally take place when no weaponization is needed, such as directly accessing internet-connected devices. In this attack, it does not appear that targeting of specific infrastructure was necessary to gain access. Instead, the adversaries weaponized Microsoft Office documents (Excel and Word) by embedding BlackEnergy 3 within the documents.23 Samples of Excel and other office documents have been recovered from the broader access campaign that targeted a multitude of organizations in Ukraine, including Office documents used in the specific attack against the three electricity companies.24, 25
During the cyber intrusion stage of Delivery, Exploit, and Install, the malicious Office documents were delivered via email to individuals in the administrative or IT network of the electricity companies. When these documents were opened, a popup was displayed to users to encourage them to enable the macros in the document as shown in Figure 6.26 Enabling the macros allowed the malware to Exploit Office macro functionality to install BlackEnergy 3 on the victim system and was not an exploit of a vulnerability through exploit code. There was no observed exploit code in this incident. The theme of using available functionality in the system was present throughout the adversary's kill chain.
22 Note, the exact architectures of the impacted utilities are not represented in the figure. The Purdue Model is a standard way of viewing different zones of a well-constructed ICS.
23 https://securelist.com/blog/research/73440/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/
24 https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B
25 Those looking for Indicators of Compromise for the word document, command and control servers, and the malware should look to E-ISAC, ICS-CERT, and iSight private reporting as well as public reporting from Kaspersky Labs, ESET, and CYS Centrum reference: https://cys-centrum.com/ru/news/black_energy_2_3 and https://securelist.com/blog/research/73440/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/
Figure 6: A Sample of a BlackEnergy 3 Infected Microsoft Office Document27
Upon the Install step, the BlackEnergy 3 malware connected to command and control (C2) IP addresses to enable communication by the adversary with the malware and the infected systems. These pathways allowed the adversary to gather information from the environment and enable access. The attackers appear to have gained access more than six months prior to December 23, 2015, when the power outage occurred.28 One of their first actions once in the network was to harvest credentials, escalate privileges, and move laterally throughout the environment (e.g., target directory service infrastructure to directly manipulate and control the authentication and authorization system). At this point, the adversary completed all actions to establish persistent access to the targets. While the initial footholds were used to harvest legitimate credentials for pivoting and systematic takeover of IT systems and remote connections, it is likely that the attackers moved quickly away from their initial footholds and vulnerable C2s in an effort to blend into the targets' systems as authorized users. With this information, the attackers would be able to identify VPN connections and avenues from the business network into the ICS network. Using native connections and commands allows the attackers to discover the remainder of the systems and extract data necessary to formulate a plan for Stage 2.
26 For a detailed understanding of the infected Microsoft Office documents and the malicious payload see Kaspersky Labs' write-up here: https://securelist.com/blog/research/73440/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/
27 https://securelist.com/blog/research/73440/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/
28 http://politicalpistachio.blogspot.com/2016/01/russian-hackers-take-down-power-grid-in.html
Currently available information indicates that the malicious firmware was consistent amongst devices and uploaded within short periods of each other to multiple sites. Therefore, the malicious uploads of firmware were likely developed prior to the attack for quick and predictable execution.
E-ISAC and the SANS ICS team assess with high confidence that, during the Validation Stage of Stage 2, the adversary did Test their capabilities prior to their deployment. It is possible that the adversaries were able to execute this with pure luck, but it is highly unlikely and inconsistent with the professionalism observed throughout the rest of the attack. The adversaries likely had systems in their organization that they were able to evaluate and test their firmware against prior to executing on December 23rd.
29 The three different DMS vendors were discoverable via open source searching. The names of the vendors are being withheld as it is not important to the discussion of the attack. There were no exploits leveraged against these vendors but they were simply abused with direct access.
30 http://mpe.kmu.gov.ua/minugol/control/uk/publish/article;jsessionid=CE1C739AA046FF6BA00FE8E8A4D857F3.app1?art_id=245086886&cat_id=35109
During the ICS Attack Stage, the adversaries used native software to Deliver themselves into the environment for direct interaction with the ICS components. They achieved this using existing remote administration tools on the operator workstations. The threat actors also continued to use the VPN access into the IT environment.31
In final preparation for the attack, the adversaries completed the Install/Modify stage by installing malicious software identified as a modified or customized KillDisk across the environment. While it is likely the attackers then ensured their modifications to the UPS were ready for the attack, there was not sufficient forensic evidence available to prove this. The last act of modification was for the adversaries to take control of the operator workstations and thereby lock the operators out of their systems. Figure 7 shows the static analysis of the KillDisk API imports following the event.
Figure 7: Static Analysis of KillDisk Identifying API Imports32
Finally, to complete the ICS Cyber Kill Chain and to Execute the ICS Attack, the adversaries used the HMIs in the SCADA environment to open the breakers. At least 27 substations (the total number is probably higher) were taken offline across the three energy companies, impacting roughly 225,000 customers.33, 34 Simultaneously, the attackers uploaded the malicious firmware to the serial-to-ethernet gateway devices. This ensured that even if the operator workstations were recovered, remote commands could not be issued to bring the substations back online (we have characterized the firmware attacks against field communication devices as "blowing the bridges").
31 http://mpe.kmu.gov.ua/minugol/control/uk/publish/article;jsessionid=CE1C739AA046FF6BA00FE8E8A4D857F3.app1?art_id=245086886&cat_id=35109
32 This image was provided by Jake Williams of Rendition InfoSec. It is included here to note that KillDisk would not run properly in a malware sandbox for analysis. Static analysis was required to fully investigate the malware sample.
33 http://money.cnn.com/2016/01/18/technology/ukraine-hack-russia/
34 In analysis of the impact observed and on the available information on the Ukrainian distribution grid it is assessed with medium confidence that the public number of disconnected substations, 27, is a low number.
During this same period, the attackers also leveraged a remote telephonic denial of service on the energy company's call center with thousands of calls to ensure that impacted customers could not report outages. Initially, it seemed that this attack was to keep customers from informing the operators of how extensive the outages were; however, in review of the entirety of the evidence, it is more likely that the denial of service was executed to frustrate the customers since they could not contact customer support or gain clarity regarding the outage. The entire attack from March 2015 to December 23, 2015 is graphically depicted below in Figure 8.
Figure 8: ICS Kill Chain Mapping Chart
It is extremely important to note that neither BlackEnergy 3, unreported backdoors, KillDisk, nor the malicious firmware uploads alone were responsible for the outage. Each was simply a component of the cyber attack for the purposes of access and delay of restoration. For example, on some systems, KillDisk made the Windows systems inoperable by manipulating or deleting the master boot record, but on other systems it just deleted logs and system events.35, 36 The actual cause of the outage was the manipulation of the ICS itself and the loss of control due to direct interactive operations by the adversary. The loss of view into the system through the wiping of the SCADA network systems simply delayed restoration efforts.
In summary, Stage 2 consisted of the following attack elements:
- Supporting attacks:
  o Scheduled disconnects for UPS systems
  o Telephonic floods against at least one oblenergo's customer support line
- Primary attack: SCADA hijack with malicious operation to open breakers
- Amplifying attacks:
  o KillDisk wiping of workstations, servers, and an HMI card inside of an RTU
  o Firmware attacks against Serial-to-Ethernet devices at substations
35 https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01
36 https://ics.sans.org/blog/2016/01/01/potential-sample-of-malware-from-the-ukrainian-cyber-attack-uncovered
Defense Lessons Learned: Passive and Active Defenses
We reviewed the mitigation strategies provided through the DHS ICS-CERT Alert and considered how an adversary may alter the next attack based on the mitigation taken by a target. We support many of the mitigation recommendations provided to date. However, it is likely that the adversary will modify attack approaches in follow-on campaigns and these mitigation strategies may not be sufficient. In the following section, we discuss mitigations for the attack that took place to extract defense lessons learned. In addition, we discuss future potential attacker methodologies and provide recommendations that could disrupt similar adversary's operations. The mitigations will focus on recommendations for Architecture, Passive Defense, and Active Defense methodologies along the Sliding Scale of Cyber Security, shown in Figure 9.37
Figure 9: The Sliding Scale of Cyber Security
Spear Phishing
Ukraine Attack
In the attack, the adversary delivered a targeted email with a malicious attachment that appeared to come from a trusted source to specific individuals within the organizations. Initial mitigation recommendations would point to end-user awareness training and ongoing phishing testing. Efforts to prevent malware have often recommended application whitelisting, which can be effective in ICS environments if the ICS vendor approves of the use. However, based on the details of this attack, application whitelisting would have had a limited role contained to the execution of initial dropper infections in network segments with infected workstations (e.g., users that received and activated infected spear phish emails) where application whitelisting may be more challenging to implement. It is important to note that application whitelisting would not have deterred or prevented the second stage ICS attacks that impacted the Ukrainian oblenergos. In at least one instance, the attacker used a remote rogue client and approved OS-level remote admin features for other components of the attack.
37 https://www.sans.org/reading-room/whitepapers/analyst/sliding-scale-cyber-security-36240
Opportunities to Disrupt
The adversary will likely modify attacks to respond to increases or changes in the target's defenses. Defenders need to develop anticipatory responses to attack effects. Since the social engineering components of attacks targeted email and internet-accessible cyber assets, these assets and the networks they reside on are untrusted contested territory. Communication with these untrusted areas should be segmented, monitored, and controlled. Operate under the assumption that the environment is accessible by the adversary and ensure appropriate defenses are in place to protect the operations and control environment from the adversary-controlled business cyber assets (while some organizations inherently trust their business systems and networks, additional enforcement and scrutiny of these systems is necessary). Consider using sandboxing technology to evaluate documents and emails coming into the network, using proxy systems to control outbound and inbound communication paths, and limiting workstations to communicate only through the proxy devices by implementing perimeter egress access controls.
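The delivery vector above was a macro-bearing Office document whose macros the user was lured into enabling. One cheap gateway-side check that precedes sandboxing is to open each Office Open XML attachment as the ZIP container it is and look for an embedded VBA project, which also catches macro payloads smuggled under a macro-free extension. The following is an added example written for this page, not code from the report or from E-ISAC/SANS; the sample documents are constructed in memory, and the content-type string is the one OOXML registers for a VBA project.

```python
"""Gateway-side check for macro-bearing Office attachments.

Added example (not from the E-ISAC/SANS report). It inspects Office Open XML
files (.docx/.xlsx/.docm/.xlsm), which are ZIP containers: a document that
carries VBA macros contains a ``vbaProject.bin`` part, and that part is also
registered in ``[Content_Types].xml``. The sample documents below are
constructed in memory so the check runs offline.
"""
import io
import zipfile

# Content type that OOXML uses to register an embedded VBA project.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions that, by Office's own convention, must not carry macros.
MACRO_FREE_EXTENSIONS = {".docx", ".xlsx", ".pptx"}


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment. The 'risk' field is 'clean', 'macro',
    'mismatch' (macro content under a macro-free extension) or 'unknown'
    (not an OOXML container, e.g. legacy .doc/.xls OLE files, which need a
    different parser or a sandbox)."""
    ext = filename.lower()[filename.rfind("."):] if "." in filename else ""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"file": filename, "risk": "unknown", "reason": "not an OOXML zip container"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
        types_xml = ""
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        registered = VBA_CONTENT_TYPE in types_xml
    if not (has_vba_part or registered):
        return {"file": filename, "risk": "clean", "reason": "no VBA project present"}
    if ext in MACRO_FREE_EXTENSIONS:
        # Office will not run macros from a .docx, but a VBA part inside one
        # is a strong sign of tampering and worth quarantining.
        return {"file": filename, "risk": "mismatch",
                "reason": "VBA project inside macro-free extension"}
    return {"file": filename, "risk": "macro",
            "reason": "VBA project present; route to sandbox or block"}


def build_sample(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-like container for testing (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        override = ""
        if with_vba:
            override = (f'<Override PartName="/word/vbaProject.bin" '
                        f'ContentType="{VBA_CONTENT_TYPE}"/>')
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/'
                    f'content-types">{override}</Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder-vba")
    return buf.getvalue()


def triage(attachments) -> list:
    """Apply the check to (filename, bytes) pairs; return every non-clean verdict."""
    return [v for v in (inspect_attachment(n, d) for n, d in attachments)
            if v["risk"] != "clean"]


if __name__ == "__main__":
    samples = [  # constructed attachments
        ("invoice.docx", build_sample(False)),
        ("report.docm", build_sample(True)),
        ("schedule.docx", build_sample(True)),
        ("legacy.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 legacy OLE header"),
    ]
    for verdict in triage(samples):
        print(verdict)
```

Anything returning 'macro', 'mismatch' or 'unknown' is what the sandbox and proxy controls in the paragraph above exist for; the legacy binary formats used in this campaign are deliberately returned as 'unknown' rather than guessed at.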
Credential Theft
Ukraine Attack
In the attack, the adversary appears to have used BlackEnergy 3 to establish a foothold and utilize keystroke loggers to perform credential theft. As an initial mitigation approach, we recommend that organizations obtain the YARA rules for the latest IOCs. By using the YARA forensic tool, organizations can search for BlackEnergy 3 infections and then utilize anti-malware removal tools to eliminate the malware from the infected assets. Defenders should be mindful of the time it takes to detect an infected host as the intruder may have already moved inside the network and secured additional methods to interact and communicate with the infected network. Organizations should change user and shared user passwords (ensure that these steps are approved by operations and the vendor, and tested for impacts to operations and existing security controls).
Opportunities to Disrupt
Monitor user account behavior, network and system communication, and directory-level activity with a focus on identifying abnormalities. Implement alarm capabilities with different priority-level alarms based on the risk of the systems associated with the alarms. It is important to note that YARA is a forensics tool and is not a continuous monitoring solution.
Data Exfiltration
Ukraine Attack
After the attackers achieved the necessary freedom of movement and action in the IT infrastructure, they began exfiltrating the necessary information and discovering the hosts and devices to devise an attack concept to hijack the SCADA DMS to open breakers and cause a power outage. They followed this with destructive attacks against workstations, servers, and embedded devices that provide industrial communications in their distribution substations. The mitigation recommendation here is to understand where this type of information exists inside your business network and ICSs. Minimizing where the information resides and controlling access is a priority for an ICS-dependent organization.
Opportunities to Disrupt
Realize that attackers may be able to develop additional attack approaches as they have learned a system and may have stolen information that allows for the development of more powerful future attacks. Defenders should examine their detection and response capabilities. Decision makers should review their restoration plans for attacks with the potential to go deeper into the ICS and could result in damaged equipment. Identify new connections leaving the environment and previously unseen encrypted communications. Network Security Monitoring (NSM) is a great active defense method of detecting exfiltration and ending an adversary's attack path before it disrupts the ICS.
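The credential-theft guidance earlier (monitor account behavior and directory-level activity, alarm with priorities tied to system risk) and the exfiltration guidance just above (identify new connections leaving the environment) share one mechanism: learn what is normal over a window, then alarm on pairs never seen before, ranking each alarm by the risk tier of the asset involved. The block below is an added example written for this page, not code from the report or from E-ISAC/SANS; the asset inventory, risk tiers, host names and every log line are constructed assumptions.

```python
"""Baseline-and-deviation alarms with risk-tiered priorities.

Added example (not from the E-ISAC/SANS report). One learner serves two of the
report's recommendations: flag accounts logging on to hosts they never used
(credential theft / lateral movement) and flag outbound flows to destinations
the environment never contacted (exfiltration). Priority comes from the risk
tier of the asset involved, so a new pair on an HMI outranks one on a business
workstation. All records, hosts and tiers below are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Assumed asset inventory: risk tier per host (higher tier = more critical).
ASSET_TIER = {
    "fin-ws-07": 1, "hr-ws-12": 1,          # business workstations
    "dc-01": 2,                             # domain controller
    "vpn-gw": 2,                            # VPN concentrator toward the ICS
    "hmi-east-01": 3, "scada-srv-01": 3,    # operations / control assets
}
PRIORITY = {1: "low", 2: "medium", 3: "high"}
RANK = {"low": 1, "medium": 2, "high": 3}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class Baseline:
    """Learns (key, value) pairs during a training window, then reports pairs
    not seen before, tagging each with the risk tier of the asset involved."""

    def __init__(self):
        self.seen = defaultdict(set)

    def learn(self, records):
        for key, value, _host in records:
            self.seen[key].add(value)

    def deviations(self, records):
        alarms = []
        for key, value, host in records:
            if value in self.seen[key]:
                continue
            tier = ASSET_TIER.get(host, 1)   # unknown assets default to low
            alarms.append({"priority": PRIORITY[tier], "key": key,
                           "value": value, "host": host})
        # Highest priority first so control-network alarms top the queue.
        alarms.sort(key=lambda a: -RANK[a["priority"]])
        return alarms


def logon_records(lines):
    """Parse constructed logon lines 'user=<u> host=<h>' into (user, host, host):
    the key is the account, the value and the risk asset are the host."""
    out = []
    for line in lines:
        f = dict(tok.split("=", 1) for tok in line.split())
        out.append((f["user"], f["host"], f["host"]))
    return out


def flow_records(lines):
    """Parse constructed flow lines 'src=<host> dst=<ip> dport=<n>' into
    (src_host, 'dst:port', src_host), keeping only flows that leave the
    environment (the report's 'new connections leaving the environment')."""
    out = []
    for line in lines:
        f = dict(tok.split("=", 1) for tok in line.split())
        if not is_internal(f["dst"]):
            out.append((f["src"], f'{f["dst"]}:{f["dport"]}', f["src"]))
    return out


def run_demo():
    """Train on a normal window, then evaluate a suspicious one (constructed)."""
    train_logons = logon_records([
        "user=alice host=fin-ws-07", "user=bob host=hr-ws-12",
        "user=ops1 host=hmi-east-01", "user=svc_backup host=dc-01",
    ])
    train_flows = flow_records([
        "src=fin-ws-07 dst=203.0.113.10 dport=443",
        "src=hr-ws-12 dst=203.0.113.10 dport=443",
        "src=hmi-east-01 dst=10.20.0.5 dport=502",      # internal, ignored
    ])
    # Detection window: a business account reaching the domain controller and
    # an HMI, and a SCADA server opening an encrypted session to a new address.
    new_logons = logon_records([
        "user=alice host=fin-ws-07", "user=alice host=dc-01",
        "user=alice host=hmi-east-01",
    ])
    new_flows = flow_records([
        "src=fin-ws-07 dst=203.0.113.10 dport=443",
        "src=scada-srv-01 dst=198.51.100.77 dport=443",
    ])
    logons, flows = Baseline(), Baseline()
    logons.learn(train_logons)
    flows.learn(train_flows)
    return logons.deviations(new_logons) + flows.deviations(new_flows)


if __name__ == "__main__":
    for alarm in run_demo():
        print(alarm)
```

The tiering is what turns a noisy "new pair" detector into something an analyst can act on: the same unseen logon is low priority on a finance workstation and high priority on the HMI that can open breakers.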
VPN Access
Ukraine Attack
Mitigation guidance based on the attacker approach used in this campaign recommends using two-factor authentication with user tokens to strengthen authentication.
Ukraine Attack
Based on the details provided, the adversaries used the organization's workstations remotely (while the attacker was physically remote, logically they were local to the host) to conduct Stage 2 of the attack. Mitigation recommendations focus on disabling remote access at the host and at the perimeter firewall.
Opportunities to Disrupt
As a defender prepares for a cyber asset within a trusted environment that may be compromised and remotely controlled, they must consider approaches to quickly move to a conservative operations environment where the ability to issue control signals from untrusted assets is paused. Proper architecture would dictate the ability to segment or disable activities such as remote connections, and unnecessary outbound communications, while conducting active defense mechanisms, such as incident response, prior to restoring operational control capabilities to known good assets.
Ukraine Attack
As the attackers utilized the operator HMIs, they operated numerous sites under the control of the dispatcher. Mitigation approaches for this specific action would focus on application-level logic requiring confirmation from the operator, or implementing Area of Responsibility (AoR) limitations that only allow an operator to affect certain components of a system. For example, if an entity implemented AoR on one operator workstation that provided east breaker control and a second operator workstation that provided west breaker control, then an adversary positioned on one workstation would be limited to the AoR allowed on that specific workstation. Some vendor systems allow for username-determined AoR, workstation-determined AoR, and/or an intersection model that combines username and workstation identifier in AoR authorization. There are variations amongst vendor systems in how authentication is handled within the local workstation, directory, or at the application.
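The three AoR variants described above, with the operator confirmation step, as an added example that is not code from the report or from any vendor product; the user, console and breaker names are constructed, and the intersection model is what bounds a session on the east console to the east breakers regardless of the account in use.

```python
# Area of Responsibility (AoR) authorization for HMI control actions.
# Added example, not from the E-ISAC/SANS report or any vendor product; the
# user, console and breaker names are constructed.
from dataclasses import dataclass
from enum import Enum


class AorMode(Enum):
    USERNAME = "username"          # AoR follows the logged-in operator only
    WORKSTATION = "workstation"    # AoR follows the console only
    INTERSECTION = "intersection"  # component must be in both AoRs


@dataclass(frozen=True)
class ControlRequest:
    user: str
    workstation: str
    component: str   # e.g. a breaker identifier
    confirmed: bool  # operator answered the application-level confirmation prompt


class AorPolicy:
    def __init__(self, mode, user_aor, workstation_aor):
        self.mode = mode
        self.user_aor = user_aor                # user -> controllable components
        self.workstation_aor = workstation_aor  # console -> controllable components

    def allowed(self, user, workstation):
        """Components this user may control from this console under the policy mode."""
        u = self.user_aor.get(user, set())
        w = self.workstation_aor.get(workstation, set())
        if self.mode is AorMode.USERNAME:
            return set(u)
        if self.mode is AorMode.WORKSTATION:
            return set(w)
        return u & w

    def authorize(self, req):
        """Return (allowed, reason); a deny is worth alarming as an abnormal cyber event."""
        if not req.confirmed:
            return False, "operator confirmation missing"
        if req.component not in self.allowed(req.user, req.workstation):
            return False, f"{req.component} outside AoR for {req.user}@{req.workstation}"
        return True, "ok"


# Constructed configuration: one console is assigned the east breakers, another
# the west; the shared dispatcher account is entitled to both sets.
EAST, WEST = {"BRK-E1", "BRK-E2"}, {"BRK-W1", "BRK-W2"}
USERS = {"dispatcher": EAST | WEST}
WORKSTATIONS = {"hmi-east": EAST, "hmi-west": WEST}


def policy(mode):
    return AorPolicy(mode, USERS, WORKSTATIONS)


def west_breaker_from_east_console(mode):
    """A session on hmi-east (whoever is driving it) asking for a west breaker."""
    return policy(mode).authorize(ControlRequest("dispatcher", "hmi-east", "BRK-W1", True))
```

Under the username-only model the request succeeds because the dispatcher account is entitled to both regions; under the workstation or intersection model the east console cannot reach a west breaker at all.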
Opportunities to Disrupt
Preparing for adversarial utilization of cyber assets, or communication paths to control and operate elements of an ICS system, requires system defenders to develop a response approach that eliminates entire sections of cyber asset elements and networks in an effort to inhibit automated control and activate manual operations only. As adversaries learn the environment, they may issue test commands and interact with the SCADA environment without the intention to disrupt it. For mitigation purposes, defenders must talk to operators and ask about abnormal occurrences, and from a passive defense perspective, ensure that logs are collected not only from the host but also from the SCADA applications. Additionally, implement a log aggregation architecture that replicates log files from assets into a log correlation system. Finally, have active defenders routinely review these logs in conjunction with other monitoring activity throughout the ICS to identify abnormalities.
Ukraine Attack
The attackers used multiple approaches to impact communication tools, operator technology for restoration efforts, and facility infrastructure essential to many operator activities. Therefore, mitigation recommendations are varied. Items to focus on are:
- Establishing filtering and response capabilities at telecom providers to activate during an ongoing TDoS attack.
- Disable remote management of field devices when they are not required.
- Disconnect building control infrastructure systems from the ICS network.
- Consider the number of spares required for embedded systems to regain required communication or control/protection.
After an attacker identifies increased security requirements for field device management, they may attempt to establish direct access to a field device through a local asset with connectivity or physical presence at the site for direct firmware manipulation. Mitigation strategies for this attack approach focus on electronic and physical access controls and the development of a rapid response capability during an attack or incident.
Opportunities to Disrupt
A determined adversary can impact remote assets either electronically or physically. A defender should develop strong recovery and restoration approaches to replace mission-critical cyber asset components. One option is to rely on inventory and mutual aid assistance from trusted peer organizations and/or suppliers. In cases where specific assets are not immediately recoverable, it is necessary to develop the ability to operate the larger system with operational islands that can be recovered in a timely manner.
Defenders should have access to and visibility of the ICSs to be able to identify abnormal behavior around field device interaction. For example, uploading firmware outside of a scheduled downtime should be quickly observable. Firmware modifications over the network cause spikes in network traffic that active defenders should be consistently looking for. See Figure 10 for an example of a malicious firmware update to an industrial network switch. Even without knowing the baseline of normal activity, which defenders should have, it can be trivial to spot firmware updates in network data.
Figure 10: Sample Network I/O Data from a Malicious Firmware Update to an Industrial Ethernet Switch [38]
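The spike-spotting described above, worked through on per-interval byte counts of the kind Figure 10 summarises, as an added example that is not code from the report; the device name, traffic figures and downtime window are constructed. It goes slightly beyond the paragraph by using the window's own median and MAD as the reference (so no prior baseline is needed) and by checking the burst against the scheduled downtime.

```python
# Spotting a firmware transfer to a field device in per-interval network I/O
# counters (the kind of data Figure 10 summarises). Added example, not from the
# E-ISAC/SANS report; device name and traffic figures are constructed. No
# baseline is needed: the window's own median and MAD are the reference.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass
class IoSample:
    ts: datetime   # start of a one-second interval
    dst: str       # device receiving the traffic
    bytes_in: int  # bytes delivered to the device in that interval


@dataclass
class Burst:
    dst: str
    start: datetime
    end: datetime
    total_bytes: int


def spike_samples(samples, k=20.0, floor=50_000):
    """Samples above median + k*MAD of the series and above `floor` bytes."""
    vals = [s.bytes_in for s in samples]
    med = median(vals)
    mad = median(abs(v - med) for v in vals) or 1.0  # guard an all-equal series
    return [s for s in samples if s.bytes_in >= floor and s.bytes_in > med + k * mad]


def group_bursts(spikes, max_gap=timedelta(seconds=2)):
    """Merge spikes to the same device that are close in time into one burst."""
    bursts = []
    for s in sorted(spikes, key=lambda x: (x.dst, x.ts)):
        last = bursts[-1] if bursts else None
        if last and last.dst == s.dst and s.ts - last.end <= max_gap:
            last.end, last.total_bytes = s.ts, last.total_bytes + s.bytes_in
        else:
            bursts.append(Burst(s.dst, s.ts, s.ts, s.bytes_in))
    return bursts


def outside_window(ts, window):
    """True when ts is outside a same-day (start, end) downtime window, or none is set."""
    return window is None or not (window[0] <= ts.time() <= window[1])


def firmware_alerts(samples, downtime=None, min_total=1_000_000):
    """Bursts big enough to be an image transfer that occur outside scheduled downtime."""
    return [b for b in group_bursts(spike_samples(samples))
            if b.total_bytes >= min_total and outside_window(b.start, downtime)]


# Constructed input: 60 s of polling traffic to one switch (1.2-1.4 KB/s) with
# a ~8 MB transfer during seconds 30-38, at 14:05 with no downtime scheduled.
T0 = datetime(2016, 1, 12, 14, 5, 0)
SWITCH = "sw-substation-1"
SAMPLES = [IoSample(T0 + timedelta(seconds=i), SWITCH,
                    900_000 if 30 <= i <= 38 else 1_200 + (i % 7) * 40)
           for i in range(60)]
```

Running firmware_alerts(SAMPLES) on the constructed input yields one burst of 8,100,000 bytes covering seconds 30 to 38; the same burst inside a declared downtime window is suppressed.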
Ukraine Attack
The cyber attacks performed against three Ukrainian oblenergos were well planned and highly coordinated. The attacks consisted of several major elements with both enabling and supporting attack segments. The attackers were remote and interacted with multiple locations within each of their targets, including central and regional facilities. Distribution utilities traditionally have both central business and engineering office(s) and a number of branch facilities used to support line crews, meter reading, bill payment, and distributed supervisory control operations. Certain types of cyber attacks designed to maliciously take over and operate a SCADA DMS may be best performed in a distributed fashion at the lowest or most direct level (from a local dispatch and SCADA server out to the substations that are being monitored and controlled). Preparing for a high-tempo, multifaceted attack is not easy, and it requires careful plan review, testing, integrated defense, and operations exercises. Rehearsing steps to more quickly sever or prevent remote access, to safely separate the ICSs from connected networks, or to contain and isolate suspicious hosts is critical.
Opportunities to Disrupt/Restore
Operations personnel must be involved in planning for restoration from a successful Stage 2 ICS attack. Concepts to consider from an electric operations and engineering perspective include the following and are graphically depicted in Figure 11:
- Cyber contingency analysis: Continuous analysis and preparing the system for the next event.
- Cyber failure planning: Modeling and testing cyber system response to network and asset outages.
- Cyber conservative operations: Intentionally eliminating planned and unplanned changes as well as stopping any potentially impactful processes.
- Cyber load shed: Eliminating unnecessary network segments, communications, and cyber assets that are not operationally necessary.
- Cyber Root Cause Analysis (RCA): RCA forensics to determine how an impactful event occurred and ensure it is contained.
- Cyber Blackstart: Cyber asset base configurations and bare metal build capability to restore the cyber system to a critical service state.
- Cyber mutual aid: Ability to utilize information sharing and analysis centers (ISACs), peer utilities, law enforcement and intelligence agencies, as well as contractors and vendors to respond to large-scale events.
Figure 11: Summary of the opportunities to disrupt the attack
38 For a good discussion on exploits and malicious firmware updates for industrial ethernet switches, see the research by Eireann Leverett, Colin Cassidy, and Robert M. Lee in the DEF CON presentation "Switches Get Stitches" here: https://www.youtube.com/watch?v=yaY3rtA37Uc
Recommendations
Architecture
Recommendations:
- Properly segment networks from each other.
- Ensure logging is enabled on devices that support it, including both IT and Operational Technology (OT) assets.
- Ensure that network architecture, such as switches, are managed and have the ability to capture data from the environment to support Passive and Active Defense mechanisms.
- Make backups of critical software installers and include an MD5 and SHA256 digital hash of the installers.
- Collect and vault backup project files from the network.
- Test the tools and technologies that passive and active defense mechanisms will need (such as digital imaging software) on the environment to ensure that they will not negatively impact systems.
- Prioritize and patch known vulnerabilities based on the most critical assets in the organization.
- Limit remote connections only to personnel that need them. When personnel need remote access, ensure that if they do not need control, they do not have access to control elements. Use two-factor authentication on the remote connections.
- Consider use of a system event monitoring system, configured and monitored specifically for high-value ICS/SCADA systems.
Passive Defense
Recommendations:
- Application whitelisting can help limit adversary initial infection vectors and should be used when not too invasive to the ICSs.
- DMZs and properly tuned firewalls between network segments will give visibility into the environment and allow defenders the time required to identify intrusions.
- Establish a central logging and data aggregation point to allow forensic evidence to be collected and made available to defenders.
- Implement alarm package priorities for abnormal cyber events within the control system.
- Enforce a password reset policy in the event of a compromise, especially for VPNs and administrative accounts.
- Utilize up-to-date antivirus or endpoint security technologies to allow for the denial of known malware.
- Configure an intrusion detection system so that rules can be quickly deployed to search for intruders.
Active Defense
Recommendations:
- Train defenders to hunt for odd communications leaving the networked environment, such as new IP communications.
- Perform network security monitoring to continuously search through the networked environment for abnormalities.
- Plan and train to incident response plans that incorporate both the IT and OT network personnel.
- Consider active defense models for security operations such as the active cyber defense cycle.
- Ensure that personnel performing analysis have access to technologies such as sandboxes to quickly analyze incoming phishing emails or odd files and extract indicators of compromise (IOCs) to search for infected systems.
- Use backup and recovery tools to take digital images from a few of the systems in the supervisory environment, such as HMIs and data historian systems, every 6-12 months. This will allow a baseline of activity to be built and make the images available for scanning with new IOCs such as new YARA rules on emerging threats.
- Train defenders on using tools such as YARA to scan digital images and evidence collected from the environment, but do not perform the scans in the production environment itself.
Good architecture and passive defense practices build a defensible ICS; active defense processes establish a defended ICS environment. Countering flexible and persistent human adversaries requires properly trained and equipped human defenders.
Implications and Conclusion
Infrastructure defenders must be ready to confront highly targeted and directed attacks that include their own ICSs being used against them, combined with amplifying attacks to deny communication infrastructure and future use of their ICSs. The elements analyzed in the attack indicated that there was a specific sequence to the misuse of the ICSs, including preventing further defender use of the ICSs to restore the system. This means that the attacker burned the bridges behind them by destroying equipment and wiping devices to prevent automated recovery of the system. The attacks highlight the need to develop active cyber defenses, capable and well-exercised incident response plans, and resilient operations plans to survive a sophisticated attack and restore the system.
Nothing about the attack in Ukraine was inherently specific to Ukrainian infrastructure. The impact of a similar attack may be different in other nations, but the attack methodology, Tactics, Techniques, and Procedures (TTPs) observed are employable in infrastructures around the world.
Conclusion
We have identified five themes for defenders to focus on as they consider what this attack means for their organization:
Theme 1
As defenders of ICSs, consider the sequence of events taken by the adversary in the months leading up to December 23, 2015, when this cyber operation targeting Ukrainian electricity infrastructure was planned and developed. The operation relied upon intrusions that appear to have come from a broader access campaign conducted in the spring of 2015. In a prolonged attack campaign, there are likely numerous opportunities to detect and defend the targeted system. The two-stage ICS cyber kill chain helps note that in an ICS environment, there is an increased window for the detection and identification of the most concerning attack types.
Theme 2
The cyber attacks were conducted within minutes of each other against three oblenergos, resulting in power outages affecting approximately 225,000 customers for a few hours. While the total number of customers across three service territories does not add up to a significant number of customers or load across Ukraine, there may be significance in target selection or specific loads. One critical element of this particular attack was its coordinated nature affecting three target entities and the thoroughness of the adversary's sequence of events in achieving their goals. Important opportunities for defenders to disrupt the adversary's sequence of events were identified.
Theme 3
The cyber attacks were mislabeled as solely linked to BlackEnergy 3 and KillDisk. BlackEnergy 3 was simply a tool used in Stage 1 of the attacks, and KillDisk was an amplifying tool used in Stage 2 of the attacks. BlackEnergy 3 malware was used to gain initial footholds into a multitude of organizations within Ukraine and not just the three impacted oblenergos. It is unknown if the adversary had planned to use this access campaign to enable their operation or if achieving access was the motivation leading to the development of a concept to attack the power system.
Excessive focus on the specific malware used in this attack places defenders into a mindset in which they are simply waiting for guidance on the specific attack components so they can eliminate them. This attack could have been enabled by a variety of approaches to gain access and utilize existing assets within a target environment. Regardless of the initial attack vector, the ICS tools and environment were ultimately used to achieve the desired effect, not the BlackEnergy 3 malware.
Theme 4
The attack concept had to be able to work across multiple SCADA DMS implementations and target common susceptible elements, such as storage overwrites for Windows-based operating system workstations and servers. The attackers likely developed destructive firmware overwrite techniques after discovering accessible embedded systems. There was likely a significant amount of unobservable adversarial testing performed prior to introducing the attack into the environment. Many capabilities were demonstrated throughout this attack, and they all provide specific lessons learned for defenders to take action on.
Theme 5
Information sharing is key in the identification of a coordinated attack and directing appropriate response actions. Within the Ukraine, an organization with the ability to enable appropriate information sharing and provide incident response guidance should be pursued. In the United States and other countries with established information sharing mechanisms, such as ISACs (Information Sharing and Analysis Centers), the focus should be on maintaining and improving the information provided by asset owners and operators. This increased data sharing will enhance situational awareness within the sector, which will in turn lead to earlier attack detection and facilitate incident response.
In many ways, the Ukrainian oblenergos and their staff, as well as the involved Ukrainian government members, deserve congratulations. This attack was a world first in many ways, and the Ukrainian response was impressive with all aspects considered.
As the investigation and analysis of technical data continues and more information regarding this attack surfaces, the authors of this DUC will update this report where appropriate in an effort to maintain the most accurate and beneficial guidance document possible for ICS defenders. The E-ISAC will continue to provide credible reporting and guidance as well.
Appendix: Information Evaluation
Credibility: 5 [39]
The claims by the Ukrainian government that outages in the service territory of the targeted electricity companies were caused by a series of cyber attacks have been confirmed. The claim was originally met with private skepticism by the SANS ICS team, as ICS organizations frequently have reliability issues and incorrectly blame cyber mechanisms such as malware found on the network that is unrelated to the outage. Early reporting on incidents is often rushed and stressful, which leads to inaccurate claims. However, in the Ukrainian case, there is a large amount of evidence available, including malware samples, interviews with operators present during the incident, and confirmation by multiple private companies involved in the incident. Lastly, the U.S. government has since also confirmed the attacks through their own investigation.
The most recent report released from DHS ICS-CERT [40] cites direct interviews with operations and information technology staff and leadership at six Ukrainian organizations with firsthand experience of the event. Based on the information provided in the report, [41] the U.S. delegation interviewed and considered information from the three impacted organizations as well as others. The format of the interviews, and asset owner and operator discussions, indicated that the team was not able to independently review technical evidence of the cyber attack. However, a significant number of independent reports from the team's interviews as well as documentary findings corroborate the events. [42] Additionally, a large amount of technical information was made available to the larger community, including indicators of compromise, malware samples, technical information about the ICS itself and its components, and some samples of logs from the SCADA environment. [43] The majority of sources to date have relied upon initial attempts by Ukrainian power entities to inform customers about the cause of the outage and sources derived from interviews with impacted entities. The DHS report does not attempt to assign attacker attribution and neither will this DUC.
However, it should be noted that there may be pieces of information missing due to the lack of visibility in various parts of the ICS network. As an example, packet captures from the network during the attack and field device logging were not available. With this information even more about the technical minutiae of the attack would be available. The amount of information available, as well as the willingness of the impacted oblenergos and Ukrainian government to share that information publicly, was the most seen to date for a confirmed intentional cyber attack that impacted the operations of an ICS.
When considering the technical information provided, the authors of this DUC have considered the larger public reporting of electricity customer outages within Ukraine as a component of the validation and evidence necessary to demonstrate the attacker effects to the electricity system. The official public alert by DHS corroborates prior reporting and is based on interviews and information exchanged with the impacted organizations.
39 Credibility of the information is rated on a scale from [0] Cannot be determined, [1] Improbable, [2] Doubtful, [3] Possibly true, [4] Probably true, [5] Confirmed.
40 https://icscert.uscert.gov/alerts/IRALERTH1605601
41 https://icscert.uscert.gov/alerts/IRALERTH1605601
42 SANS ICS team members have been able to view technical data in both public and non-government private channels to confirm the existence of forensic data and the core components of the analysis based off of the data.
43 It should be noted that many in the community would like access to internal forensic logs of the impacted oblenergos. This is an understandable request, but it is extremely rare for impacted organizations to make such information publicly available.
44 Amount of Technical Information Available is an analyst's evaluation and description of the details available to deconstruct the attack, provided with a rating scale from [0] No specifics, [1] High-level summary only, [2] Some details, [3] Many details, [4] Extensive details, [5] Comprehensive details with supporting evidence.
45 http://mpe.kmu.gov.ua/minugol/control/uk/publish/article;jsessionid=CE1C739AA046FF6BA00FE8E8A4D857F3.app1?art_id=245086886&cat_id=35109