A North American nonprofit electricity industry information center is recommending that its members review their cyber network defenses after a Ukrainian utility lost power for hours following a cyber attack, according to reports.
Reuters first reported Jan. 6 the Electricity Information Sharing and Analysis Center (E-ISAC) counseled its members in a confidential document to “do a better job” at implementing several layers of cyber defenses. E-ISAC reportedly said the attack on the Ukraine electricity utility Prykarpattyaoblenergo appeared to be a “coordinated effort by a malicious actor.”
The Prykarpattyaoblenergo power company said on Dec. 23 that “interference” in the operation of its systems led to a blackout for about 700,000 homes in its service region in western Ukraine, including the regional capital, Ivano-Frankivsk.
Ukraine’s state security service (SBU) has since blamed Russia for the cyber attack, and the energy ministry is investigating the details through a commission. The commission’s conclusions will be released after Jan. 18, the energy ministry said Jan. 6.
The E-ISAC document reportedly identified Galician Computer Co., a systems integrator, as having worked for Prykarpattyaoblenergo and two other utilities. The other utilities, Chernivtsioblenergo and Kyivoblenergo, were reportedly targeted in the attack but did not experience blackouts.
“The integrator is the single point of connection between various regional electrical entities in the Ukraine that were exposed to this attack,” E-ISAC reportedly said.
In a separate incident, Ukraine cut off some power supplies to Crimea, which Russia annexed in 2014. Ukrainian police blamed that outage on unidentified saboteurs who blew up an electricity pylon.
Independent cybersecurity analysts are also investigating the attack. At first, some were careful not to characterize the power loss as a Russian attack.
The SANS Institute, an information security training company, obtained a malware sample, which may have caused the power loss, from the network of the Ukrainian site targeted in the attack.
Although the accessed malware was not yet confirmed to be the cause of the power loss, the SANS Industrial Control Systems (ICS) team believes it is related to the incident, SANS ICS Blog contributor Robert Lee said Jan. 1.
Lee is also the founder and CEO of Dragos Security and a former Cyber Warfare Operations officer.
Lee noted that, despite widespread speculation that the Ukraine hack is related to BlackEnergy, a malware family used in attempts to breach energy providers since 2014, “there is very little to support this conclusion right now.”
If the hack is connected to the BlackEnergy campaign, that would add credibility to Ukraine’s claim that Russian security services were behind it, Lee added.
Other independent analyses added detail about how the attack was carried out.
“This is not necessarily a complex strain of malware. It is highly likely that it was delivered to its intended victim via a phishing email with an infected attachment. Once executed, the document downloaded the appropriate packages for persistence on the infected machine,” Kyle Wilhoit, senior threat researcher at Trend Micro, said in a statement.
Trend Micro also noted that, in addition to the power utility, at least one Ukrainian broadcast company was targeted, using the same KillDisk component, a recent addition to the BlackEnergy malware campaign.
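The delivery path described above (a phishing e-mail whose attached document, once opened, fetches further components) is the stage where a mail gateway or incident responder can intervene cheaply. The following script is an added example, not code from Trend Micro, SANS or the article; it assumes the attachment was a macro-enabled Office document, which the quote implies but does not state. It inspects an OOXML container (docx, xlsm and similar) for an embedded VBA project and flags legacy OLE2 binaries separately, since those need a different parser. The sample documents it builds are constructed in memory for the demonstration and are not real malware.

```python
"""Flag e-mail attachments that carry VBA macros (added example, not the article's
or any vendor's code).

Assumption: the phishing attachment was a macro-enabled Office document. Only OOXML
(zip-based) containers are inspected; legacy OLE2 files (.doc/.xls) are reported as
needing OLE parsing rather than being parsed here.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # compound-file header
MACRO_CT = "application/vnd.ms-office.vbaProject"        # content type of a VBA part


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'ole2-legacy' or 'not-office' for an attachment blob."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros live in OLE streams, not in a zip entry.
        return "ole2-legacy"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "not-office"
            # A VBA project is normally stored as word/xl/ppt/vbaProject.bin.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            # Also trust the declared content types, in case the part was renamed.
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACRO_CT in types_xml:
                return "macro"
    except zipfile.BadZipFile:
        return "not-office"
    return "clean"


def make_docx(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML container for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = (
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/>'
        )
        if with_macro:
            types += f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CT}"/>'
        types += "</Types>"
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project (constructed).
            zf.writestr("word/vbaProject.bin", b"constructed vba blob")
    return buf.getvalue()


if __name__ == "__main__":
    samples = (
        ("macro-doc", make_docx(True)),
        ("clean-doc", make_docx(False)),
        ("pdf", b"%PDF-1.4 constructed"),
        ("legacy-doc", OLE2_MAGIC + b"\x00" * 16),
    )
    for label, blob in samples:
        print(f"{label:10s} -> {classify_attachment(blob)}")
```

In practice a gateway would quarantine anything classified as `macro` or `ole2-legacy` for further inspection rather than relying on signatures for a particular payload, which is the kind of layered control the E-ISAC advisory reportedly urged its members to implement.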