Hackers responsible for the late December 2015 cyber attack on part of Ukraine’s power grid were based in Russia, Ukraine’s Ministry of Energy and Coal Industry said Feb. 12, according the report in Reuters.
The ministry stated its findings after the conclusion of an investigation into the hack, first reported in early January. The original attack spurred a North American electricity industry information center to recommend its members review their cyber network defenses.
Although the ministry did not accuse the Russian government of direct involvement, it said hackers used a Russian-based internet provider and made phone calls from inside Russia.
“According to one of the power companies, the connection by the attackers to its IT network occurred from a subnetwork…belonging to an (internet service) provider in the Russian Federation,” the ministry said in the report.
Oleksander Svetelyk, Deputy Energy Minister, said the attackers prepared at least six months in advance.
“The attack on our systems took at least six months to prepare–we have found evidence that they started collecting information (about our systems) no less than 6 months before the attack,” Svetelyk told Reuters.
Researchers at Trend Micro, a software security firm, said Feb. 11 that the hackers behind the Ukraine power attack were also likely behind similar attacks against a mining company and a railway operator in Ukraine.
The researchers deduced this by pivoting off the original indicators of compromise, which included hacker group BlackEnergy reconnaissance and lateral movement tools as well as KillDisk, a disk-wiping malware.
“A fellow senior threat researcher at Trend Micro and I began hunting for additional infections or malware samples related to the incident. We quickly realized that Prykarpattya Oblenergo and Kyivoblenergo were not the only targets revolving around the newest BlackEnergy campaign,” Kyle Wilhoit, Senior Threat Researcher at Trend Micro, said in a company blog post.
Using open source intelligence telemetry data and the company’s Smart protection Network, the researchers saw samples of the BlackEnergy and KillDisk malware used against the mining and rail companies.
“In addition, the possible infections in the mining and railway organizations appear to use some of the same BlackEnergy and KillDisk infrastructure that were seen in the two power facilities attacks,” Wilhoit said.
“Based on our research, we can say we believe that the same actors are likely involved in some regard to these two victims and to those behind the Ukrainian power utility attack,” he added.
The Trend Micro researchers postulated three possibilities about the larger cyber attack picture. Attackers may have intended to destabilize Ukraine via a massive or persistent disruption involving power, mining, and transportation; the attackers have deployed the malware at different critical infrastructure systems to determine which is the easiest to infiltrate and later take control of; and/or the infections in the mining and train companies were possibly preliminary with attacks testing the code base.
“Whichever is the case, attacks against Industrial Control Systems (ICS) should be treated with extreme seriousness because of the dire real-world repercussions. In addition—and this bears repeating—this attack shows that any organization, regardless of the nature or size of their business, can be a target,” Wilhoit said.