Last year, in December, a cyber attack took place in Ukraine which left 225,000 people without electricity for a while.
Now if we let this sink in, we have to realize that emergency services were not available, that people were forced to stay in cold homes, that alarm systems were not operating and that the entire country could have been turned upside down in a couple of hours.
The level of the cyber attack was high enough for the Industrial Control Systems Cyber Emergency Response Team to investigate the events which had taken place.
According to ICS CERT (Industrial Control Systems Cyber Emergency Response Team) the outages which were experienced on December 23, 2015 were caused by external cyber-attackers.
ICS CERT also stated that:
Through interviews with impacted entities, the team learned that power outages were caused by remote cyber intrusions at three regional electric power distribution companies (Oblenergos) impacting approximately 225,000 customers.
But what is also interesting is the fact that ICS CERT discovered that:
Three other organizations, some from other critical infrastructure sectors, were also intruded upon but did not experience operational impacts.
The report which has been published explains that the cyber attack was a synchronized and coordinated cyber attack. The threat actors are believed to have performed extensive reconnaissance of the victim networks, and according to the employees of the affected companies, the cyber attacks occurred within 30 minutes of each other.
During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections. – us-cert.gov
But it gets worse: the threat actors also focused on the following points in their cyber attack on Ukraine:
Systems were wiped
All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack.
In at least one instance, Windows-based human-machine interfaces (HMIs) embedded in remote terminal units were also overwritten with KillDisk.
The actors also rendered Serial-to-Ethernet devices at substations inoperable by corrupting their firmware.
UPS were disconnected
In addition, the actors reportedly scheduled disconnects for server Uninterruptible Power Supplies (UPS) via the UPS remote management interface. The team assesses that these actions were done in an attempt to interfere with expected restoration efforts.
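The pattern the report describes above (a remote session, followed by breaker operations, followed by scheduled UPS disconnects, repeated at several sites within about 30 minutes) is something a defender can look for in their own logs. The following is an added example, not code from the original post or from ICS-CERT; the log format, field names, site names and timestamps are all constructed for illustration and do not come from the incident data.

```python
"""Correlate constructed IT/ICS log events across sites to flag the pattern
described in the report: a remote session followed by breaker commands and
UPS shutdown scheduling, clustered across several sites within a short window.
The log format and field names are invented for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Event kinds used by the constructed log (hypothetical names).
REMOTE = "remote_session"
BREAKER = "breaker_open"
UPS_SCHED = "ups_shutdown_scheduled"


@dataclass
class Event:
    ts: datetime
    site: str
    kind: str
    detail: str


# Constructed sample log lines (not real incident data). siteD is a normal,
# locally operated breaker event that should not be flagged.
SAMPLE_LOG = """\
2015-12-23T15:10:02 siteA remote_session vpn_user=ops1 src=203.0.113.5
2015-12-23T15:18:40 siteA breaker_open feeder=F12 via=hmi_client
2015-12-23T15:19:05 siteA ups_shutdown_scheduled ups=ups-srv1 at=16:00
2015-12-23T15:22:11 siteB remote_session vpn_user=ops7 src=203.0.113.5
2015-12-23T15:31:50 siteB breaker_open feeder=F03 via=hmi_client
2015-12-23T15:35:00 siteC remote_session vpn_user=ops2 src=198.51.100.9
2015-12-23T15:40:20 siteC breaker_open feeder=F07 via=hmi_client
2015-12-23T15:41:00 siteC ups_shutdown_scheduled ups=ups-srv3 at=16:05
2015-12-23T09:00:00 siteD breaker_open feeder=F01 via=local_panel
"""


def parse_log(text: str) -> List[Event]:
    """Parse 'timestamp site kind detail' lines into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, site, kind, detail = line.split(" ", 3)
        events.append(Event(datetime.fromisoformat(ts), site, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def sites_with_remote_breaker_ops(events: List[Event],
                                  window: timedelta = timedelta(minutes=30)
                                  ) -> Dict[str, Event]:
    """Map site -> first breaker command issued within `window` of a remote session."""
    hits: Dict[str, Event] = {}
    last_remote: Dict[str, datetime] = {}
    for e in events:
        if e.kind == REMOTE:
            last_remote[e.site] = e.ts
        elif e.kind == BREAKER:
            t = last_remote.get(e.site)
            if t is not None and e.ts - t <= window:
                hits.setdefault(e.site, e)
    return hits


def coordinated_sites(hits: Dict[str, Event],
                      window: timedelta = timedelta(minutes=30)) -> List[str]:
    """Largest group of flagged sites whose breaker commands fall within `window`."""
    times = sorted((ev.ts, site) for site, ev in hits.items())
    best: List[str] = []
    for i, (t0, _) in enumerate(times):
        group = [s for t, s in times[i:] if t - t0 <= window]
        if len(group) > len(best):
            best = group
    return sorted(best)


def ups_shutdowns_after_breaker(events: List[Event],
                                hits: Dict[str, Event]) -> List[str]:
    """Flagged sites where a UPS shutdown was scheduled after the breaker command."""
    return sorted(e.site for e in events
                  if e.kind == UPS_SCHED and e.site in hits
                  and e.ts >= hits[e.site].ts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = sites_with_remote_breaker_ops(evs)
    print("remote-driven breaker ops:", sorted(hits))
    print("coordinated within 30 min:", coordinated_sites(hits))
    print("UPS shutdown scheduled afterwards:", ups_shutdowns_after_breaker(evs, hits))
```

The three checks are deliberately separate: a single remote-session-then-breaker event at one site may be legitimate maintenance, but the same sequence at three sites inside half an hour, followed by UPS shutdown scheduling, is the combination the report singles out, and each stage is a place where an alert or a manual approval step could have interrupted the chain.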
It is not the first time that a country has suffered such a cyber attack: in 2007, Estonia suffered a cyber attack which derailed the country for 2 weeks – more information about the Estonia case can be found here.