WASHINGTON – A U.S. investigation found that a December hack on the Ukrainian power grid was coordinated and highly sophisticated.
The report, released Thursday, offers a detailed look at one of the first cyberattacks to succeed in taking down part of a national power grid. The well-planned strike, which blacked out supplies to more than 225,000 people, hit three regional electronic power distribution companies within 30 minutes of each other on Dec. 23.
An attack such as this one has long been a nightmare scenario for top U.S. officials. National Security Agency and U.S. Cyber Command chief Adm. Michael Rogers has previously warned that it is not a matter of if, but when, attackers will also target U.S. power systems.
The impacted sites continue to “run under constrained operations” more than two months later. In addition, the report states that three other organizations, some involved with unspecified Ukrainian “critical infrastructure,” also appear to have been hacked — but didn’t suffer overt impacts to their operations.
The U.S. sent a team of cyber officials including from the Department of Homeland Security, the Department of Energy, and the FBI to Ukraine to work with the government and learn lessons to prevent such future attacks.
The group did not independently review technical evidence from the Dec. 23 cyberattack, although it conducted interviews and did other spadework to piece together what appears to be a highly targeted and advanced hack.
The hackers appear to have conducted “extensive reconnaissance of the victim networks,” possibly by first using malware introduced via phony “phishing” emails to snag user names and passwords to access the facility remotely and hit their circuit breakers.
The networks were compromised at least six months before the outage, by sending emails that included the downloader for the virus Black-Energy to company employees whose emails were found publicly online, said Anna Dudka, a spokeswoman for the Ukrainian Energy Ministry.
All the affected companies reported infections with malware known as BlackEnergy, although U.S. investigators said they are still evaluating whether that specific malware played a role in the attacks.
At the end of the attack, hackers wiped targeted files on some of the systems at the three electrical companies using malware called “Kill-Disk,” which also rendered the system inoperable.
The hackers also did their best to interfere with power-restoration efforts.
For instance, they aimed to keep important servers inoperative by remotely disconnecting their “uninterruptible power supplies,” which would normally keep the computers running even during a blackout. The attackers managed that by accessing an internal management program for those power supplies.
Among several preventive measures, the report suggests that companies isolate systems used to run critical infrastructure from the Internet and that they limit the ability to remotely access these systems.