When a Cyberattack Paralyzed a Power Grid!
In 2016, when cyber attackers targeted Ukraine's power grid, they had an interesting challenge:
To attack the power grid, they needed to be inside the network that controls it. But that network is highly segregated, firewalled and disconnected from the internet.
How then could they enter it? How then could they cause the damage?
For a determined attacker, no challenge is a formidable challenge.
In the end, attackers not only breached the power grid, but also disconnected multiple electrical substations, causing a full blackout for 250k residents.
This is the story of the first publicly acknowledged cyber-attack on a power grid. Here's more:
Attack flow:
1) Attacker targets Ukraine's electricity staff > Sends Facebook-themed phishing emails with embedded malicious Office documents.
2) Victim downloads the document and enables macros > Payload executes > Installs malware > Communication between the victim's machine and the attacker's machine is established.
3) Attacker spends the next 6 months just gathering more credentials, studying the network layout, and establishing persistence.
(Up to this point, the attacker has access only to the IT network. But they need to get into the actual network that controls the electricity substations, called the SCADA network.)
4) During the 6 months of recon, attacker steals a grid worker's VPN credentials used to remotely log in to SCADA > Replays them > Now gets inside SCADA > Looks for SCADA dispatch workstations. (From these, they can now send instructions.)
5) Attacker performs a firmware attack, replacing the legitimate firmware on the substations with malicious firmware > Renders them unrecoverable. (After this, the operators could no longer connect to the substations.)
6) In parallel, attacker launches a telephone denial-of-service attack against customer call centers of the electricity utilities. (Why? Explained below.)
7) Attacker deploys wiper malware > Overwrites the master boot record of infected computers > Computers cannot reboot > Total blackout!
A few thoughts on this attack:
There are so many things to talk about in an attack such as this. I’ll limit it to the key ones:
The IT network is where employees check their emails. The OT network (Operational Technology) is where industrial systems (e.g., power, aerospace, telephone) are controlled. The two cannot exist in the same network. Period.
Many companies are aware of this and segment their networks. But in reality, most such implementations do not end up as "fully segregated" networks. There will always be that 'one hop' that allows entry into OT from other networks, and that is the one that gets targeted! The more such hops you have, the more vulnerable you are. Threat model. Identify such hops. Eliminate them.
If, for some business reason, you had to allow access from IT into OT (which should itself be a concern), then implement solid controls to restrict that access. For example, the flaw in the above scenario is that VPN connections were allowed without MFA.
The attackers spent 6 months in the IT network just doing recon. This is the window in which to catch them, because once they enter the key network they will move at a rapid pace to finish their task. This is why fundamental practices such as network monitoring, phishing protection and endpoint monitoring are so critical.
As for why the attacker performed the phone DoS, here's the reason: by DDoS-ing the telephone lines, the attackers prevented customers from calling in to report the outage! This bought them a few more minutes to complete their mission of taking down more substations without alerting personnel.
At the end, the attacker deployed a wiper attack. Wiper attacks usually target an important on-disk structure called the "Master Boot Record" (MBR). The MBR holds important information about how your computer starts up, like where to find the operating system. Think of it like a map that guides your computer when you turn it on. Attackers overwrite the MBR so that the boot process crashes, making the files inaccessible.
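As an added illustration (not from the original post) of what a responder checks when a wiper has hit the MBR, the following Python decodes the 512-byte first sector described above, verifies the 0x55AA boot signature and the four partition-table slots, and flags a zero-filled sector. The sample MBR and the wipe routine are constructed for the example and are not taken from any real disk image.

```python
import struct
from collections import namedtuple

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # bootstrap code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16      # four 16-byte entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511; firmware refuses to boot without it
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"

PartitionEntry = namedtuple("PartitionEntry", "bootable type_id lba_start sectors")


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four partition slots; empty slots (type 0) are skipped."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, off)
        if ptype != 0:
            entries.append(PartitionEntry(status == 0x80, ptype, lba_start, sectors))
    return entries


def check_mbr(mbr: bytes) -> list:
    """Return findings that indicate a destroyed MBR; an empty list means it looks intact."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected sector size {len(mbr)}"]
    findings = []
    if mbr[MBR_SIZE - 2:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if not any(mbr[:PARTITION_TABLE_OFFSET]):
        findings.append("bootstrap code area is all zeros")
    parts = parse_partition_table(mbr)
    if not parts:
        findings.append("partition table is empty")
    elif not any(p.bootable for p in parts):
        findings.append("no partition marked bootable")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample: jmp + NOP filler, one bootable NTFS (0x07) partition, valid signature."""
    boot_code = b"\xeb\x63\x90" + b"\x90" * (PARTITION_TABLE_OFFSET - 3)
    table = struct.pack(ENTRY_FMT, 0x80, 0x07, 2048, 204800) + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    return boot_code + table + BOOT_SIGNATURE


def simulate_wipe(mbr: bytes) -> bytes:
    """Model of the post's wiper step: the whole first sector is overwritten with zeros."""
    return b"\x00" * len(mbr)
```

Run `check_mbr` against the first sector of an image pulled from an affected host; an intact disk yields no findings, while the simulated wipe trips all three checks.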
During such attacks, one thing that is extremely valuable afterwards is the availability of logs. Ensure that logging is enabled on devices present in both IT and OT.
The Ukrainian power companies did not have a way to maintain control of their SCADA environment after the attack. In regular IT-based attacks, you take actions to offboard a device, reset a credential or disable an asset. Similar capabilities need to be established in OT environments. Otherwise, recovering quickly from such attacks can be extremely hard.
Hope you learned something useful.