The Obama administration on Thursday confirmed that a “synchronized and coordinated” cyberattack hit Ukrainian energy companies last year in what is believed to be the first case of a digital assault causing a power outage.
The United States Computer Emergency Readiness Team said in an alert released Thursday night that “remote cyber intrusions at three regional electric power distribution companies” caused the Dec. 23 outage, which affected nearly a quarter of a million people in Ukraine's western region. The outage, first widely reported on Dec. 31, attracted international attention because of the largely uncharted legal waters governing cyberspace.
“The cyberattack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks,” US-CERT, the Department of Homeland Security team that leads the government’s cyber incident response, said in its alert. “According to company personnel, the cyberattacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities.”
Investigators believe that the intruders remotely accessed the industrial control systems that operate the distribution companies' networks by logging in with previously stolen, legitimate high-privilege credentials rather than by exploiting the control systems themselves.
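The two details the alert gives, remote sessions opened with valid credentials and intrusions at several companies within 30 minutes of each other, are also what a defender can look for. The following is an added example, not code from the article, US-CERT or the affected utilities: it correlates successful remote logins to control-system hosts across sites and flags any cluster that spans more than one site inside a short window. The log format, site names, hostnames, accounts and addresses are constructed for the example.

```python
"""
Added example (not from the article or the US-CERT alert): flag remote,
credentialed logins to control-system hosts that hit several sites within
a short window, the pattern the alert attributes to the Dec. 23 intrusions.
"""
from datetime import datetime, timedelta

# Constructed sample log lines; the key=value format, sites, hosts, users and
# addresses are hypothetical and exist only for this example.
SAMPLE_LOGS = """\
2015-12-23T15:02:11Z site=west-1 host=hmi-01 user=ops_admin src=10.200.4.7 method=vpn result=success
2015-12-23T15:04:48Z site=west-1 host=hmi-02 user=ops_admin src=10.200.4.7 method=vpn result=success
2015-12-23T15:19:30Z site=west-2 host=hmi-01 user=svc_scada src=10.200.4.7 method=vpn result=success
2015-12-23T15:27:05Z site=west-3 host=hmi-03 user=ops_admin src=10.200.4.9 method=vpn result=success
2015-12-23T09:10:00Z site=west-2 host=hmi-01 user=svc_scada src=10.10.1.5 method=console result=success
2015-12-23T15:40:00Z site=west-1 host=hmi-01 user=tech_bob src=10.200.4.7 method=vpn result=failure
"""


def parse_line(line):
    """Split 'TIMESTAMP key=value key=value ...' into a dict with a parsed ts."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def remote_logins(log_text):
    """Keep only successful sessions that reached a control host remotely.

    Console logins and failed attempts are dropped: the alert's point is that
    the attackers succeeded with valid credentials over a remote path.
    """
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in events if e["method"] == "vpn" and e["result"] == "success"]


def multi_site_clusters(events, window_minutes=30, min_sites=2):
    """Return clusters of remote logins that touch >= min_sites distinct sites
    within window_minutes of the cluster's first login.

    A sliding window over time-sorted events; a window that ends on the same
    event as the previous one is a strict subset and is skipped so each cluster
    is reported once.
    """
    window = timedelta(minutes=window_minutes)
    events = sorted(events, key=lambda e: e["ts"])
    clusters = []
    last_end = -1
    for i, start in enumerate(events):
        end = i
        while end + 1 < len(events) and events[end + 1]["ts"] - start["ts"] <= window:
            end += 1
        if end == last_end:
            continue
        last_end = end
        group = events[i:end + 1]
        sites = {e["site"] for e in group}
        if len(sites) >= min_sites:
            clusters.append({
                "start": start["ts"].isoformat(),
                "sites": sorted(sites),
                "users": sorted({e["user"] for e in group}),
                "sources": sorted({e["src"] for e in group}),
                "count": len(group),
            })
    return clusters


if __name__ == "__main__":
    for c in multi_site_clusters(remote_logins(SAMPLE_LOGS)):
        print(f"{c['start']}: {c['count']} remote logins across sites "
              f"{c['sites']} by {c['users']} from {c['sources']}")
```

On the constructed input the 30-minute window yields one cluster covering all three sites, with a single VPN source address reaching two of them; that shared source is the detail worth pivoting on, since it suggests one operator rather than three maintenance crews. The window and site threshold are deliberately parameters: a utility that normally sees cross-site remote work would tune them against its own baseline, and the same logic applies to any login source, not just VPN, if the `method` filter is widened.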
Feverish speculation has surrounded the identity of the attackers. Malware called BlackEnergy, which has been linked to a Russian hacker collective called Sandworm Team, was found on each company’s computers. The government of Russian President Vladimir Putin is known to encourage ethnic Russian hackers to conduct attacks that support its foreign-policy goals, such as in Estonia in 2007 and Georgia in 2008.
“The significant thing about this event is that the actual functions of a critical infrastructure industry were affected,” Scott Borg, the director of the U.S. Cyber Consequences Unit, which advises the public and private sectors on cybersecurity, told the Daily Dot in an email on Jan. 13. “Russian cyber militias have always carefully avoided these sorts of targets in their previous cyber campaigns.”
U.S. investigators stressed that the connection between BlackEnergy and this cyberattack was unclear. It could theoretically have been left over from a previous, still-secret breach, or it could have been implanted in preparation for an attack yet to come.
Attributing cyberattacks is difficult because perpetrators can route their traffic through compromised computers on innocent networks to mask its true origin. China and Russia, often considered the two largest state sponsors of cyberattacks, also have some of the most porous networks in the world, so traffic that appears to come from either country does not by itself prove that its government was involved.
Perhaps owing to the malware’s Russian origins and the tense state of diplomatic relations between the former Cold War rivals—which are locked in conflicts over Iran and Syria—the U.S. cyber response team took pains to avoid directly implicating BlackEnergy.
“It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated,” US-CERT said. “It is important to underscore that any remote access Trojan could have been used and none of BlackEnergy’s specific capabilities were reportedly leveraged.”
In early January, Ukrainian investigators found malware similar to BlackEnergy on the computers of one of the country’s major airports after it, too, suffered a cyberattack.
Congressional Republicans and even some Democrats have assailed the White House for moving slowly to design and execute offensive and defensive policies for cyberspace, which has become a key battlefield in the past few years as more critical infrastructure systems become interconnected.
Photo via J Brew/Flickr (CC BY 2.0) | Remix by Max Fleishman