The U.S. Cyber Emergency Response Team said on Monday that it had identified a version of the BlackEnergy malware in the industrial-control systems of a Ukrainian energy company that announced major blackouts on Dec. 23.
BlackEnergy is associated with the ethnic Russian hacking group Sandworm, and Ukraine has blamed Russia for the outage. US-CERT, part of the Department of Homeland Security, previously found the malicious code in U.S. energy infrastructure in 2014. It apparently crept into the Ukrainian systems through an infected Microsoft Word file.
“The basic facts and overall circumstances of the cyber attacks that caused the electric power outage in Ukraine all suggest that an ethnically Russian cyber militia was responsible,” Scott Borg, the director of the U.S. Cyber Consequences Unit, a nonprofit cybersecurity research group, said in an email.
“The significant thing about this event is that the actual functions of a critical infrastructure industry were affected,” Borg said. “Russian cyber militias have always carefully avoided these sorts of targets in their previous cyber campaigns.”
If the outage is confirmed to be the result of a cyberattack, it would represent the first instance of a digital assault causing a physical blackout. Such a determination could prompt greater scrutiny of the international law of cyberspace, which is largely unwritten. The incident is already raising alarm bells in the U.S. energy sector.
Borg considered it “extremely unlikely” that the Russian government had carried out the attack itself, “using these tools.” The BlackEnergy malware’s relative simplicity instead pointed to non-state actors, said Borg, whose group studies the cyber campaigns of groups supporting Russia, China, and other states and causes.
“These cyberattacks did not demonstrate any great knowledge of how electric power systems operate,” he wrote. “They do not appear to have been designed to do maximum damage.”
Instead, he suggested that they “were simply a small political statement, containing a small implicit threat.”
Ukraine and Russia have been locked in political and military conflict since the late 2013 ouster of Ukraine’s pro-Russian president, and Russia has encouraged non-state actors to conduct cyber campaigns on its behalf in previous conflicts.
US-CERT said that it could not “confirm a causal link between the power outage [and] the presence of the malware,” suggesting a possible desire to avoid prematurely linking Russia to the incident. But Borg said that he “would be careful not to read too much into those wordings,” saying that US-CERT’s reports were “not heavily edited and vetted for diplomatic consequence.”
It is unclear whether the Obama administration will formally accuse pro-Russian forces of the attack. In an email to the Daily Dot, Jason Healey, a senior cyber research scholar at Columbia University’s School of International and Public Affairs, said that while “they likely will be under pressure to talk,” officials might let private-sector investigators release the definitive analysis.
The security firm iSIGHT Partners linked the attack to Sandworm in a Jan. 7 report.
Along with DHS, the National Security Agency and the Central Intelligence Agency are said to be investigating the outage.
Marty Edwards, the head of US-CERT’s industrial-control systems division, said at a conference on Wednesday that his investigators saw “more and more [attacks] that are gaining access to that control system layer” due to vulnerabilities in Internet-connected hardware.
Photo via Juanedc.com/Flickr (CC BY 2.0) | Remix by Max Fleishman