Suspected Russian cyberattack that hit Ukrainian power plant strikes major airport

Ukrainian officials are reviewing the country’s cybersecurity defenses after a cyberattack apparently originating from Russia struck the country’s main airport.

“In connection with the case [at Kiev’s major airport] Boryspil, the ministry intends to initiate a review of anti-virus databases in the companies which are under the responsibility of the ministry,” an infrastructure ministry spokeswoman told Reuters.

The malware found in the airport computer network—which includes air-traffic control functions—is reportedly similar to the malicious code found in a Ukrainian power plant that suffered a major outage on Dec. 23. Ukrainian authorities have blamed Russian hackers for that outage. The malware, called BlackEnergy, is the work of an ethnic Russian hacker group called Sandworm.

A military spokesman told Reuters that the malware was being directed from a server located in Russia. Because Ukraine detected it in the airport computers quickly enough, it did not have time to damage the system.

The infrastructure ministry did not respond to a request for comment.

The U.S. Cyber Emergency Readiness Team (US-CERT) is assisting Ukraine’s CERT in investigating the late December power outage, which occurred in the western part of the country. Several American cybersecurity firms have concluded that the BlackEnergy malware was responsible, making the incident the first time a digital attack has resulted in a power blackout.

The attack raises the specter of low-level cyberwar in a world that largely lacks the legal regime to handle such conflict.

Scott Borg, the director of the U.S. Cyber Consequences Unit, a private research firm, said that independent “cyber militias,” and not the Russian government itself, were responsible for the BlackEnergy attacks.

“The Russian government has regularly been able to influence the timing and choice of targets by ethnically Russian civilian cyber militias without becoming directly involved in their actions,” Borg said in an email.

“There have even been cases where the ethnically Russian attackers went after targets, such as banks, when they believed that the Russian government would support these attacks, but when the Russian government may actually have been surprised by the resulting cyber campaigns,” he said. “This is suggested by the apparent confusion of the Russian government when it was accused of supporting some of these cyber actions.”

Ethnic Russian hacking groups have targeted Ukrainian computer systems on and off since Russia invaded Crimea in early 2014. Russian cyber criminals also used computer attacks to supplement the government’s military action during the 2008 Russo-Georgian War.

“Hacker talent over the last few years has increasingly focused on industrial control systems and other kinds of operational systems,” Borg said. “It has been many years since the brightest young hacker minds were interested in things like botnets.”

Photo via Aero Icarus/Flickr (CC BY 2.0) | Remix by Jason Reed

Eric Geller

Eric Geller is a politics reporter who focuses on cybersecurity, surveillance, encryption, and privacy. A former staff writer at the Daily Dot, Geller joined Politico in June 2016, where he's focused on policymaking at the White House, the Justice Department, the State Department, and the Commerce Department.