Ukraine: How Russian hackers wanted to turn off the electricity

It’s hard to imagine a place further removed from the war in Ukraine than the Mandalay Bay Resort in Las Vegas. The huge hotel and casino complex at the southern end of the famous “Strip” is the backdrop for the 20th Black Hat, a conference on IT security. Outside, guests splash around in the artificial lagoon; inside, between endless rows of slot machines and an oversized aquarium with sharks, experts from 111 countries meet for lectures in pompous American ballrooms.

But when Robert Lipovsky and Anton Cherepanov from the Slovakian IT security company Eset introduce their star guest, Ukraine is suddenly practically within reach: Viktor Zhora, the deputy head of the Ukrainian IT security agency, has come to Las Vegas.

Zhora says that since the end of February he has had to fend off more hacker attacks than ever before. One of them could have turned off the electricity for up to two million citizens – if it had been successful. The fact that it wasn’t is reassuring on the one hand: a blackout apparently cannot simply be hacked into existence. On the other hand, it’s disturbing how much effort a suspected government hacking entity put into the attempt.

The perpetrators entered at least a week before the war began

Eset and others blame the attack on the Sandworm group, a hacking group affiliated with Russia’s GRU military intelligence agency. It is called that because earlier code snippets of theirs contained several references to Frank Herbert’s “Dune”.

Sandworm had already sabotaged the Ukrainian power supply in 2015 and 2016, the first time for about six hours, the second time for only one. 112. 10 and 700,000 Ukrainians respectively were temporarily without electricity. At the time, the attacks alerted security experts worldwide.

The third attempt took place on Friday evening, April 8th, 2022. But it was prepared at least a week before the start of the Russian attack, namely by February 17th at the latest, says Zhora.

He assumes that on that day – or even earlier – a regional Ukrainian electricity company was compromised in a way that is still unknown. A reconnaissance phase of several weeks followed. The hackers then spread through the supplier’s network from the IT to the OT (Operational Technology), i.e. the control technology.

According to the findings of Eset and the US company Mandiant, the actual malware is based on the one that was used in 2016 and named Industroyer. That was “the first malware specifically designed to attack the power supply,” says Lipovsky.

Attacks on the power supply are highly complex

Eset calls the further development that was used this year Industroyer2. And although many details of the attack in April are still unclear, Industroyer2 and its predecessor show how complex it is to physically damage industrial control systems, such as those of energy suppliers, with malicious code alone.

The attack was to proceed in several complex stages, as the Eset researchers were able to reconstruct. The perpetrators’ aim was first to switch off the electricity in a substation, then to deny the operators access to their own system, and finally to manipulate the control system in such a way that it could no longer be started up.

But the attack was meant to become even more insidious: in the 2016 version, the attackers also wanted to manipulate a Siemens relay installed by the electricity supplier, a device whose actual job is to trigger a protective cut-off in the event of faults. To do this, they wanted to use a prepared file to put the relay into an update mode in which it would get stuck. When the operator then tries to restart the power manually because of the hacking attack, the system would be damaged – because the protection manipulated by the hackers would not kick in.

Eset doesn’t know whether Industroyer2 was meant to attempt the same. “We haven’t seen any evidence of this,” Lipovsky said in an interview with SPIEGEL. What is clear, however, is that additional malicious programs, so-called wipers, were intended to cover the perpetrators’ tracks in the network this time, among other things by overwriting log files and rendering drives unusable. Such wipers have been a recurring hacking weapon in various attacks on Ukrainian targets in recent months.

The alleged group behind the attack: Sandworm

The attack required in-depth knowledge of the plant and the industrial control systems (ICS) used there. The perpetrators needed a corresponding number of resources and specialists. Lipovsky finds the effort the perpetrators made to familiarize themselves with the intricacies of the underlying software protocols downright “disturbing”, because such details can’t simply be googled.

If someone has this special knowledge, the defenders have a fundamental problem: ICS like those in the Ukrainian substation and the associated protocols “were developed decades ago without paying attention to security”, says Lipovsky. Accordingly, Sandworm did not have to exploit any previously unknown vulnerabilities in the system. On the contrary, Industroyer2, as the Eset researcher puts it, “uses a protocol exactly as it was intended”.
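Because the protocol itself offers no authentication, the defensive lever is to watch who issues control commands and from where. The article does not name the protocol; Eset’s public Industroyer2 analysis documents it as IEC 60870-5-104 (IEC-104), and the following is an added example written for this page, not code from the article, from Eset or from any utility. It parses IEC-104 I-format frames far enough to identify control ASDUs (single, double and regulating step commands) and raises an alert when such a command comes from a host that is not on the operator’s allowlist of engineering workstations. The packet bytes, host addresses and allowlist are constructed for the example.

```python
"""Allowlist-based alerting on IEC-104 control commands (constructed example).

Parses just enough of an IEC 60870-5-104 APDU to see which ASDU type it
carries and which information object it addresses, then flags control
commands that did not originate from an allowlisted engineering host.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# IEC-104 ASDU type identifiers for control-direction commands.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
}
COT_ACTIVATION = 6  # cause of transmission "activation"


@dataclass
class Asdu:
    type_id: int
    num_objects: int
    cot: int
    common_addr: int
    ioa: int          # information object address (first object only)
    payload: bytes    # element bytes of the first object


@dataclass
class Event:
    """One captured TCP payload between two hosts (constructed input)."""
    src: str
    dst: str
    apdu: bytes


def parse_apdu(data: bytes) -> Optional[Asdu]:
    """Return the ASDU of an I-format frame, or None for S/U-format frames."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC-104 APDU")
    if data[1] + 2 != len(data):
        raise ValueError("APDU length field does not match payload")
    ctrl = data[2:6]
    if ctrl[0] & 0x01:           # bit 0 set: S- or U-format, no ASDU
        return None
    asdu = data[6:]
    if len(asdu) < 9:            # type, VSQ, COT(2), CA(2), IOA(3)
        raise ValueError("ASDU too short")
    type_id = asdu[0]
    num_objects = asdu[1] & 0x7F
    cot = asdu[2] & 0x3F
    common_addr = struct.unpack("<H", asdu[4:6])[0]
    ioa = int.from_bytes(asdu[6:9], "little")
    return Asdu(type_id, num_objects, cot, common_addr, ioa, asdu[9:])


def detect(events: Iterable[Event], allowed_sources: Set[str]) -> List[str]:
    """Alert on control commands whose source host is not allowlisted."""
    alerts = []
    for ev in events:
        asdu = parse_apdu(ev.apdu)
        if asdu is None or asdu.type_id not in CONTROL_TYPES:
            continue                     # monitoring data or link-layer frame
        if ev.src in allowed_sources:
            continue                     # expected operator workstation
        alerts.append(
            f"{ev.src} -> {ev.dst}: {CONTROL_TYPES[asdu.type_id]} "
            f"on IOA {asdu.ioa} (CA {asdu.common_addr}, COT {asdu.cot})"
        )
    return alerts


# Constructed frames. SINGLE_CMD: type 45, one object, COT 6, CA 1, IOA 1, SCO=ON.
SINGLE_CMD = bytes.fromhex("680e00000000" "2d01" "0600" "0100" "010000" "01")
# Spontaneous single-point indication from the RTU: type 1, COT 3.
MONITOR_SP = bytes.fromhex("680e00000000" "0101" "0300" "0100" "010000" "01")
# U-format TESTFR act (keep-alive), carries no ASDU.
TESTFR_ACT = bytes.fromhex("680443000000")

ALLOWED_HMI = {"10.0.0.10"}  # constructed allowlist of engineering hosts
SAMPLE_EVENTS = [
    Event("10.0.0.10", "10.0.0.50", SINGLE_CMD),   # legitimate operator command
    Event("10.0.0.50", "10.0.0.10", MONITOR_SP),   # RTU reporting state
    Event("10.0.0.99", "10.0.0.50", TESTFR_ACT),   # unknown host, keep-alive only
    Event("10.0.0.99", "10.0.0.50", SINGLE_CMD),   # unknown host issuing a command
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS, ALLOWED_HMI):
        print("ALERT", line)
```

Run on the constructed events, only the last one produces an alert: the command itself is indistinguishable from the operator’s, which is exactly the point of the quote above, so the context (source host, time of day, change window) has to carry the decision.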

What ultimately thwarted the attack was the quick reaction of the defenders, which included the Ukrainian Computer Emergency Response Team (CERT) as well as the companies Microsoft, Cisco Talos and Eset. An error in the hackers’ thinking also helped the defense, as Zhora explains.

The attack was supposed to start on Friday at 17:50, “assuming most of the employees are still there and their computers are on”. But because most people finish work at four or five o’clock on Fridays, many computers were switched off and were therefore not even paralyzed by the wipers. The defenders were left with more functioning hardware than the perpetrators might have wished for. Anyone who sets out to sabotage an electricity supplier needs not only special technical knowledge, but also insight into duty rosters.
