Reefa Posted January 8, 2016

The suspected cyber attack on a Ukrainian power grid last week has been linked to the Russian hacking group Sandworm Team, according to US security firm iSight Partners.

"We have linked Sandworm Team to the incident, principally based on BlackEnergy 3, the malware that has become their calling card," John Hultquist, director of cyber espionage analysis at iSight Partners, said in a blog post.

"We have analysed the forensic evidence we have been able to obtain from the region, contextualising it within our knowledge of cyber espionage actors. Many details of the event remain unknown and, given the nature of the incident, especially the use of destructive malware, we do not anticipate every detail will be exposed."

iSight has been tracking the Sandworm group for over a year, disclosing in October 2014 that it had used a zero-day exploit to target Ukrainian government officials, and members of the EU and NATO. Shortly after these findings, security experts at Trend Micro reported that the group was also targeting SCADA systems that control and monitor industrial automation.

Now, with the renewed focus on the BlackEnergy malware and its latest malicious component called KillDisk, iSight believes that Sandworm has re-emerged and could be responsible for the Ukrainian attack. The security firm said that it cannot confirm that the KillDisk component caused the outage, but that it may have been used to "manipulate power in order to impede restoration efforts".

"A cyber attack of this nature is a milestone, although a predictable one," Hultquist added. "The aggressive nature of Sandworm Team's previous activity in Europe and the US exposed their interest in targeting critical systems and indicated preparation for cyber attack.

"Targeting of critical entities in Ukraine throughout 2015, during a time of war, further presaged a desire to disrupt infrastructure."
Attack could happen anywhere

Meanwhile, it has been said that the malware suspected to have been used in the cyber attack "could be directed anywhere", posing a threat to all nations, according to a former FBI cyber expert.

Leo Taddeo, who is currently chief security officer at US firm Cryptzone, warned that the type of malware used to target energy companies in Ukraine is not confined to the region.

"Geography is no barrier to attack in our connected world. This attack appears to be focused on the Ukrainian media and energy sectors, but that's likely due to the attacker's desire to disrupt those specific targets, rather than any technical limitation of the malware," he said.

Ukraine has blamed Russia for the attack. This is difficult to prove, but Taddeo explained that the evidence points towards the involvement of a nation state.

"Sophisticated criminal groups would not expend the time or resources to target media outlets or critical energy infrastructure. Those targets don't offer payoffs that criminal groups look for," he said.

"On the other hand, a nation state, most likely Russia or one of its proxy hacking groups, is behind the attacks. The tactics and targets fit into Russia's past use of cyber weapons in support of its military and political objectives."

Jens Monrad, threat intelligence liaison manager EMEA at FireEye, agreed that attacks on critical infrastructure "can happen everywhere" but stopped short of suggesting who might be responsible for the power grid incident.

"While there is attention on attacks on industrial control system [ICS] environments, the reality is that there is little data gathered and therefore the insight into potential attacks, malicious payloads and potential breaches is limited," he told V3.

However, Monrad said that attacks on key sectors such as energy are likely to increase as reliance on the internet grows.
"These environments are becoming more connected and operated via network connected environments, some even directly operated via the internet," he said. "Companies need to ensure they have a plan and the right maturity to detect threats, respond to them and contain the breach, so they can continue operating while they are under attack."

Robert M. Lee, a former US intelligence expert and current CEO of Dragos Security, managed to acquire a sample of the malware used in the attack and has published some initial analysis on his website.

"The malware is a 32-bit Windows executable and is modular in nature indicating that this is a module of a more complex piece of malware," he said.

Lee speculated that the wiping function of the malware is "likely to be for the purposes of cleanup after the attack" and does not appear to be capable of causing the outage.

He added: "Security personnel in ICS organisations should be actively looking for threats. The Ukrainian incident should not be seen as an incident that only affects one site in a foreign country, although no panic or alarm should be taken, only due diligence towards defence."

Multiple teams are now analysing the malware, according to Lee.

"I passed the malware sample to Kyle Wilhoit, a senior threat researcher at Trend Micro, who has done great work in the ICS community before, who confirmed through static analysis that the malware has a wiping routine that would impact infected systems," he said.

"The idea of a cyber attack on infrastructure that leads to an impact to operations is very serious in nature and must be handled with care, especially when there is geopolitical tension in an area such as Ukraine."

Following the news that Ukraine is investigating the power grid failure, security firm ESET revealed evidence that the malware may be a variant of BlackEnergy, which has been in circulation in various forms since 2007.
Anton Cherepanov, an ESET malware researcher, explained that the malware has become more sophisticated in the past 12 months.

Cherepanov warned that a component called KillDisk has been implemented that directly attacks the operating system on a computer and overwrites any documents held on the system. The researcher believes that the KillDisk component that targets the energy sector is a different variant.

"Now it accepts a command line argument to set a specific time delay when the destructive payload should activate," he said. "As well as being able to delete system files to make the system unbootable the KillDisk variant detected in the electricity distribution companies also appears to contain some additional functionality specifically intended to sabotage industrial systems."

The new variant is thought to delete Windows 'event logs', including application, security and system records.

Earlier this week it was revealed that Ukrainian authorities are investigating the suspected attack. A report on Reuters initially said that a power company in western Ukraine claimed that a large section of the grid was taken offline by "interference" on 23 December, and that the blame had been pinned on Russia.

The SBU said that it managed to stop the malware and warned that, if undetected, it would have left the region facing a major power blackout. The Energy Ministry in Kiev said in an update that the department will set up a special commission to investigate the incident, Reuters revealed.

Russia and China are thought to have the most sophisticated cyber capabilities alongside the Five-Eyes cyber alliance of Australia, Canada, New Zealand, the UK and the US.

It was revealed in November that the FBI was closing in on a hacker from a Russian gang known as CyberVor thought to be responsible for the theft of 1.2 billion internet records and up to 500 million email addresses.
http://www.v3.co.uk/v3-uk/news/2440469/ukraine-investigating-suspected-russian-cyber-attack-on-power-grid
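The article notes that the KillDisk variant is thought to wipe the Windows Application, Security and System event logs. The following is an added detection example, not code from the article or from any of the researchers it quotes: it scans constructed Windows event records for the log-clearing events Windows itself writes (Security/1102 when the Security log is cleared, System/104 for any other cleared channel) and raises an alert when one account clears several logs in a short burst, which is the pattern a wiper of this kind would leave. The record layout and sample timestamps are assumptions made for the example.

```python
"""Flag bulk clearing of Windows event logs, the behaviour attributed to KillDisk."""
from datetime import datetime, timedelta

# Windows records a cleared Security log as Security/1102 and any other
# cleared channel as System/104 (both from the Microsoft-Windows-Eventlog provider).
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

# Constructed sample records (assumed, simplified layout); not from any real host.
SAMPLE_EVENTS = [
    {"time": "2015-12-23T15:30:00", "channel": "Security", "event_id": 4624, "user": "svc-ops", "cleared": None},
    {"time": "2015-12-23T15:31:05", "channel": "Security", "event_id": 1102, "user": "svc-ops", "cleared": "Security"},
    {"time": "2015-12-23T15:31:06", "channel": "System", "event_id": 104, "user": "svc-ops", "cleared": "Application"},
    {"time": "2015-12-23T15:31:07", "channel": "System", "event_id": 104, "user": "svc-ops", "cleared": "System"},
    {"time": "2015-12-23T18:00:00", "channel": "System", "event_id": 6005, "user": "SYSTEM", "cleared": None},
]


def clear_events(events):
    """Return only the records that say an event log was cleared."""
    return [e for e in events if (e["channel"], e["event_id"]) in CLEAR_EVENTS]


def bulk_clears(events, window=timedelta(minutes=5), min_logs=3):
    """Alert when one account clears at least `min_logs` distinct logs within `window`.

    A single clear can be routine maintenance; Application, Security and System
    wiped together within seconds is the footprint the article attributes to KillDisk.
    """
    alerts, consumed = [], set()
    clears = sorted(clear_events(events), key=lambda e: e["time"])
    for i, first in enumerate(clears):
        if id(first) in consumed:
            continue  # already part of a reported burst
        t0 = datetime.fromisoformat(first["time"])
        burst = [e for e in clears[i:]
                 if e["user"] == first["user"]
                 and datetime.fromisoformat(e["time"]) - t0 <= window]
        logs = {e["cleared"] for e in burst}
        if len(logs) >= min_logs:
            alerts.append({"user": first["user"], "start": first["time"], "logs": sorted(logs)})
            consumed.update(id(e) for e in burst)
    return alerts


if __name__ == "__main__":
    for alert in bulk_clears(SAMPLE_EVENTS):
        print(f"ALERT: {alert['user']} cleared {alert['logs']} starting {alert['start']}")
```

Because the clearing records themselves are usually the last entries before the wipe, forwarding logs to a central collector matters more than the rule: the detection only works on copies the wiper cannot reach.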