Report: Hackers Used Malware to Confuse Utility in Ukraine Outage

(Reuters) -
A view of a Soviet-designed surface-to-air missile system S-125 modernized by Ukraine's Aerotechnka company in the town of Makariv outside Kiev, Ukraine, Tuesday, Dec. 29, 2015. Ukrainian officials have announced plans to modernize the nation's air defense systems. (AP Photo/Efrem Lukatsky)
A view of a Soviet-designed surface-to-air missile system S-125 modernized by Ukraine’s Aerotechnka company in the town of Makariv outside Kiev, Ukraine, Dec. 29, 2015. (AP Photo/Efrem Lukatsky)

Hackers likely caused a Dec. 23 electricity outage in Ukraine by remotely switching breakers to cut power, after installing malware to prevent technicians from detecting the attack, according to a report analyzing how the incident unfolded.

The report from Washington-based SANS ICS was released late on Saturday, providing the first detailed analysis of what caused a six-hour outage for some 80,000 customers of Western Ukraine’s Prykarpattyaoblenergo utility.

SANS ICS, which advises infrastructure operators on combating cyber attacks, also said the attackers crippled the utility’s customer-service center by flooding it with phone calls to prevent customers from alerting the utility that power was down.

“This was a multi-pronged attack against multiple facilities. It was highly coordinated with very professional logistics,” said Robert Lee, a former U.S. Air Force cyber warfare operations officer who helped compile the report for SANS ICS. “They sort of blinded them in every way possible.”

Experts widely describe the incident as the first known power outage caused by a cyber attack. Ukraine’s SBU state security service blamed Russia, and U.S. cyber firm iSight Partners identified the perpetrator as a Russian hacking group known as “Sandworm.”

Ukraine’s Energy Ministry has said it will hold off on discussing the matter until after Jan. 18, following completion of a formal probe into the matter.

The utility’s operators were able to quickly recover by switching to manual operations, essentially disconnecting infected workstations and servers from the grid, according to the report.

SANS ICS said  it had “high confidence” in its findings, which were based on discussions and analysis from “multiple international community members and companies.” The report’s authors declined to identify those sources.

U.S. critical infrastructure security expert Joe Weiss said he believed the report’s findings would be validated. “They did a phenomenal job,” he said.

There is strong interest in the outage because of concerns that similar techniques could be used to launch more attacks on power operators around the globe.

“What is now true is that a coordinated cyber attack consisting of multiple elements is one of the expected hazards [electric utilities] may face,” SANS ICS Director Michael Assante said in a social media post.

We need to learn and prepare ourselves to detect, respond, and restore from such events in the future,” said Assante, former chief security officer of the quasi-governmental North American Electric Reliability Corp.