Ukraine braces for more grid hackers — but will they strike?

By Blake Sobczak | 12/21/2017 07:15 AM EST

For the past two years, hackers have lashed out at Ukraine’s power grid during the freezing month of December, cutting off electricity to hundreds of thousands of people.

Kiev, Ukraine, was hit with a blackout two years ago caused by a cyberattack. LagartoL/Pixabay

Now, a sense of anticipation has gripped Ukrainian utilities as they batten down the hatches for a possible third attack this month.

"Time will show" if new cyber defenses hold, said Michael Bno-Airiyan, director of communications and international cooperation for Ukrainian transmission operator NPC Ukrenergo. He said the national power company has met with technical experts and U.S. security officials to build its own cybersecurity strategy, resulting in "a number of formal and informal changes" to the organization.

The overhaul’s effectiveness "will be proven by the resilience of our information infrastructure to possible cyberattacks," Bno-Airiyan said in an emailed response to questions.

Reforming Ukraine’s grid to keep pace with cyberthreats will take time, experts caution, as many systems still run on Soviet-era equipment and technology. Meanwhile, the country’s infrastructure networks face constant bombardment from some of the most adept hackers in the world.

"It just doesn’t stop anymore," Marina Krotofil, principal industrial cybersecurity analyst at cybersecurity firm FireEye Inc., said in a recent interview. "All critical and high-profile organizations are potentially vulnerable."

She credited some Ukrainian companies and government agencies for shoring up their networks in response to recent cyberattacks, from the grid hacks to the "NotPetya" ransomware outbreak this summer (Energywire, June 30). But she added that major improvements will likely play out over years.

"Attackers still have a great opportunity to cause a lot of havoc," said Krotofil, who spoke on a cybersecurity panel at a conference in Ukraine earlier this month.

U.S. utilities would do well to take note, cybersecurity analysts say, even though hackers aren’t known to have caused a blackout beyond Ukraine’s borders.

Adam Meyers, vice president of intelligence at CrowdStrike, tracks Ukraine’s grid hackers by the cryptonym "Voodoo Bear." He said he has seen an increasing number of disruptive attacks from the Russia-linked hacking group — most recently during the "Bad Rabbit" ransomware outbreak in October.

"They’re not only focused on Ukraine, but that seems to be where their primary mission is," he pointed out.

Meyers emphasized that he has seen recent hacking activity directed against the U.S. and global energy sector from a variety of sources.

"It’s not just Russia," he said. "Given ongoing geopolitical tensions, organizations really need to be vigilant."

Open for business

On Dec. 23, 2015, hackers hijacked the networks of three Ukrainian distribution utilities, switching off lights to some 225,000 customers for several hours.

The attackers had spent months planning the unprecedented assault, which marked the first publicly known time hackers cut off electricity anywhere in the world.

The intruders logged into the utilities’ operational networks and switched circuit breakers directly, locking out legitimate utility employees and even switching off the backup power source to a key control center. They flooded the victim companies’ phone lines with bogus calls to hamper recovery efforts and add to confusion (Energywire, July 18, 2016).

The victim distribution companies — Prykarpattyaoblenergo, Kyivoblenergo and Chernivtsioblenergo — quickly reverted to manual operations, flipping switches by hand. Power came back within hours, but weeks would pass before the Ukrainian companies could trust their corporate computers, many of which had been infected by the "BlackEnergy 3" spying tool, according to investigators.

The hackers struck again nearly a year after the first attack. Around midnight on a chilly December night, they seized control of a 330-kilovolt transmission substation north of Kiev.

This time, the attackers unleashed a sophisticated piece of malware that had lain dormant in Ukrenergo’s computer networks, experts say. The hacking tool, known variously as "CrashOverride" or "Industroyer," could issue commands along grid control networks to flip circuit breakers, halting the flow of electricity.

Ukrenergo reverted to manual operations and restored power before dawn on Dec. 18.

But CrashOverride marked a significant escalation in attackers’ capabilities. The tool was tailor-made to harm the grid, unlike its predecessor, BlackEnergy 3, which mainly offered attackers a means to steal employee login credentials.

The 2016 attackers appear to have relied on help from a shadowy support group churning out "high-end" malware for various missions, according to Robert M. Lee, CEO of industrial cybersecurity firm Dragos Inc.

That group, which Dragos calls "Electrum," doesn’t typically launch attacks, but instead develops advanced hacking tools like CrashOverride for use by other teams, according to Lee.

Not long after hackers pulled the trigger on CrashOverride in Ukraine, Electrum fell silent.

But since late November, the group’s fingerprints have started cropping up again in Ukraine and in other parts of Europe, Lee said. "It’s interesting to see their capabilities being used again — the team is open for business, so we want to keep an eye on that."

Lee declined to share many details on the latest round of activity but said it has not appeared to target the industrial control system sites that Dragos specializes in protecting. He added that he hasn’t seen any signs that Electrum is gearing anyone up for another attack on Ukraine’s power grid.

"Is the timing interesting? Absolutely," he said. "But that has nothing to do with what their intent is."

A political call

The hackers’ goal in the 2015 and 2016 attacks appears to have been twofold: trying out new capabilities and undermining trust in Ukraine’s government, experts say.

Such hacking activity is "usually the Russians testing capabilities, but also sending a message to the Ukrainians," said Steven Pifer, nonresident senior fellow at the Brookings Institution and a former U.S. ambassador to Ukraine.

He pointed out that the attacks so far, while disruptive, have been limited in scope. "What we haven’t seen is a broader cyberattack designed to shut down large parts of the Ukrainian grid," he said.

Ukraine’s security service has blamed many of the most intrusive cyber campaigns on Russia’s government. A new round of cyberattacks would put yet another burden on Ukrainian President Petro Poroshenko, who is already dealing with mounting protests against official corruption in the capital, and an ongoing war with Russian soldiers and separatists in the east.

The armed conflict in Ukraine’s Donbass region has killed thousands since war broke out nearly four years ago. In 2014, Russia annexed Ukraine’s southern Crimean peninsula and soon launched a clandestine ground invasion of eastern Ukraine. Cease-fires have come and gone, while the hostilities show no sign of abating, with Russian troops cementing their positions in eastern Ukraine.

"The Kremlin has concluded that this is a useful device — to use that simmering conflict in the Donbass to put pressure on the government in Kiev; to undermine and weaken it," said Pifer.

With Russian soldiers set to return from campaigns in Syria next year, Ukrainian officials worry the worst may be yet to come.

"Russia is changing and preparing" for acting out in the new year, Oksana Syroyid, deputy chairwoman of Ukraine’s Parliament, said at a conference earlier this month. "Russia will be using all techniques, and modernizing itself to be more and more aggressive — I think that is quite obvious," she said.

Whether Russia will include another strike on western Ukraine’s grid is ultimately a "political decision," said Ben Read, manager of cyber espionage analysis at FireEye, which tracks Ukraine’s grid hackers by the name "Sandworm" and attributes the group to the Russian government.

"In 2017, we’ve seen more of these high-profile ransomware [attacks], messing with the financial sector … so they could be prepping for a new December power attack," he said. "The capabilities demonstrated in CrashOverride are pretty significant in terms of manipulating industrial control systems, so they definitely have the capability to walk and chew bubble gum at the same time.

"We’re just out here trying to divine it," he added.

Outside support

U.S. officials from the Department of Homeland Security, Department of Energy, FBI and nonprofit North American Electric Reliability Corp. flocked to Ukraine in the wake of the 2015 attack to investigate.

Since then, the U.S. government has encouraged Ukraine to prop up its cyber defenses, offering expert assistance and helping to organize training events, among other steps.

In May, senior Trump administration officials met with Ukrenergo CEO Vsevolod Kovalchuk to discuss energy security concerns, officials confirmed. In September, the State Department announced it would provide $5 million in aid to boost Ukraine’s "ability to prevent, mitigate and respond to cyberattacks."

Just this month, a delegation from the U.S. State Department and Mitre Corp. sat down with Ukraine’s deputy energy minister, Nataliya Boyko, to discuss grid cybersecurity, including plans to set up a cyber crisis response center at the national power company. A State Department official cast the Dec. 7 meeting as "part of broader U.S. efforts to cooperate on cybersecurity matters in Ukraine."

In Europe, officials have also sought to offer assistance. A NATO-backed cybersecurity center helped organize a first-of-its-kind cybersecurity exercise for Ukrainian utilities in October this year. Though Ukraine is not a NATO or European Union member state, both organizations have offered security support to Kiev.

"We know that there have been repeated cyberattacks on key infrastructure in recent years; energy, banking and payment systems have been targeted," Ambassador Hugues Mingarelli, head of the European Union delegation in Ukraine, said at a recent meeting with Ukrainian security officials. "On our side, we try to stand by the Ukrainian authorities in this hybrid war."

Will all the assistance and preparations head off another grid attack?

The back-to-back nature of the first two cases has set off speculation among the close-knit community of industrial control system security professionals.

"There is always a risk that an attempt is foiled and the demonstration would backfire," said Michael Assante, who directs the industrial controls system security program at the SANS Institute cyber training group. He said in an email that he will still be watching out for any suspicious activity in Ukraine.

Krotofil of FireEye said she isn’t sure what will happen, but said "all the necessary conditions are there" for a new visit from Sandworm.

She warned that the next big incident could pair a grid cyberattack with strikes on other vital services, amplifying the effects of both.

"The attacker has now tested enough," she said. "They can come up with more complex scenarios, with more devastating consequences."