Black energy pushing the country to darkness


Transcript of Black energy pushing the country to darkness

Page 1: Black energy pushing the country to darkness


STRICTLY PRIVATE & CONFIDENTIAL © 2015



Black Energy- Pushing the Country to Total Darkness

Page 2: Black energy pushing the country to darkness


Power Outage for Several Hours in Ivano‐Frankivsk Region of Ukraine

On December 24, 2015, three different distribution oblenergos (energy companies) were attacked, resulting in several substation outages that caused approximately 225,000 customers to lose power across various areas in the Ivano‐Frankivsk Region of Ukraine.

The attack was limited to 3 distribution oblenergos only. Other distribution companies, transmission substations, power generation plants and control centers were not impacted by this attack.

While the impacted oblenergos were able to restore service after an outage window that lasted several hours, it is reported that they still continue to operate their distribution systems in an operationally constrained mode.

Page 3: Black energy pushing the country to darkness


Consolidated List of TTPs used by the Attacker

1. Spear phishing to gain access to the business networks of the oblenergos

2. Use of BlackEnergy 3 malware to establish the first level of control into the IT network of the compromised oblenergos

3. Theft of credentials from the IT network and establishment of persistence

4. Use of existing virtual private networks (VPNs) from the IT network to enter the ICS network

5. Use of existing remote access tools within the SCADA environment, or issuing commands directly from a remote station similar to an operator HMI

6. Malicious firmware-level upgrade of the serial-to-Ethernet communications devices used to operate the field devices, i.e. switchgear

7. Use of the KillDisk utility to erase the master boot record of impacted organization systems, as well as the targeted deletion of some logs

8. Manipulation of UPS systems to impact the substation directly with a power outage during the actual attack duration

9. Telephone denial-of-service attack on the call center to stop customers from registering complaints about the outage

Page 4: Black energy pushing the country to darkness


1. Initial Spearphish

During the initial intrusion, malicious Office documents with embedded BlackEnergy 3 malware were delivered via email to individuals in the IT network of the electricity companies.

Emails were spoofed to appear to belong to the Ukrainian parliament.

When these documents were opened, a popup was displayed to users to encourage them to enable the macros in the document.

Enabling the macros allowed the malware to exploit Office macro functionality to install BlackEnergy 3 on the victim system.
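As an added, defender-side example (not part of the original deck): a Python check of the kind a mail gateway or SOC triage script could run to flag OOXML attachments that carry a VBA project, the delivery vector described above. The sample documents are constructed in memory; the content-type strings are the standard OOXML macro-enabled types.

```python
"""Flag Office (OOXML) attachments that carry VBA macros.
Sample documents are constructed in memory so the check runs offline."""
import io
import zipfile

# Standard OOXML content types that mark a macro-enabled main document part
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
)

def find_macro_indicators(blob: bytes) -> list:
    """Return the macro indicators found in an OOXML package (empty list if
    none). ['not_ooxml'] means the file is not a zip-based Office package and
    needs a different check (e.g. a legacy OLE .doc parser)."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            names = z.namelist()
            # A VBA project is stored as vbaProject.bin under word/, xl/ or ppt/
            vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
            if vba:
                reasons.append("vba_project:" + ",".join(vba))
            if "[Content_Types].xml" in names:
                ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
                for ct in MACRO_CONTENT_TYPES:
                    if ct in ctypes:
                        reasons.append("content_type:" + ct)
    except zipfile.BadZipFile:
        return ["not_ooxml"]
    return reasons

def build_sample(macro: bool) -> bytes:
    """Constructed minimal Word package, with or without a VBA project."""
    ct_main = (MACRO_CONTENT_TYPES[0] if macro else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    ctypes = ('<?xml version="1.0"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              f'<Override PartName="/word/document.xml" ContentType="{ct_main}"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", ctypes)
        z.writestr("word/document.xml", "<w:document/>")
        if macro:  # constructed placeholder bytes, not a real VBA project
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for flag in (False, True):
        print("macro" if flag else "plain", find_macro_indicators(build_sample(flag)))
```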

Page 5: Black energy pushing the country to darkness


2. First Level of Compromise and Establishment of C2

Upon install, the BlackEnergy 3 malware connected to command and control (C2) IP addresses.

It enabled communication with the attacker over an SSH channel.

As per current investigations, the attackers appear to have gained access more than six months prior to December 23, 2015, when the power outage occurred.

Page 6: Black energy pushing the country to darkness


3. Credential Theft and Persistence

C2 communications allowed the attacker to gather information from the environment. The attacker used keyloggers to perform the credential theft. It started harvesting credentials, escalating privileges, and moving laterally throughout the environment (e.g. targeting the directory service infrastructure to directly manipulate and control the authentication and authorization system).

After stealing the legitimate user identities, the attacker established persistence in the IT network as an authorized user.

Page 7: Black energy pushing the country to darkness


4. Use of VPN to Get into the SCADA Network

The attacker identified VPN connections in the IT network that are used by authorized users to connect to the SCADA network. The attacker used these as the main avenue to get inside the SCADA network.

It started conducting reconnaissance of the SCADA network to understand the environment and make itself ready for the next step of compromise: the SCADA systems.

It collected information related to the different Distribution Management Systems (SCADA-DMS) used in the oblenergos and to the remote terminal units, e.g. serial-to-Ethernet devices that are used to convert signals from SCADA to circuit breakers.

Page 8: Black energy pushing the country to darkness


5. Remotely Controlling the SCADA

After gaining an understanding of the SCADA-DMS, PLCs and RTUs, the attacker invested time in preparation for the actual hack. This involved learning how to interact with the three distinct DMS environments using the native controls present in the operator screens.

More importantly, they developed malicious firmware for the serial-to-Ethernet devices.

The attacker likely had test systems in their organization that they were able to use to evaluate the malicious firmware.

The attacker delivered the malicious firmware using a remote administration tool available on the operator workstation.

The attacker installed KillDisk software across the SCADA environment. The attacker also modified the connection to the UPS system in one of the oblenergos. This was used later to push the substation into darkness to add more chill to the chaos.

Page 9: Black energy pushing the country to darkness


6. Malicious Firmware Upgrade of the Switchgear

The attacker used the SCADA-DMS to open the breakers. At least 27 substations (the total number is probably higher) were taken offline across the three energy companies, impacting roughly 225,000 customers.

Simultaneously, the attackers uploaded the malicious firmware to the serial-to-Ethernet devices controlling the switchgear. This ensured that even if the operator workstations were recovered, remote commands could not be issued to bring the substations back online.

Page 10: Black energy pushing the country to darkness


7. Use of KillDisk to Render Operator Workstations Inoperable

The attacker used the KillDisk software to delete the Master Boot Record of compromised operator workstations. KillDisk also erased many other critical system files of the operator workstations. This rendered the operator workstations inoperable during the actual attack.

Many of the operators were locked out of their workstations, making them silent spectators to the hack.

Page 11: Black energy pushing the country to darkness


8. Manipulation of the UPS Systems in One of the Oblenergos

In one of the oblenergos, the attackers discovered a network-connected UPS. The attacker reconfigured it so that when the attacker caused a power outage, it was followed by an event that would impact the power in the substation as well.

Page 12: Black energy pushing the country to darkness


9. Telephone DoS Attack on the Call Center

As the power outage was in progress, the attackers also used telephone systems to generate thousands of calls to the energy company's call center.

This denied legitimate customers the ability to report outages to the call center.

Page 13: Black energy pushing the country to darkness


Cyber Kill Chain Mapping of the Hack

Page 14: Black energy pushing the country to darkness


Lessons Learned

- End users should be made aware of phishing attacks. Phishing simulation workshops should be part of a larger information security awareness program.

- Use endpoint protection solutions with anti-malware and application whitelisting capabilities to detect and prevent the installation of malicious software.

- Use threat intelligence for active detection of IOCs as part of the security monitoring of the network, systems and endpoints.

- Use intelligence to detect anomalies in network traffic, e.g. a sudden increase in outgoing data size, unusual traffic protocols in use, new encrypted traffic, etc.
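As an added example (not from the original deck): a baseline-and-threshold check in Python over per-host outbound flow summaries that flags the three indicators listed above, a sudden outbound volume spike, a protocol or port not seen in the baseline, and a new encrypted channel such as the SSH C2 described on the earlier slide. The flow records, host names and threshold are constructed for illustration.

```python
"""Flag outbound traffic anomalies against a per-host baseline.
All flow records below are constructed sample data."""
from collections import defaultdict

# Constructed flow summaries: (day, src_host, dst_port, proto, bytes_out)
FLOWS = [
    ("d1", "ws-17", 443, "tls", 1_200_000), ("d1", "ws-17", 80, "http", 300_000),
    ("d2", "ws-17", 443, "tls", 1_100_000), ("d2", "ws-17", 80, "http", 280_000),
    ("d3", "ws-17", 443, "tls", 1_300_000), ("d3", "ws-17", 80, "http", 310_000),
    # day 4: a new SSH channel and a large outbound spike from the same host
    ("d4", "ws-17", 443, "tls", 1_250_000), ("d4", "ws-17", 22, "ssh", 9_000_000),
    ("d1", "ws-02", 443, "tls", 500_000), ("d2", "ws-02", 443, "tls", 520_000),
    ("d3", "ws-02", 443, "tls", 480_000), ("d4", "ws-02", 443, "tls", 510_000),
]

def detect_anomalies(flows, baseline_days, check_day, spike_factor=3.0):
    """Compare each host's traffic on check_day with its baseline_days history.
    Returns a list of (host, indicator, detail) tuples, hosts in sorted order."""
    base_bytes = defaultdict(int)     # host -> total outbound bytes in baseline
    base_protos = defaultdict(set)    # host -> (port, proto) pairs seen in baseline
    day_bytes = defaultdict(int)
    day_protos = defaultdict(set)
    for day, host, port, proto, nbytes in flows:
        if day in baseline_days:
            base_bytes[host] += nbytes
            base_protos[host].add((port, proto))
        elif day == check_day:
            day_bytes[host] += nbytes
            day_protos[host].add((port, proto))
    findings = []
    for host in sorted(day_bytes):
        # Volume check: daily outbound total vs. average baseline day
        avg = base_bytes[host] / max(len(baseline_days), 1)
        if avg and day_bytes[host] > spike_factor * avg:
            findings.append((host, "outbound_spike",
                             f"{day_bytes[host]} bytes vs baseline avg {avg:.0f}"))
        # Protocol check: any (port, proto) pair never seen for this host before
        for port, proto in sorted(day_protos[host] - base_protos[host]):
            kind = "new_encrypted_channel" if proto in ("ssh", "tls") else "new_protocol"
            findings.append((host, kind, f"{proto}/{port} not seen in baseline"))
    return findings

if __name__ == "__main__":
    for finding in detect_anomalies(FLOWS, {"d1", "d2", "d3"}, "d4"):
        print(finding)
```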

Page 15: Black energy pushing the country to darkness


Lessons Learned

- Adequately segregate the IT network and the SCADA network.

- Use two-factor authentication for VPN connections. Use a jump host with NAC to avoid split tunneling from remote support employees. Implement session timeouts for VPN connections.

- Implement SOD (segregation of duties) in SCADA applications to limit the privileges of a single role.

- Avoid allowing the use of vendor default or shared user IDs and passwords on operator or engineering workstations.

Page 16: Black energy pushing the country to darkness

© 2015 PALADION NETWORKS PRIVATE LIMITED | WWW.PALADION.NET | CONFIDENTIAL