What the Ukrainian Blackout Means for the Future of Cyberwar

A local woman walks along a rail-road crossing in Debaltseve, eastern Ukraine. Petr Anikukhin/AP

The world’s first cyber-caused electricity blackout shook security experts around the globe. Here’s what it means for keeping the lights on.

For a look at how cyber will play into armed conflict, look at the Dec. 23 attack on the Ukrainian energy sector. This was no simple hack involving celebrity emails or embarrassing personal information but a highly coordinated and complex cyber-physical assault that knocked out power to more than 225,000 people … in a war-torn country … in the dead of winter.

On Thursday, the head of Southern Company, one of America’s larger regional electricity producers, said that the United States was well protected against a similar attack. But that doesn’t mean that a repeat, or a similar event, couldn’t trigger a larger conflict even if it doesn’t shut off the lights.

Who’s behind the attack and what does it mean for the future of war?

The Green Men of the Dark Web

Cyber security researchers have pointed the finger at pro-Russian hacktivist groups. U.S.-based iSight Partners specifically accused the Moscow-based Sandworm. But a wide variety of pro-Russian groups are working against Ukraine and Western forces; one is Cyberberkut, which has taken credit for attacks on German media and NATO sites.

So how do these groups operate? History suggests: with stealth and subtlety. Remember 2014, when masked gunmen, not officially affiliated with any larger nation-state, began waging war in Eastern Ukraine? The so-called “green men” completed their invasion before anyone was able to figure out that they were, in fact, invading.

The specific culprit in the Ukraine blackout is almost less important than the broader trend: the rise of cyber militias that work on behalf of state interests but whose veneer of independence gives governments plausible deniability.

Tom Kellermann, the CEO of Strategic Cyber Ventures, put it this way at the recent Suits and Spooks conference in Washington, D.C.

“There’s a cult of personality, particularly in the East. The greatest hackers in the world, the Russian-speaking blackhat community in the former Soviet bloc, are beholden to that cult of personality. They’re beholden to that cult of personality for a number of reasons. They’ve been allowed to act with impunity when hacking the [U.S.] financial sector for more than 17 years in exchange for paying tribute or homage to the regime. The examples are Estonia, South Ossetia and now Ukraine.”

He said pro-Russian hacktivist groups use more than 14 zero-day attacks — that is, ways to exploit security holes that were previously unknown to the victim and for which no patch yet exists. They are the most effective and the most prized weapons in the hacker’s arsenal — but once you use them, defenders can start to raise shields against them. The fact that pro-Russian groups seem increasingly willing to spend them underlines the escalating intensity of the campaign against Western targets.

“The greatest cyber criminals of all time, that used to spend most of their time targeting the United States financial sector, now spend four or five hours of their day using SSH, or secure shell, keys and the same modus operandi” against Ukrainian and Western political adversaries, said Kellermann.

Russia’s direct involvement will be nearly impossible to prove.

The Power Grab

Still, there’s motive, if not provable opportunity, where power politics meet the electrical grid. Two sides are competing to provide electricity to people in eastern Ukraine. If Putin can provide the 1,100 megawatts to Crimea that Ukraine provides currently, it will help cement his hold on the Peninsula. Making Ukraine look like an unreliable supplier of power is key to that.

But to read the way U.S. outlets covered the Ukrainian outage, you might think that the cyberattack and the blackout occurred almost randomly.

In fact, utilities and central services have emerged as a new front in the war in the eastern part of the country. Less than a month before the Ukrainian energy outage, one occurred on the disputed Crimean peninsula. Ukrainian police blamed saboteurs. Russian President Vladimir Putin reportedly reacted by promising to construct power lines into the region; Russian newspapers have reported that German company Siemens has a contract with the Russian government to build gas-turbine power plants in the Crimean cities of Sevastopol and Simferopol. Siemens reportedly denied the claims, as building the plants would be a violation of international sanctions. Not long after that denial, Siemens became one of the key targets in the Ukraine blackout.

Those sorts of dynamics are case-specific. Knocking out power to part of the West Coast wouldn’t create territory that Russian energy companies could compete for.

BlackEnergy

The primary piece of software implicated in the attack was called BlackEnergy, according to DHS’s recently released report on the incident. It’s less of a weapon than a vehicle carrying a weapon.

“Each company also reported that they had been infected with BlackEnergy malware; however, we do not know whether the malware played a role in the cyberattacks. The malware was reportedly delivered via spear phishing emails with malicious Microsoft Office attachments. It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials,” the report said.

Jose Nazario of Arbor Networks first detected BlackEnergy back in 2007. He described it as “a Web-based denial of service bot used by the Russian hacker underground.”

At the time, you could buy it for about $40, according to David Meltzer from the firm Tripwire.

“We think of it as this sophisticated malware targeting these highly industrial environments. It was a common everyday piece of malware.”

BlackEnergy is still around in 2016 because it has a modular architecture, allowing people to write different plug-ins. By itself, it’s not the sort of software that could take down a power station. Rather, it would work in concert with an add-on, a very specifically designed package; in this case, one designed to attack the control equipment of the targeted Siemens power plants.

There exists “something akin to [an] app store,” for BlackEnergy plugins, Meltzer said. “At this point, even [though] the BlackEnergy malware itself isn’t that sophisticated, the library of plug-ins that’s built for it can do a lot of unique things.”

Could The Same BlackEnergy Attack Cause a Major Blackout Here?

No, says Southern Company CEO Tom Fanning, who also chairs the Electricity Subsector Coordinating Council, or ESCC.

“Back in 2014, we got the word that this BlackEnergy thing was out there, we started to take steps to protect ourselves…When something happens, the first thing we do is make sure our industry has situational awareness,” he told Passcode at a recent New America conference.

Still, recent attacks against U.S. power entities are even more sophisticated than the one against Ukraine. Fanning pointed to a March 2015 attack on a Pacific Gas and Electric substation. The assailants broke into the station physically and then disabled the supervisory control and data acquisition, or SCADA, system before trying to damage other things.

“The fact that [someone] targeted the SCADA and control system equipment is kind of a big deal,” Mark Weatherford, principal at the Chertoff Group, told energy research company SNL.

Still, said Fanning, the attack didn’t even cause “the lights to flicker.” Even if attackers were able to exploit some system vulnerability to affect substations, or SCADA systems, or something else, “We can run the system manually,” he said.

A Potential Scenario

Yet, an attack in the style of the Ukrainian blackout could still cause huge problems. Here’s how.

“All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyberattack,” said the DHS report. “The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable.”

Compared to the presence of BlackEnergy, the use of KillDisk is a far more ominous indicator of things to come.

“Inside one of the plugin controls for BlackEnergy has been this ability to wipe systems. There’s been some intentional uses to make the systems unusable. Why do they create so much destruction? Maybe a little bit it’s to prevent tracing back. But probably more so, there’s an intent there to damage these environments,” said Meltzer.

The use of a self-destruct booby trap is the difference between an act of espionage—something that virtually every nation engages in—and an act of serious consequence, possibly requiring international sanctions or a response from U.S. Cyber Command.

Think back to the Sony hack: The attackers not only took data but also destroyed it.

“This is why I think many of us worry about Sony, the destructive nature of it. It wasn’t just the fun and games of, you know, what rich Hollywood executives were saying about rich Hollywood starlets, right?” Mike Rogers, the Michigan Republican who used to chair the House Intelligence Committee, said last year. “That was kind of tantalizing and good reading — the real game changer was the destruction of property. That is equally possible in our electric grid.”

If lawmakers decide that the use of software like KillDisk is tantamount to an act of war, that could put the military in a difficult position. Adm. Michael Rogers, the head of Cyber Command, has said that offensive cyber weapons would be used proportionally and in line with the rules of conflict.

But if you don’t know who your enemy is, there’s no way to get them to follow the rules.
