ICS-CERT BlackEnergy Report

Friday, February 26, 2016 @ 02:02 PM gHale

It is no secret the Ukraine power grid took a hit from an attack this past December.

That is why an interagency team comprised of representatives from the National Cybersecurity and Communications Integration Center (NCCIC)/Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), U.S. Computer Emergency Readiness Team (US-CERT), Department of Energy, Federal Bureau of Investigation, and the North American Electric Reliability Corporation traveled to Ukraine to collaborate and gain more insight.

The Ukrainian government worked closely and openly with the U.S. team and shared information to help prevent future cyber-attacks.

The attacks were first noticed December 23, when Ukrainian power companies experienced unscheduled power outages impacting a large number of customers in Ukraine.

In addition, there have also been reports of malware found in Ukrainian companies in a variety of critical infrastructure sectors. Public reports indicate BlackEnergy malware was on the companies’ computer networks; however, it is important to note the role of BlackEnergy in this event remains unknown pending further technical analysis.

This report from ICS-CERT provides an account of the events that took place based on interviews with company personnel. ICS-CERT shared a report on the investigation.

The following account of events comes from the interagency team’s interviews with operations and information technology staff and leadership at six Ukrainian organizations with first-hand experience of the event. Following these discussions and interviews, the team found the outages experienced December 23 were the result of external cyber attackers.

The team was not able to independently review technical evidence of the cyber attack; however, a significant number of independent reports from the team’s interviews as well as documentary findings corroborate the events as outlined below.

Through interviews, the team learned that power outages were the result of remote cyber intrusions at three regional electric power distribution companies (Oblenergos) impacting approximately 225,000 customers. While power has been restored, all the impacted Oblenergos continue to run under constrained operations. In addition, three other organizations, some from other critical infrastructure sectors, were also intruded upon but did not experience operational impacts.

The cyber attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks. According to company personnel, the cyber attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities. During the cyber attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections. The companies believe the actors acquired legitimate credentials prior to the cyber attack to facilitate remote access.

All three companies indicated the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber attack. The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. It was further reported that in at least one instance, Windows-based human-machine interfaces (HMIs) embedded in remote terminal units were also overwritten with KillDisk. The actors also rendered Serial-to-Ethernet devices at substations inoperable by corrupting their firmware. In addition, the attackers reportedly scheduled disconnects for server Uninterruptible Power Supplies (UPS) via the UPS remote management interface. The team assesses these actions occurred in an attempt to interfere with expected restoration efforts.

Each company also reported they had been infected with BlackEnergy malware; however, we do not know whether the malware played a role in the cyber-attacks. The malware was reportedly delivered via spear phishing emails with malicious Microsoft Office attachments.

The theory is BlackEnergy may have been an initial access vector to acquire legitimate credentials; however, this information is still being evaluated. It is important to underscore that any remote access Trojan could have been used and none of BlackEnergy’s specific capabilities were reportedly leveraged.

Best Practices
The first, most important step in cyber security is implementation of information resources management best practices.

Key examples include: procurement and licensing of trusted hardware and software systems; knowing who and what is on your network through hardware and software asset management automation; on-time patching of systems; and strategic technology refresh.

Organizations should develop and exercise contingency plans that allow for the safe operation or shutdown of operational processes in the event their ICS is breached. These plans should include the assumption the ICS is actively working counter to the safe operation of the process.

ICS-CERT recommends asset owners take defensive measures by leveraging best practices to minimize the risk from similar malicious cyber activity.

Those best practices include using Application Whitelisting (AWL), which can detect and prevent attempted execution of malware uploaded by malicious actors. The static nature of some systems, such as database servers and HMI computers, makes these ideal candidates to run AWL. Operators should work with their vendors to baseline and calibrate AWL deployments.

Isolate ICS
In addition, ICS-CERT said organizations should isolate ICS networks from any untrusted networks, including the Internet. All unused ports should be locked down and all unused services turned off. Only allow real-time connectivity to external networks if a defined business requirement or control function exists. If one-way communication can accomplish a task, use optical separation (“data diode”). If bidirectional communication is necessary, then use a single open port over a restricted network path.
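The isolation rules above can be checked mechanically against an exported rule set. The following is an added example, not code from ICS-CERT or this article; the rule fields (`src`, `dst`, `flow`, `via`, `requirement`), the zone names and the sample rules are hypothetical and constructed for illustration.

```python
# Constructed rule export; field names are hypothetical, not any vendor's syntax.
RULES = [
    {"id": "r1", "src": "internet", "dst": "ics", "ports": [3389],
     "flow": "bidirectional", "via": "firewall", "requirement": ""},
    {"id": "r2", "src": "ics", "dst": "corporate", "ports": [1433],
     "flow": "one-way", "via": "firewall", "requirement": "historian replication"},
    {"id": "r3", "src": "corporate", "dst": "ics", "ports": [443, 445, 3389],
     "flow": "bidirectional", "via": "firewall", "requirement": "vendor support"},
    {"id": "r4", "src": "ics", "dst": "corporate", "ports": [],
     "flow": "one-way", "via": "diode", "requirement": "historian replication"},
    {"id": "r5", "src": "corporate", "dst": "ics", "ports": [443],
     "flow": "bidirectional", "via": "firewall", "requirement": "schedule download"},
    {"id": "r6", "src": "corporate", "dst": "internet", "ports": [443],
     "flow": "bidirectional", "via": "firewall", "requirement": "web proxy"},
]

def audit_conduits(rules, ics_zone="ics"):
    """Return {rule id: findings} for rules that cross the ICS boundary."""
    flagged = {}
    for rule in rules:
        zones = {rule["src"], rule["dst"]}
        if ics_zone not in zones:
            continue  # rule does not touch the control network
        findings = []
        if "internet" in zones:
            findings.append("ics-exposed-to-internet")
        if not rule["requirement"].strip():
            findings.append("no-defined-requirement")
        # One-way tasks should be enforced by hardware, not by a rule.
        if rule["flow"] == "one-way" and rule["via"] != "diode":
            findings.append("one-way-flow-without-data-diode")
        # Bidirectional conduits are limited to a single open port.
        if rule["flow"] == "bidirectional" and len(rule["ports"]) != 1:
            findings.append("bidirectional-not-single-port")
        if findings:
            flagged[rule["id"]] = findings
    return flagged

if __name__ == "__main__":
    for rule_id, findings in audit_conduits(RULES).items():
        print(rule_id, findings)
```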

Organizations should also limit Remote Access functionality wherever possible. Modems are especially insecure. Users should implement “monitoring only” access enforced by data diodes, and should not rely on “read only” access enforced by software configurations or permissions. Remote persistent vendor connections should not be allowed into the control network. Remote access should be operator controlled, time limited, and procedurally similar to “lock out, tag out.” The same remote access paths for vendor and employee connections can be used; however, there should be no double standards. Users should use strong multi-factor authentication, avoiding schemes where tokens are similar types and can be easily stolen.
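One way to audit remote sessions against this guidance is to compare the VPN log with the operator-issued access permits. This is an added example, not code from ICS-CERT or this article; the log layout, the permit ledger, the four-hour limit and all account names and addresses are assumptions constructed for illustration.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

MAX_SESSION = timedelta(hours=4)  # assumed site value for "time limited"

# Constructed operator-issued permits (the "tag" in lock out, tag out).
PERMITS = [
    {"user": "vendor_a", "start": "2016-02-01T09:00", "end": "2016-02-01T11:00"},
    {"user": "eng_kim", "start": "2016-02-01T13:30", "end": "2016-02-01T15:00"},
    {"user": "eng_lee", "start": "2016-02-01T07:30", "end": "2016-02-01T09:30"},
]

# Constructed VPN log: user,source,mfa,login,logout (empty logout = still connected).
SESSION_LOG = """\
vendor_a,203.0.113.10,yes,2016-02-01T09:05,2016-02-01T10:40
vendor_a,203.0.113.10,yes,2016-02-01T23:10,2016-02-02T06:30
eng_kim,198.51.100.7,no,2016-02-01T14:00,2016-02-01T14:30
eng_lee,198.51.100.9,yes,2016-02-01T08:00,
"""
NOW = datetime(2016, 2, 2, 12, 0)  # constructed time of audit

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")

def audit_sessions(log_text, permits, now):
    """Map (user, login) -> findings; vendors and employees get identical checks."""
    flagged = {}
    for user, _src, mfa, login, logout in csv.reader(StringIO(log_text)):
        start = parse_ts(login)
        end = parse_ts(logout) if logout else now
        findings = []
        # The whole session must sit inside a window an operator approved.
        covered = any(p["user"] == user and parse_ts(p["start"]) <= start
                      and end <= parse_ts(p["end"]) for p in permits)
        if not covered:
            findings.append("outside-operator-approved-window")
        if not logout or end - start > MAX_SESSION:
            findings.append("persistent-connection")
        if mfa != "yes":
            findings.append("no-multi-factor")
        if findings:
            flagged[(user, login)] = findings
    return flagged

if __name__ == "__main__":
    for key, findings in audit_sessions(SESSION_LOG, PERMITS, NOW).items():
        print(key, findings)
```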

ICS-CERT also said that, as in common networking environments, control system domains can be subject to a myriad of vulnerabilities that can provide malicious actors with a “backdoor” to gain unauthorized access. Often, backdoors are simple shortcomings in the architecture perimeter, or embedded capabilities that are forgotten, unnoticed, or simply disregarded. Malicious actors often do not require physical access to a domain to gain access to it and will usually leverage any discovered access functionality. Modern networks, especially those in the control systems arena, often have inherent capabilities deployed without sufficient security analysis and can provide access to malicious actors once discovered. These backdoors can be accidentally created in various places on the network, but it is the network perimeter that is of greatest concern.

Under the Microscope
When looking at network perimeter components, the modern IT architecture will have technologies to provide for robust remote access. These technologies often include firewalls, public facing services, and wireless access. Each technology will allow enhanced communications in and amongst affiliated networks and will often be a subsystem of a much larger and more complex information infrastructure. However, each of these components can (and often does) have associated security vulnerabilities that an adversary will try to detect and leverage. Interconnected networks are particularly attractive to a malicious actor, because a single point of compromise may provide extended access because of pre-existing trust established among interconnected resources.

While the role of BlackEnergy in this incident is still under investigation, the malware was present on several systems.

Detection of the BlackEnergy malware should be conducted using the latest published YARA signature.