Industroyer, The Ukrainian Power Grid Attacks

My post contentThe cyberattacks on Ukraine's power grid in December 2015 and later in 2016 were the 2nd known APT conducted OT (Operation Technology) attacks of its kind against power plants; the first one on Iranian nuclear facilities in 2010 conducted by the US and Israeli joint taskforce and the second one was orchestrated by Russians. The common unique feature of these attacks was the capability of malware to directly interact with industrial components, causing physical effects, however, the Russian malware, called Industroyer and specifically crafted for interaction with ICS (Industrial Control System), was believed to be more sophisticated and dangerous.

The attackers utilized various capabilities not only in penetration into the network by spear phishing but also in maintaining a long time very effective presence for several months without detection, harvesting credential, elevating access, detailed mapping of the network, connecting to the power grid control system and operating the ICS and SCADA (Supervisory Control and Data Acquisition) to successfully carry out such an advanced operation.

Remote access to the SCADA system enabled the hackers to take control of over 30 substations, distribution systems, relays, backup power systems, and workstations. In order to maximize the damage, they wiped out the workstations' storage and performed a DDoS attack on the phone system to sabotage the communication and recovery operation.

Hackers had owned the control systems, and Ukrainians were, in fact, locked out of the systems, so they were forced to manually access and control the substations to restore the power. The attack in December 2015 caused a blackout for a few hours and disrupted the lives of over 225,000 Ukrainians. December 2016 caused a power grid interruption that was providing energy to over 2 million of Kyiv’s population, the Capital city of Ukraine, for several hours.

Cyberattacks of this magnitude (like Iranian centrifuges or Ukrainian power grid) are considered next-gen warfare and frighteningly are posing a real threat to our societies in coming years. While using OT is an important part of modern living and infrastructure necessities, we need to take certain steps to secure it, such as:

• Network segmentation or separation

• Maximizing the network security by employing VPNs, firewalls, IDS, IPS, zero trust policies, advanced IAM, more restricted access control, and advanced monitoring systems

• Multi-layered defense mechanism

• Security awareness programs to minimize the human element threat factor

Reference:

• https://www.eweek.com/security/industroyer-cyber-attack-revealed-as-cause-of-ukraine-power-outage/

• https://www.bbc.com/news/technology-38573074

• https://www.youtube.com/watch?v=upLPkLaMhro&ab_channel=InternationalSocietyofAutomation-ISA

• https://www.youtube.com/watch?v=d18kbimxpuA&ab_channel=InternationalSocietyofAutomation-ISALinks to an external site.

• https://www.technologyreview.com/2022/04/12/1049586/russian-hackers-tried-to-bring-down-ukraines-power-grid-to-help-the-invasion/

• https://www.headmind.com/fr/industroyer-2/

• chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf