Ukraine Power Outage May Be the First One Caused By Hackers (arstechnica.com)

← Back to Stories (view on slashdot.org)

Ukraine Power Outage May Be the First One Caused By Hackers (arstechnica.com)

Posted by Soulskill on Tuesday January 5, 2016 @07:35AM from the now-things-get-interesting dept.

bricko notes a report on what appears to be the first power outage known to have been caused by hackers: Highly destructive malware that infected at least three regional power authorities in Ukraine led to a power failure that left hundreds of thousands of homes without electricity last week, researchers said. ... On Monday, researchers from security firm iSIGHT Partners said they had obtained samples of the malicious code that infected at least three regional operators. They said the malware led to "destructive events" that in turn caused the blackout. If confirmed it would be the first known instance of someone using malware to generate a power outage.

Over the past year, the group behind BlackEnergy has slowly ramped up its destructive abilities. Late last year, according to an advisory from Ukraine's Computer Emergency Response Team, the KillDisk module of BlackEnergy infected media organizations in that country and led to the permanent loss of video and other content. The KillDisk that hit the Ukrainian power companies contained similar functions but was programmed to delete a much narrower set of data, ESET reported. KillDisk had also been updated to sabotage two computer processes, including a remote management platform associated with the ELTIMA Serial to Ethernet Connectors used in industrial control systems.

46 of 62 comments (clear)

Min score:

Reason:

Sort:

Re:Cowards... by Rei · 2016-01-05 07:55 · Score: 4, Insightful

Hmm, organized hacking efforts that keep hitting important Ukrainian entities, with targeted code that can take out industrial systems... I can't imagine who could possibly be behind this.

--
Shiny New Australia.
Isn't this the same as... by Jonah+Hex · 2016-01-05 07:56 · Score: 2

this story that's still on the front page? http://it.slashdot.org/story/1...

--
Horror & SciFi Erotic Nudes
1. Re:Isn't this the same as... by SeaFox · 2016-01-05 08:06 · Score: 2
  
  Since the title is different the editors don't consider it a dupe.
Estonia? by Carewolf · 2016-01-05 08:00 · Score: 2

Didn't Putin Jugend already do something similar in Estonia?
It's always someone else's fault in Ukraine by Anonymous Coward · 2016-01-05 08:09 · Score: 3, Interesting

Couldn't it be that Ukrainian power networks are just old and crumbling, management and specialists are incompetent and the cold weather last week didn't help? But hey, it's much easier to blame it on hackers, who are "clearly" sponsored by Putin himself.
And sure enough Ukraine simply blows up power lines going to Crimea to leave 2 million people without power in the midst of winter - no hackers needed.
1. Re:It's always someone else's fault in Ukraine by guestapoo · 2016-01-05 10:05 · Score: 2
  
  That is! I would mod this up, but I have just commented, which could strengthens your point:
  
  Avakov:
  
  Maidan is being completely discredited, that's what's going on! They are sellingn off Ukraine piece by piece. No doubt this is a Russian FSB project.
  Yatsenyuk:
  
  Those who demand to increase social payments and salaries from Ukrainian budget, are FSB agents.
2. Re:It's always someone else's fault in Ukraine by rtb61 · 2016-01-05 16:37 · Score: 1
  
  More likely a pack of ass clowns stupidly hooked up an essential service to the internet because 'er' 'um', ass clowns. It was just a matter of time before it was taken down, nationality of black hats is pretty much arbitrary as black hats from all over the globe would have taken it down including those from inside the Ukraine but outside of course outside the affected region, especially if they were having a digital spat with those in that particular region. The attack nothing fancy at all, a MS Office document macro attack, where the hell is the security. A emailed document macro taking down a power station, talk about fucking amateur ass clowns being in charge, all those involved in not securing those system properly should be fired. Using fancy smancy names like BlackEnergy and KillDisk just really pathetic lame attempts at retaining employment ie not out fault really professional Russian government hackers, nope really lame security and amateur hackers who got in with an attempt that should have totally failed. Sure a system I was looking after got hacked by a document macro but that was near two decades ago and security services were just coming into force and I swapped from windows to Linux servers there and then and ran a full suite of security tools on top, never got hacked again on that system. Let me guess those Ukrainian system admins car pool to work in a clown car, all tumbling out when the car runs into the buildings back door, they one they leave open for easy access. In this case you have to be cruel to be kind, the only response for a admin team who fails to properly secure a power stations systems in this day and age is a thorough and very public firing.
  
  --
  Chaos - everything, everywhere, everywhen
Another form of terrorism by Theovon · 2016-01-05 08:12 · Score: 1

I know that some people throw around the term “terrorism” too much. But this is a sad and increasing element of our modern society. When setting off bombs, the terrorists have to go through huge efforts to go to the target and plant bombs without getting caught. You know you’re killing humans. The terrible thing about cyberterrorism is that it’s too much like Ender’s game. From the comfort of their homes, they can take out infrastructures 1000s of miles away, and the people they’re affecting are dehumanized, because the terrorists never have to face their victims in any way. Hahaha, we took out the electrical grid, but we’re conveniently blind to the fact that we’re shutting down hospitals longer than their backup generators can handle.
I really wish I knew more about cybersecurity, because I would love to get involved in the defense against this kind of terrorism and wanton destruction. I want to protect against attacks and also develop ways of identifying the attackers so they can be arrested and stopped before they can do any damage.
I don’t care if someone hates me for being part of the “Christian West” or whatever. They can argue with me and call me all sorts of offensive things, and I think that is their right to have an opinion. I mean, I think sexist, racist, and homophoic remarks are terribly distasteful, but I think that people should have the right to have a distasteful opinion. It’s only when you injure someone or directly interfere in their lives does something become criminal. These terrorists are criminals, and everyone else needs to work very hard to stop the spread of this kind of behavior.
1. Re:Another form of terrorism by khasim · 2016-01-05 08:23 · Score: 2
  
  I want to protect against attacks ...
  You mean like telling upper management that putting the control systems ON THE INTERNET is a really stupid idea?
  Good luck with that.
  How about restricting access to one system (and a backup) that requires real two-factor-authentication AND IS NOT ON THE INTERNET?
2. Re:Another form of terrorism by wyHunter · 2016-01-05 09:30 · Score: 1
  
  But how could we do that? Then, we couldn't hire folks for $.02 per month in other parts of the world to do stuff for us!
3. Re:Another form of terrorism by amorsen · 2016-01-05 09:44 · Score: 1
  
  Designing control systems with the view that they are disconnected from the Internet leads the developers to become lazy.
  Every system has some level of connection to the Internet today. If nothing else, the software needs updating, and those updates will almost certainly be fetched over the Internet.
  Control system developers need to deal with this reality. That means getting patches installed immediately after they become available -- tricky, because today most serious SCADA installations rely on in-house testing for days or weeks before deploying to production. It also means designing protocols to be safe when used over hostile infrastructure, and having authentication that does not just rely on IP addresses or supposedly-secure networks.
  We are very far from this today.
  
  --
  Finally! A year of moderation! Ready for 2019?
4. Re:Another form of terrorism by just+another+AC · 2016-01-05 14:32 · Score: 1
  
  If nothing else, the software needs updating, and those updates will almost certainly be fetched over the Internet.
  For mission critical systems of vital infrastructure:
  1. All changes (including every minor update) should be done manually, after a significant test period.
  2. Changes should only be made as necessary (where it can be proven there is an existing vulnerability/flaw).
  For powerstation control systems, if it ain't broke, dont fix it. They don't need to be running the latest OS. They don't need to be streaming social media updates. Get them off the damn internet.
  But of course this is completely against the profit at all costs capitalism society we live in. And due to the lack of effective penalties that can be levied against corporations, we have no way of changing this.
5. Re:Another form of terrorism by amorsen · 2016-01-05 20:47 · Score: 1
  
  You say the completely opposite of my post, but you provide no arguments why your position is correct and mine is wrong.
  You did not deal with the most important point:
  
  Every system has some level of connection to the Internet today.
  This is simply unavoidable. It might be air gapped, but it will still have an indirect connection in the form of USB sticks or other media transfers. And since that is the case, the old way of working is no longer an option.
  
  --
  Finally! A year of moderation! Ready for 2019?
Re:Cowards... by phantomfive · 2016-01-05 08:16 · Score: 1

it is simply cowardly to attack the electrical system.
As opposed to actually shooting people with guns?

--
"First they came for the slanderers and i said nothing."
"Hackers" of the past by davidwr · 2016-01-05 08:24 · Score: 1

In times past when you wanted to "hack" the power lines you used an axe or something similar.
Or maybe those were "whackers" *whackwhackwhack*.

--
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
1. Re:"Hackers" of the past by phantomfive · 2016-01-05 08:58 · Score: 1
  
  Serious question.....has anyone ever actually used an ax to chop down a telephone pole? As a terrorist act?
  
  --
  "First they came for the slanderers and i said nothing."
2. Re:"Hackers" of the past by Locke2005 · 2016-01-05 11:07 · Score: 1
  
  Us technologically advanced rednecks use chainsaws to take out the power grid... much faster and more satisfying! If use an axe, your beer usually gets warm before you finish taking down the pole.
  
  --
  I've abandoned my search for truth; now I'm just looking for some useful delusions.
3. Re:"Hackers" of the past by davidwr · 2016-01-07 10:23 · Score: 1
  
  Serious question.....has anyone ever actually used an ax to chop down a telephone pole? As a terrorist act?
  Probably in the 19th century, but it might have been a telegraph pole.
  I'm sure there have been some one-off cases of people taking out utility poles in the 20th and maybe even the 21st century that could be classified as "a terrorist act" by modern "definitions" which sweep lost of "acts done in anger/for revenge" under the "terrorism" label, but as someone else mentioned, they probably used something faster than an ax.
  
  --
  Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Re:Cowards... by U2xhc2hkb3QgU3Vja3M · 2016-01-05 08:28 · Score: 3, Funny

Aliens?
Signed,
fuzzy hairs guy.
As provided elsewhere by Bob+the+Super+Hamste · 2016-01-05 08:28 · Score: 1

As provided elsewhere here is some more information on what was actually found.

--
Time to offend someone
How is this important? by bobbied · 2016-01-05 08:36 · Score: 2

A hundred thousand customers? Drop in the bucket. Not much to see here.
What happened is 3 substations went offline. Three out of thousands of substations. In the USA we've had larger outages caused by a single squirrel who decided to become charcoal and crawled across the wrong two wires or by some hapless lineman who hit the wrong disconnect in the switchyard.
Heck, I've heard second hand where a couple of theater workers crashed the local grid on purpose back in the late 80's by wiring up every stage light they had and then bumping all the dimmers to full at 2AM. The lights all when bright just before the power shut down. The dramatic and unexpected power surge caused the local grid to disconnect and presto, hundreds of thousand of sleeping customers' power went out. I wasn't there, but I have no reason to doubt their story...
Where this idea that hackers could bring down electric service is troubling, it is not really a significant risk, nor is the way this exploit took place hard to counter. Virus scanners, firewalls, all are commonplace as are "air gapped" data networks used by utility providers in North America. And so 100,000 customers loose power sometime? Big deal. Yea it shouldn't happen, but mistakes get made and equipment sometimes fails. It's not like the restoration of power wasn't possible nearly instantly. The hack didn't cause a pile of expensive equipment to be reduced to junk, or that somebody armed with an RPG launcher (commonly available in the area) couldn't do more damage.
There are much bigger fish to fry here in the risk pool than this; Bigger fish which are much harder to protect from. Just the physical security problem presented by the hundreds of thousand substations is a bigger risk than the risk of hacking attacks. Add to that all the towers holding up the transmission lines running between all those substations. That risk is huge and literally everywhere. Why sweat the small stuff?

--
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
1. Re:How is this important? by sims+2 · 2016-01-05 09:46 · Score: 1
  
  Yep and spell check won't catch the mistake because it's still a word albeit not the correct one.
  
  --
  Minimum threshold fixed. Thanks!
2. Re:How is this important? by amorsen · 2016-01-05 09:47 · Score: 1
  
  Attacks on substations and power lines mean that you actually have to be physically nearby. Despite Putin's efforts, it is also easier to identify men in green uniforms with tools to do such acts than it is to say for sure that e.g. Israel made Stuxnet.
  Everything just scales better when you automate it.
  
  --
  Finally! A year of moderation! Ready for 2019?
3. Re:How is this important? by bobbied · 2016-01-05 10:01 · Score: 1
  
  Everything just scales better when you automate it.
  Not in this case. Automation of such an attack implies you have your exploit installed on a lot of separate systems and you can access them all remotely. Even in this case, the number of compromised systems was limited and the damage was exceedingly light. Plus this is Ukraine, home of Chernobyl and other well designed soviet technologies. Am attacker would have a much more difficult time in North America.
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Re:AIR GAP by phantomfive · 2016-01-05 08:57 · Score: 2

And to think that a FREE air gap would have prevented this.
It's more than just an air gap. We know that an air gap isn't enough to stop hacking, although it helps and recommendable.

If you want to have secure software, you need to think about security from the very beginning. US infrastructure is at risk because SCADA programmers didn't think about security from the ground up, which you really should if you're going to be running anything critical on software.

--
"First they came for the slanderers and i said nothing."
why is critical infrastructure on the internet? by lkcl · 2016-01-05 08:58 · Score: 5, Insightful

i've said it once and i'll say it again: what the FUCK is wrong with people who think it's okay to put a country's critical infrastructure on the public internet AT ALL? there should be absolutely no way that power, water, gas, electricity or any kind of public utility should be even VAGUELY "internet connected". to anyone considering responding "but they might want to quotes manage quotes the infrastructure" then they should fucking well have a private closed-loop network or pay key emergency staff to live right next door to the infrastructure. there's a whole boat-load of long-range communications options that don't involve the public internet, which we *know* is wide-open to attack. any country that doesn't have laws in place which make it illegal for critical infrastructure to be on the public internet is quite literally asking for trouble. you don't leave the door to your house unlocked and then complain "but someone stole all my stuff!" - this is exactly the same thing.
1. Re:why is critical infrastructure on the internet? by mongothesecond · 2016-01-05 09:02 · Score: 2
  
  ... you mean like America? Use Shodan to look for SCADA devices. Not hard to find.
2. Re:why is critical infrastructure on the internet? by swb · 2016-01-05 09:28 · Score: 1
  
  Probably because a good chunk of "critical infrastructure" runs on bog-standard Wintel systems that have reached the point where they almost don't work without a continuous Internet connection for licensing, updates, and non-stop marketing data.
  I agree that not airgapping is d-u-m-b, but I also think the people who do it basically run up against all the usual obstacles of time, skill and resources in building out systems that work in an expected manner without Internet access and somebody, somewhere decides that a deadline must be met, a budget must be met, etc and it just becomes easier to bridge that gap than explain to a bunch of nontechnical executives who have already spent expected bonuses why their deadline was unrealistic when a whole bunch of extra work had to be done to operate the products in a manner contrary to the manufacturers built-in expectations of connectivity.
  I think they're both to blame, but I kind of blame the software vendors more because they are the ones who make it so inordinately more complex and cumbersome to use their products without a continuous Internet connection. And most of the time the benefit isn't really to the product owner, but to the manufacturer who wants to data to further their own goals.
3. Re:why is critical infrastructure on the internet? by wyHunter · 2016-01-05 09:35 · Score: 1
  
  I was just gonna type this :)
4. Re:why is critical infrastructure on the internet? by Graymalkin · 2016-01-05 10:18 · Score: 1
  
  While not universally true, there's a good deal of critical infrastructure that is airgapped and "secure". What can happen is these systems end up compromised when an engineer plugs a previously invected laptop or flash drive into that secure network/system. The payload can then either infect those airgapped systems or exfiltrate data (onto the infected laptop/drive) in order to exfiltrate it to the internet once its on a connected system.
  This is the sort of hacking that is done by APTs, i.e. full blown cyber espionage. The infection can occur through highly targeted exploitation (spear phishing, etc).
  While air-gapping a critical system is easy in theory in practice it is much more difficult to truly do so. Air gaps aren't just an absence of a physical connection to the outside world but also lacking a logical connection to the outside world. That process gets much more difficult and expensive because the operator needs to build a fully isolated environment for the critical system themselves as well as any sort of management and monitoring systems.
  
  --
  I'm a loner Dottie, a Rebel.
5. Re:why is critical infrastructure on the internet? by Locke2005 · 2016-01-05 11:02 · Score: 1
  
  In windows, it it possible to disable all USB interfaces so no USB drives can be plugged in. That, and MAC address filtering on the local network switch should make it difficult to connect equipment to the airgapped local network, shouldn't it? I worked for a company that was so paranoid they actually disabled USB on all computers. I didn't tell them that anybody could easily plug in a laptop or unsecured router to the Ethernet and copy all their data anyway, precisely because I didn't want them implementing MAC address filtering and making my job a lot harder.
  
  --
  I've abandoned my search for truth; now I'm just looking for some useful delusions.
6. Re:why is critical infrastructure on the internet? by SchroedingersCat · 2016-01-05 17:26 · Score: 1
  
  It is hard to lock down pirated Windows XP.
7. Re:why is critical infrastructure on the internet? by KGIII · 2016-01-06 08:09 · Score: 1
  
  I say this mostly because I like to nitpick from time to time. But, well... I've heard it stated, and I'm inclined to agree, that the internet is itself a part of the critical infrastructure. I've even heard it stated that one should have a right to basic access - I've even heard people postulate that a minimal access level should be paid for by tax payers indirectly or by an increased tax on those who pay for full services.
  To the point!
  So, if we count the internet as a part of a country's critical infrastructure then...
  No, no I don't actually have a real point other than that. I'm also in full agreement with the rest of what you said but I suppose we should make an exception to that rule to cover then internet itself. Though, I suppose, one could argue that certain equipment that runs/facilitates the 'net shouldn't be connected to the internet itself.
  
  --
  "So long and thanks for all the fish."
Re:AIR GAP by darkain · 2016-01-05 09:00 · Score: 3, Informative

Oh, you mean like how Stuxnet couldn't infect airgapped machines? https://en.wikipedia.org/wiki/...
It's deja vue... by neo-mkrey · 2016-01-05 09:09 · Score: 1

...all over again.
Re:Cowards... by Billy+the+Mountain · 2016-01-05 09:22 · Score: 1

Hmm, I may have an unfair advantage after having read the top of this page but, if I ventured a guess I would say a group called "BlackEnergy?"

--
That was the turning point of my life--I went from negative zero to positive zero.
Re:Cowards... by radarskiy · 2016-01-05 09:44 · Score: 1

That dastardly Ukrainian Government is at it again!
Re:Cowards... by guestapoo · 2016-01-05 09:54 · Score: 2

I can imagine who behind this:
Avakov:

Maidan is being completely discredited, that's what's going on! They are sellingn off Ukraine piece by piece. No doubt this is a Russian FSB project.
Yatsenyuk:

Those who demand to increase social payments and salaries from Ukrainian budget, are FSB agents.
Why? by Locke2005 · 2016-01-05 10:58 · Score: 1

I'm still not clear on why anybody thinks it's ok to connect computers that control the power grid to the Internet. Can somebody help me out on this? Sure, smart meters would connected to the net, so you could hack the billing side of the utility. But the actual powerplant and switching station controls? If you're going to control remote switches over the 'net, wouldn't you use a secure tunnel?

--
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Re:That's what happens when you use LUDDITE Intern by Darinbob · 2016-01-05 12:59 · Score: 1

Don't worry comrade, Putin will invade the Luddites once he is done with the Ukraines.
Air gap my ass. by sshir · 2016-01-05 13:17 · Score: 2

The reason for connecting vital infrastructure systems to the Internet is very simple. Many of those systems are distributed. So you have a choice: build your own network or use existing one (Internet). In most cases building your own network is a no go for many obvious reasons. Like, for example, money, uptime, etc.
Re:Cowards... by Tough+Love · 2016-01-05 13:45 · Score: 2, Insightful

By disrupting the electrical grid you aren't helping either side, and are actively putting people at risk.
Much in the same spirit as Russia bombing civilians in Syria, don't you think?

--
When all you have is a hammer, every problem starts to look like a thumb.
Re:AIR GAP by Burz · 2016-01-05 15:46 · Score: 1

VM guests can be better isolated than air gaps.
Physical interfaces are usually more complex and exploitable than the interfaces available from a locked-down hypervisor.
Re:AIR GAP by phantomfive · 2016-01-05 17:12 · Score: 1

That paper is an advertisement for Qubes OS. Is there any part of it that you find particularly convincing? Virtual Machines can be exploited, an air gap can not unless you plug a USB stick in or similar.

--
"First they came for the slanderers and i said nothing."
Re:Cowards... by campuscodi · 2016-01-06 03:43 · Score: 1

It's war. What war do you remember being fair. Have you ever seen referees on the battlefield?
Re:That's what happens when you use LUDDITE Intern by Hognoxious · 2016-01-08 02:30 · Score: 1

Be realistic. There aren't that many who could find their own country.

--
Confucius say, "Find worm in apple - bad. Find half a worm - worse."