Slashdot Mirror


Ukraine Power Station Outage -- Enabled By Malware, But Not Caused By Malware (sans.org)

itwbennett writes: A new study of a recent cyberattack against Ukrainian power companies suggests malware didn't directly cause the outages that affected at least 80,000 customers. While malware was used to gain access to networks, the attackers then opened circuit breakers that cut power, according to information published Saturday by the SANS Industrial Control Systems (ICS) team. The attackers used direct intervention to try to mask their actions to the power systems operators and also conducted denial-of-service attacks on the utilities' phone systems to block complaints from affected customers, SANS said.

35 comments

  1. I think that's the stupidest summary ever. by Anonymous Coward · · Score: 1

    The malware didn't cause the outages, the circuit breakers that the malware allowed the hackers to open caused it. To me, that's a distinction without a difference.

    1. Re:I think that's the stupidest summary ever. by plover · · Score: 2

      It wasn't the summary's fault. It's an accurate summary of a really stupid article. But it's in CSO Online magazine, so consider the audience is not the sharpest technical group. To them, it's all technobabble.

      --
      John
    2. Re:I think that's the stupidest summary ever. by Anonymous Coward · · Score: 0

      No, the fact that the network was accessible to the public is the stupidest thing ever. Hackers break into a system's edge defense and cause havoc. Shocker. Ever consider a private network as opposed to a VPN on a public network?

    3. Re:I think that's the stupidest summary ever. by fustakrakich · · Score: 1

      God really! And did you see their prices? Damn! Compilation is good business...

      --
      “He’s not deformed, he’s just drunk!”
    4. Re:I think that's the stupidest summary ever. by thegarbz · · Score: 1

      To me, that's a distinction without a difference.

      There's a very clear distinction to me. It implies that this was not some complicated malware attack like Stuxnet which was specifically crafted to act as the payload. Rather it was just some malware designed to let someone in to manually do something malicious.

      The complexity of the malware alone can differentiate who is implicated in the attack and it shows that this attack is very different from some other attacks on industrial systems.

  2. Sheesh by Ol Olsoc · · Score: 2

    A very fine sharp dividing line here.

    Yes your honor, I stabbed the victim a hundred times. But it wasn't me - it was the knife that did the cutting.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    1. Re:Sheesh by aicrules · · Score: 4, Insightful

      It's more like if you leave a shim in a door on your way out of a light bulb plant, then later come back and use that door to gain access and then proceed to smash hundreds of bulbs. The shim wasn't what destroyed the light bulbs, but it sure did come in handy to let you do it when you wanted to. If the shim placed in the door then sprung to life at a predetermined time and went about smashing bulbs on its own, then that would be akin to what they were originally thinking. Overall it doesn't matter too much to the crime committed, but from a technological standpoint it means the malware had less complex behavior built into it than they were giving it credit for.

    2. Re:Sheesh by gstoddart · · Score: 1

      No, not really .. malware was one of many pieces which enabled this to happen, but the malware did not directly do the attack. The malware was used to get a foothold, and to cover their tracks. But the actual attacks were more targeted and used other things.

      This is more like someone exploiting an issue with your security system to gain access to your home so they could target your wall safe.

      The malware itself wasn't the core of the attack, but it was an enabling and contributing aspect of the actual attack.

      Assante wrote that KillDisk wouldn't have been compatible with the type of SCADA (supervisory control and data acquisition) systems used by utilities. But it may have been employed to wipe other files that would have helped to restore systems.

      Your knife analogy is wrong.

      --
      Lost at C:>. Found at C.
    3. Re:Sheesh by sycodon · · Score: 0

      The Knife didn't kill him. It was the blood loss.

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    4. Re:Sheesh by Ravaldy · · Score: 1

      I'm still amazed that a system like this was accessible remotely. I know people that work for Hydro Quebec and they tell me the controls are 100% offline.

    5. Re:Sheesh by Anonymous Coward · · Score: 0

      No, not really .. malware was one of many pieces which enabled this to happen, but the malware did not directly do the attack. The malware was used to get a foothold, and to cover their tracks. But the actual attacks were more targeted and used other things.

      This is more like someone exploiting an issue with your security system to gain access to your home so they could target your wall safe.

      The malware itself wasn't the core of the attack, but it was an enabling and contributing aspect of the actual attack.

      Assante wrote that KillDisk wouldn't have been compatible with the type of SCADA (supervisory control and data acquisition) systems used by utilities. But it may have been employed to wipe other files that would have helped to restore systems.

      Your knife analogy is wrong.

      Why is it thought that this malware would not be compatible with current generation SCADA systems? Like it or not, most of them are Windows based these days. This did not used to be true, but, unfortunately, it is today. Now the actual control devices are NOT Windows devices (at least not the good ones), but once you have an access path to them, your only constraint is simple username/password, and many of these devices are particularly weak in this aspect. E.g., they pass passwords in the clear over the network.

  3. Ukraine is weak by Joe_Dragon · · Score: 1, Funny

    Ukraine is weak

    1. Re:Ukraine is weak by Anonymous Coward · · Score: 0, Insightful

      When Ukraine traded its nuclear weapons for a promise that Russia respect its territory, they made a bad deal. If they had those weapons today, Russia wouldn't have taken Crimea, nor would they have sent troops into the east.

    2. Re: Ukraine is weak by Anonymous Coward · · Score: 0

      Whoosh!

    3. Re:Ukraine is weak by phantomfive · · Score: 1
      --
      "First they came for the slanderers and i said nothing."
    4. Re:Ukraine is weak by sageres · · Score: 0

      Agree 100%. Someone mod the parent up please!

    5. Re:Ukraine is weak by phantomfive · · Score: 2

      When Ukraine traded its nuclear weapons for a promise that Russia respect its territory, they made a bad deal.

      They basically had no choice unless they wanted to be completely isolated by the rest of the world. The east and west were both united against them on that point.
      Maybe they could have gotten a better deal if Donald Trump were negotiating for them, after all, he's the world's best negotiator, but there is no way they were keeping their nuclear weapons.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:Ukraine is weak by Anonymous Coward · · Score: 0

      His casinos are uninhabited, he can keep them there..

    7. Re:Ukraine is weak by 93 Escort Wagon · · Score: 1

      Ukraine is weak

      It is feeble! I think it is time to put the hurt on Ukraine...

      --
      #DeleteChrome
  4. Attack was Timed... So what? by bobbied · · Score: 1

    About all this says over what we previously knew is that apparently the attackers picked the time of the outage and then had multiple attack points to prevent the operator from being able to effectively disrupt what the attackers were doing. This is different from some virus infection that just so happened to disrupt the operation of the equipment.

    But this all matters to me why? Ukraine isn't known for its security, physical or network. Ukraine isn't known for using the best of technology in their power generation equipment given the worst nuclear accident in history took place here. This attack had an incredibly small affected area and only involved 80,000 customers. This is roughly equal to vandalizing a subway train with spray paint in front of a sleeping transit cop. Yea, it looks bad, but it only happened because somebody was asleep on the job in an ex-soviet country awash in Vodka and violence...

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  5. The attackers used direct intervention to try to mask their actions to the power systems operators and also conducted denial-of-service attacks on the utilities' phone systems to block complaints from affected customers

    Ok, this has gone far enough. Time to get James Bond involved.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    1. Re:0h 0h by Errol backfiring · · Score: 1

      He was a bit shaken by the power outage. But not stirred.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    2. Re:0h 0h by Anonymous Coward · · Score: 0

      I wonder if the Russians get any complaints for the suddenly leaky roofs and broken windows. Car insurance must be a real laugh.

      Really, what is the nature of a consumer complaint in a place like Ukraine or Somalia, places like that? They fix it by sending an army guy to shoot them, right?

  6. Re:Probably russian hackers by Fire_Wraith · · Score: 3, Interesting

    Even Putin isn't indiscriminately using force in any of the conflicts in the Ukraine. Even if no one believes that "it's really just the separatists, not Russian troops pretending to be separatists" bit, it's an important fig leaf of plausible deniability. Putin still seems to feel it's important to be able to pretend to be doing this stuff.

    And it would be the same with this. Assuming the Russians were behind it, they'd likely be using this method in part because it obscures their connection to the point that, despite everyone thinking they did it, no one can prove it beyond a reasonable doubt. Which, if you think about it, is sort of the best of both worlds. You get the intimidation factor that comes with people not wanting to mess with you, but also without the consequences of having gotten caught doing it.

  7. The US isn't different by whitroth · · Score: 1

    It's *full* of moronic CEOs who want Everything Internet Enabled!!!.. and some not only do not have air gaps between the grid controls and the 'Net, but don't even know what the words "air gap" mean.

    --
    mark

  8. Hmmm.... by Anonymous Coward · · Score: 0

    Given the coordinated efforts it really sounds like the attack had to be state sponsored.

    Now who would want to mess with Ukraine?

    -PinkyGiggleBrian (too lazy to log in at the moment)

  9. lights out "Ted Koppel" by Anonymous Coward · · Score: 0

    I haven't read it yet myself.