Madis Leinakse

Cyber attacks on the Ukrainian power grid

Discussion created by Madis Leinakse Partner on 12-Jan-2017
Latest reply on 13-Jan-2017 by Lukas Galdikas

The Ukrainian power system faced a cyber attack on December 23, 2015:

Who Hacked The Lights In Ukraine? | Motherboard 


Some nice slides describing the used cyber kill chain in relatively simple language (I have seen some difficult-to-understand reports as well): www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf

One of the first steps seems to have been e-mailing MS Office files that requested the use of macros and installed the malware.


After some steps, this led to the following:

• Supporting attacks:
  - Schedule disconnects for UPS systems
  - Telephonic floods against at least one oblenergos’ customer support line
• Primary attack: SCADA hijack with malicious operation to open breakers
• Amplifying attacks:
  - KillDisk wiping of workstations, servers, and an HMI card inside of an RTU
  - Firmware attacks against Serial‐to‐Ethernet devices at substations


A second (known) attack, this time an attack on the transmission system, took place on December 17, 2016:

The Ukrainian Power Grid Was Hacked Again | Motherboard

According to the article, the method of attack involved switching off substation RTUs and seemed to be more of a demonstration of the hackers' abilities.
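The supporting / primary / amplifying grouping listed above is useful for a defender because no single event in it is conclusive on its own (a breaker-open command or a UPS maintenance schedule is routine), while several of them landing in one time window is not. The Python script below is an added example, not code from this discussion or from the E-ISAC/SANS report it links to: it tags constructed log lines with the stage they belong to and raises an alert only when a breaker-open command is accompanied by a supporting or amplifying event within an hour. The log format, the event wording, the rule strings and the one-hour window are all assumptions made for the example; a real deployment would map the rules onto the site's own mail-gateway, UPS, PBX, HMI and host-integrity logs.

```python
"""Stage-based correlation of constructed IT/OT events (example, not the post's own code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format: "<ISO timestamp> | <source> | <message>".
# Each line mirrors one attack component listed in the post; none of it is real telemetry.
SAMPLE_LOG = """\
2015-12-23T15:02:11 | mailgw    | attachment=invoice.xlsm macro_enabled=yes recipient=ops
2015-12-23T15:04:40 | ups-mgmt  | scheduled shutdown created by user=ops for 2015-12-23T15:30
2015-12-23T15:20:05 | pbx       | inbound call volume 940/min on customer-support line
2015-12-23T15:25:30 | scada-hmi | breaker OPEN command feeder=F12 operator_session=remote
2015-12-23T15:26:02 | scada-hmi | breaker OPEN command feeder=F13 operator_session=remote
2015-12-23T15:31:10 | host-ws04 | disk wipe detected: MBR overwritten
2015-12-23T15:33:45 | sub-gw02  | firmware update pushed to serial-to-ethernet converter
"""

# A routine, isolated switching operation (constructed) that must not raise an alert.
BENIGN_LOG = """\
2016-01-05T09:12:00 | scada-hmi | breaker OPEN command feeder=F07 operator_session=local
"""

# Stage names follow the post's grouping (plus the initial macro-document step).
# The substrings are assumptions about how such events might read in a site's logs.
RULES = [
    ("initial_access", ("macro_enabled=yes",)),
    ("supporting", ("scheduled shutdown", "call volume")),
    ("primary", ("breaker OPEN command",)),
    ("amplifying", ("disk wipe", "firmware update pushed")),
]


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str
    msg: str


def parse_line(line: str) -> Event:
    """Split one 'timestamp | source | message' line into an Event."""
    ts, source, msg = (part.strip() for part in line.split("|", 2))
    return Event(datetime.fromisoformat(ts), source, msg)


def classify(event: Event) -> str | None:
    """Return the attack stage an event belongs to, or None for unremarkable events."""
    for stage, needles in RULES:
        if any(needle in event.msg for needle in needles):
            return stage
    return None


def correlate(events: list[Event], window: timedelta = timedelta(hours=1)) -> list[dict]:
    """Alert on each cluster of primary-attack events that has supporting or
    amplifying activity within `window`; nearby primary events share one alert."""
    tagged = [(e, classify(e)) for e in sorted(events, key=lambda e: e.ts)]
    alerts: list[dict] = []
    for event, stage in tagged:
        if stage != "primary":
            continue
        lo, hi = event.ts - window, event.ts + window
        nearby = {s for other, s in tagged if s and lo <= other.ts <= hi}
        if not nearby & {"supporting", "amplifying"}:
            continue  # an isolated breaker operation is routine, not an alert
        if alerts and event.ts - alerts[-1]["last_primary"] <= window:
            alerts[-1]["last_primary"] = event.ts
            alerts[-1]["stages"] |= nearby
        else:
            alerts.append({"first_primary": event.ts, "last_primary": event.ts, "stages": set(nearby)})
    return alerts


def analyze(log_text: str) -> dict:
    """Parse a log, count events per stage and run the correlation."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    counts: dict[str, int] = {}
    for event in events:
        stage = classify(event)
        if stage:
            counts[stage] = counts.get(stage, 0) + 1
    return {"events": len(events), "stage_counts": counts, "alerts": correlate(events)}


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("benign", BENIGN_LOG)):
        result = analyze(name and log)
        print(name, result["stage_counts"])
        for alert in result["alerts"]:
            print("  ALERT", alert["first_primary"], "->", alert["last_primary"], sorted(alert["stages"]))
```

The design choice worth copying is that the primary event (the breaker command) is the anchor and the other stages only add confidence: the same script run over the benign line returns no alert, which keeps routine switching out of the alert queue while still catching the combination the post describes.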

Outcomes