“Without change, something sleeps inside us, and seldom awakens. The sleeper must awaken.”

This quote from Dune is one of my favorites because it speaks so well to the phenomenon we see around cyber attacks, particularly those targeting critical infrastructure. In many instances the industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems that run such infrastructure have been in place for years. Hesitant to make changes for fear of causing disruption, operators seldom update these systems. But aging infrastructure and other security weaknesses are creating opportunities for hackers, as evidenced by the attack on the Ukraine power grid on December 23, 2015.

I was invited to speak at BSides Philadelphia and presented the story of this attack. For this blog I will briefly recap the steps of the attack and why and how “the sleeper must awaken.” You can watch the full presentation here.

There are three main points to take away from this attack, also referred to as the BlackEnergy Power Grid Hack based on the name of the malware used.

1 – It was the first time in history that someone brought down a power grid by cyber attack.

2 – It was a very coordinated operation that targeted three different sites and a call center, all of which went down at the same time.

3 – Approximately 225,000 people lost power and many more lost confidence in the service.

We now know that the attack was technically sophisticated and that it took six months from the first intrusion to the actual power outage. In other words, for six months the attackers stayed under the radar – plenty of time to ensure flawless execution.

So, what happened during this period time? This first stage of the attack consisted of the intrusion and lateral movement across networks. The attacker weaponized an Microsoft Office document with an attachment, in this case a decoy document that embedded a BlackEnergy dropper. The delivery method was spearphishing. Emails were sent to individuals on the network who took the bait – they opened the attachment that enabled a macro designed to exploit a specific Microsoft vulnerability. When not patched, the vulnerability allows remote execution of embedded executables, in this case the dropper for the BlackEnergy malware.  

At this point, to validate the process Windows 64 bit requires a digital signature. But BlackEnergy changed the boot configuration to allow for temporary signatures. Making this change can alert the user with an on-screen “test mode” message. So, to remain undetected, BlackEnergy ran a patch to mask the “test mode” text so it is not visible. The malware also masked the typical User Account Control (UAC) pop-up that automatically comes up. Next, it located an available, disabled driver and replaced it with a malicious DLL driver.

We’re now into the second stage of the attack, focused on the ICS itself. With the DLL up and running, the attackers can now use a library of plug-ins for different types of capabilities from stealing passwords to destroying systems, taking screen shots, key logging, etc. Using stolen credentials, the hackers were able to conduct network discovery, locate the SCADA system and disable UPS systems to eliminate backup once power is out. Using the system information gathered, they developed firmware specific to the sites they planned to compromise and simulated the attack in their own test environment to make sure it worked flawlessly.

After six months they were ready to launch the attack and executed three critical activities simultaneously. They accessed the human machine interface (HMI) remotely to flip off the breaker. They used KillDisk to remove all evidence, render the SCADA system unusable and wiped the hard drive. And, as a final blow, they launched a telephony-based denial of service (DoS) attack into call centers so that when those who lost power tried to call to report it, they couldn’t get through.

Wow! No wonder it took six months to execute. This attack was extremely targeted, orchestrated, multi-faceted, and tested.

So what could have been done to detect and stop malicious activity sooner? It starts with indicators of compromise (IoCs) – a topic near and dear to my heart that I discussed in a previous blog.

At each point during the attack you can use various tools to gather IoCs – sometimes just pieces of data without context but that may, when tied together and overlaid with additional information, reveal malicious behavior. These tools can include: sandboxes for malware, network packet capture and analyzer tools, observables (key words, file name, hash files, DLLs, registry keys) and threat data feeds (open source, commercial, and industry-specific). With a threat intelligence platform, like ThreatQ, you can aggregate IoCs from these disparate systems and tools and add context to learn more. For example, you can cross-correlate internal log files with external IoCs or you can use enrichment tools, like VirusTotal, that provide history related to a piece of malware or an IP address for additional context. IoCs could have helped to detect that credentials were being misused, that a VPN tunnel was being created to access the HMI, that the UPS system was being modified, etc.

The Ukraine BlackEnergy Power Grid hack created a power outage that lasted for a few hours. It could have been much worse. We can be sure that similar attacks are on the horizon, but there are measures we can take to mitigate risk.

As I mentioned before, our critical infrastructure systems are largely legacy systems and all use similar network structures. They aren’t being patched for fear of disrupting operations. The specific vulnerability used within this attack can be patched. But that’s not the only vector for intrusion. Additional layers of security and policies can strengthen defenses and help to address human behavior which remains the weakest security link. In this case network segmentation, staff training, password policy enforcement, and a threat intelligence platform that mines, classifies, scores and correlates IoCs are just a few techniques that could have helped detect and stop the attack. The sleeper must awaken.