Hundreds of thousands of homes in Ukraine were left without electricity last week after malware infected the networks of regional power companies, according to Ars Technica.
iSIGHT, the security firm cited in that report, said it had obtained samples of the malicious code from at least three regional power operators. It was this code that supposedly caused “destructive events” that resulted in the blackout, which happened on December 23.
If confirmed, the incident will be the first time hackers have successfully used malware to generate a power outage.
“It’s a milestone because we’ve definitely seen targeted destructive events against energy before — oil firms, for instance — but never the event which causes the blackout,” John Hultquist, head of iSIGHT’s cyber espionage intelligence practice, told Ars Technica. “It’s the major scenario we’ve all been concerned about for so long.”
iSIGHT isn’t the only security company analysing the attack.
Researchers at a firm called ESET also confirmed that multiple power companies in Ukraine had been infected with “BlackEnergy,” a malware package that was first identified in 2007.
The BlackEnergy package was updated two years ago to make it more effective, and it now has an ability that makes it impossible to reboot infected computers (i.e. it can render the machine completely unusable).
Another cause for concern is the fact that ESET recently discovered the BlackEnergy package has been updated with a component called KillDisk, which has the ability to destroy critical parts of a computer hard drive and sabotage industrial control systems, including those used by power companies. The latest version of BlackEnergy is reported to include a backdoored “Secure Shell Utility” that gives attackers permanent access to infected computers.
ESET was unable to confirm that BlackEnergy was directly responsible for last week’s outage. However, in a blog post published on Monday, ESET researchers wrote:
Our analysis of the destructive KillDisk malware detected in several electricity distribution companies in Ukraine indicates that it is theoretically capable of shutting down critical systems. However, there is also another possible explanation. The BlackEnergy backdoor, as well as the recently discovered SSH backdoor, themselves provide attackers with remote access to infected systems. After having successfully infiltrated a critical system with either of these trojans, an attacker would, again theoretically, be perfectly capable of shutting it down. In such a case, the planted KillDisk destructive trojan would act as a means of making recovery more difficult.
The hackers using BlackEnergy, which iSIGHT has nicknamed the “Sandworm” gang, are thought to be behind a number of other attacks, including one on NATO (the North Atlantic Treaty Organisation), several on Ukrainian and Polish government agencies, and a host of others on the private sector.
Researchers at ESET believe the Ukrainian power authorities may have been infected via Microsoft Office documents that contained “booby-traps” hidden within their macro functions.
“If true, it’s distressing that industrial control systems used to supply power to millions of people could be infected using such a simple social-engineering ploy,” wrote Ars Technica security editor Dan Goodin in his report. “It’s also concerning that malware is now being used to create power failures that can have life-and-death consequences for large numbers of people.”
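The infection vector described above, a Microsoft Office document carrying a malicious macro, is something a mail gateway or triage workflow can flag before the file ever reaches a user. The following script is an added example written for this page; it is not code from the article, from ESET or from iSIGHT, and it uses only the Python standard library. It inspects a document's bytes and reports whether it carries a VBA macro project: for the zip-based OOXML formats (.docx, .docm, .xlsm) it looks for the embedded vbaProject.bin part and the matching content-type declaration; for the legacy OLE binary formats (.doc, .xls) it applies a cheap heuristic, searching the raw stream for the `_VBA_PROJECT` name, and otherwise reports that macros cannot be ruled out without a full OLE parser. The sample documents, file names and the `triage` verdict format are constructed for the demonstration and are not real malware.

```python
import io
import zipfile

# Format magic numbers: the zip header used by OOXML packages and the
# compound-file header used by legacy binary Office documents.
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type that an OOXML package declares for its VBA project part.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def find_macro_indicators(data: bytes) -> list:
    """Return the reasons a document should be treated as macro-bearing.

    An empty list means no indicator was found; it does not prove the file is safe.
    """
    findings = []
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                # The VBA project is stored as a binary part inside the package.
                for name in names:
                    if name.lower().endswith("vbaproject.bin"):
                        findings.append(f"embedded VBA project part: {name}")
                # The content-types manifest also declares the VBA part.
                if "[Content_Types].xml" in names:
                    if VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                        findings.append("content types declare a vbaProject")
        except zipfile.BadZipFile:
            findings.append("zip magic but unreadable package (possible tampering)")
    elif data.startswith(OLE_MAGIC):
        # Legacy binary formats need a real OLE parser for certainty. As a cheap
        # triage heuristic (an assumption of this example), the name of the VBA
        # project stream is usually visible as UTF-16 text inside the file.
        if "_VBA_PROJECT".encode("utf-16-le") in data or b"_VBA_PROJECT" in data:
            findings.append("legacy OLE document with a VBA project stream")
        else:
            findings.append("legacy OLE document: macros cannot be ruled out without full parsing")
    return findings


def build_ooxml(parts: dict) -> bytes:
    """Constructed helper: pack parts into a minimal OOXML-style zip for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample documents (placeholders, not real malware).
BENIGN_DOCX = build_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" '
                           b'ContentType="application/vnd.openxmlformats-officedocument'
                           b'.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
})
MACRO_DOCM = build_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/vbaProject.bin" '
                           b'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\x00placeholder VBA project bytes\x00",
})
LEGACY_DOC_WITH_VBA = (OLE_MAGIC + b"\x00" * 64
                       + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 16)


def triage(name: str, data: bytes) -> str:
    """Mail-gateway style verdict: quarantine if any macro indicator is present."""
    findings = find_macro_indicators(data)
    verdict = "QUARANTINE" if findings else "ALLOW"
    return f"{verdict} {name}: " + ("; ".join(findings) or "no macro indicators")


if __name__ == "__main__":
    samples = [("report.docx", BENIGN_DOCX),
               ("invoice.docm", MACRO_DOCM),
               ("old.doc", LEGACY_DOC_WITH_VBA)]
    for fname, blob in samples:
        print(triage(fname, blob))
```

The check deliberately ignores the file extension and looks at the bytes, because a macro-enabled package renamed to .docx still carries its vbaProject.bin part. In a real deployment the legacy-OLE branch should hand the file to a proper OLE parser rather than rely on the string heuristic, and an "ALLOW" verdict should still be combined with the usual policy of blocking macros from internet-sourced documents.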
Last week, Reuters reported that Ukrainian authorities were investigating a suspected cyber attack on the country's power grid.
ESET has published technical details about the latest BlackEnergy package here.