You may have read news stories over the New Year’s break about hackers causing power outages in Ukraine, using malware as their primary toolkit for attack.
Ars Technica went as far as to lead with the headline: “First known hacker-caused power outage signals troubling escalation.”
(You may have to read that headline several times: you need to parse signals as a verb, not a noun; and troubling as an adjective, not a verb.)
The article was perhaps a little more circumspect, suggesting that “if confirmed it would be the first known instance of someone using malware to generate a power outage,” but the story is worth learning from nevertheless.
Whether the malware was the cause of an outage, or merely a symptom of a more general security problem, isn’t clear.
The story goes roughly like this:
Company X receives an Excel file via email. The file contains macros, which don’t run by default, but if the recipient clicks to allow them, the macros install malware from a family called BlackEnergy.
BlackEnergy is what is known as a bot or zombie, which calls home to receive instructions from the remote attackers. (The malware name predates any connection with the energy industry.)
The attackers can then install various additional malware items, such as a data-trashing Trojan called KillDisk, and a modified copy of the Dropbear SSH server that has backdoor “master passwords” programmed into it.
According to security firm ESET, this malware cocktail, or parts of it, appeared at various Ukraine energy companies in December 2015.
And one Ukrainian power company, Prykarpattya Regional Energy, did blame recent local power outages on remote hackers using malware.
What actually happened can only be guessed at, of course, but if you were to end up with a raft of infected Windows computers inside your electricity distribution control centre, and those computers could be used to manage load and control power connections in your local area…
…then an attacker who could log in remotely (because he knew the secret password for a remote access Trojan you didn’t realise was installed), run commands of his choice, and then zap data on your computers to the point that they would crash and not reboot (because he could run a disk-killing Trojan from afar) would cause considerable disruption.
If he were to turn off power to a region, or a suburb, or even an individual property, that would cause an outage.
If you tried to turn the power connections back on but found you couldn’t do so until after IT had rushed around reimaging the broken computers in your control centre, that might make the outage last hours rather than minutes.
As it happens, the KillDisk Trojan that ESET says was found along with the BlackEnergy malware in Ukraine is well-equipped to leave your computer a digital mess.
KillDisk includes numerous different data-wiping components, presumably so that if the more destructive ones fail (for example because your security settings are strict enough to stop them), the less destructive ones still leave you in trouble.
In increasing order of severity, KillDisk has code for each of these:
Wipe out the Windows event log.
Delete all Windows Shadow Copy backup files.
Reinitialise logical volumes with the FORMAT command, as you might when reinstalling your operating system.
Overwrite all physical sectors (including boot sector, operating system files, swap files, applications and data) on up to 10 hard disks.
The last item really lives up to the name KillDisk, but any one of the others is likely to cause significant trouble for you and your IT department, and would put a very serious dent in your day.
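The four stages above are worth turning into a hunt, because even if the final raw-sector wipe destroys the machine, the earlier steps leave traces in telemetry that has already been shipped off the host. The following is an added example, not code from the article, from Sophos or from ESET, and it does not describe how KillDisk itself carries out these actions. It assumes endpoint telemetry is available as flattened Windows event records (Security event 4688 or Sysmon event 1 for process creation with a command line, Security event 1102 for the audit log being cleared) and that the shadow-copy deletion and volume format show up as the usual command-line tools (vssadmin, wmic, format); the host names, timestamps and records are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): flattened Windows event
# records. EventID 4688 / Sysmon 1 carry the process command line;
# EventID 1102 means the Security log was cleared. Hosts are fictional.
SAMPLE_EVENTS = [
    {"ts": "2016-01-04T09:00:01", "host": "ctrl-ws07", "EventID": 4688,
     "CommandLine": r"C:\Windows\system32\cmd.exe /c dir"},
    {"ts": "2016-01-04T09:01:10", "host": "ctrl-ws07", "EventID": 1102},
    {"ts": "2016-01-04T09:01:12", "host": "ctrl-ws07", "EventID": 4688,
     "CommandLine": r"vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2016-01-04T09:01:40", "host": "ctrl-ws07", "EventID": 4688,
     "CommandLine": r"C:\Windows\system32\format.com D: /FS:NTFS /Q /Y"},
    {"ts": "2016-01-04T09:05:00", "host": "hmi-ws02", "EventID": 4688,
     "CommandLine": r"vssadmin.exe list shadows"},          # benign: a listing, not a delete
    {"ts": "2016-01-04T10:10:00", "host": "it-admin01", "EventID": 1102},  # lone log clear
]


def _cmd_matches(event, pattern):
    """True if the record's command line (if any) matches the regex."""
    return bool(re.search(pattern, event.get("CommandLine", "")))


# Stages in the article's order of increasing severity. The patterns are
# assumptions about how such activity commonly appears in process-creation
# logs; the article does not say which mechanism KillDisk uses internally.
# The raw-sector overwrite has no command-line footprint, and by then the
# host may no longer be logging at all, which is why the earlier stages matter.
STAGES = [
    ("event-log-cleared",
     lambda e: e.get("EventID") == 1102),
    ("shadow-copies-deleted",
     lambda e: _cmd_matches(e, r"(?i)\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)")),
    ("volume-formatted",
     lambda e: _cmd_matches(e, r"(?i)(^|[\\\s])format(\.com)?\s+[a-z]:")),
]
SEVERITY = {name: rank for rank, (name, _) in enumerate(STAGES)}


def classify(event):
    """Return the wiper stage an event indicates, or None."""
    for name, test in STAGES:
        if test(event):
            return name
    return None


def find_wiper_hosts(events, window=timedelta(minutes=10), min_stages=2):
    """Per host, find the largest set of distinct stages seen within any
    `window`-wide span and report hosts with at least `min_stages` of them.
    Returns {host: [stages]} with stages in ascending severity. A single
    1102 on its own is still worth a look; pass min_stages=1 to see those."""
    hits = defaultdict(list)
    for e in events:
        stage = classify(e)
        if stage:
            hits[e["host"]].append((datetime.fromisoformat(e["ts"]), stage))
    result = {}
    for host, seq in hits.items():
        seq.sort()
        best = set()
        for i, (t0, _) in enumerate(seq):
            seen = {s for t, s in seq[i:] if t - t0 <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_stages:
            result[host] = sorted(best, key=SEVERITY.get)
    return result


if __name__ == "__main__":
    for host, stages in find_wiper_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")
```

Correlating across stages is what keeps the noise down: an administrator clearing a log or a technician formatting a spare volume each trip one rule, but a control-centre workstation that clears its log, deletes its shadow copies and formats a volume within a few minutes is the sequence the article describes.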
How to ward off this kind of attack
Use email filtering to remove risky attachments as early as possible in the delivery chain.
Treat unsolicited attachments with great caution.
Don’t enable Excel or Word macros just because an emailed document tells you to. Doing so is equivalent to downloading and running a program, and clicking through all the warnings, just because an unknown person told you to.
Consider using Microsoft’s dedicated Word and Excel viewer programs to look at email attachments. Most documents will display just fine, but embedded macros aren’t supported and thus cannot run. (Microsoft has since retired the standalone viewers; in current Office versions, Protected View serves the same purpose by opening untrusted documents read-only with active content, including macros, disabled.)
Use the most recent Windows version you can for added protection against tricks such as physical disk wiping.
Use web filtering to limit the ability of unknown software to download and install new content, and to block “call home” requests that are likely to be associated with zombie malware.
Make sure your anti-virus software is up-to-date and that its active protection is turned on (on-access or real-time scanning), so that you can not only detect the presence of malware, but also block it from running in the first place.
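Taken together, the first three tips amount to deciding what an attachment really is before a user ever sees it. The following is an added example, not code from the article or from Sophos, of the check a mail gateway could run: it looks inside the attachment rather than trusting the file name, because a modern Office document is a zip container in which macros live in a vbaProject.bin part declared in [Content_Types].xml, while legacy binary .doc/.xls files are OLE containers that need a dedicated parser to inspect. The sample attachments are built in memory and their names are constructed; the action policy is an assumption for the example.

```python
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy binary .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.xlsx/.xlsm ...) is a zip
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_attachment(data):
    """Classify attachment bytes by what the container holds, not by its name.

    Returns 'macro' (OOXML with an embedded VBA project), 'clean' (OOXML without
    one), 'legacy-binary' (OLE file: any macros sit inside OLE streams, which
    needs an OLE parser such as olefile/oletools to inspect) or 'unknown'.
    """
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                parts = z.namelist()
                # Either signal is enough: the VBA part itself, or its declared type.
                if any(p.lower().endswith("vbaproject.bin") for p in parts):
                    return "macro"
                if "[Content_Types].xml" not in parts:
                    return "unknown"          # a zip, but not an Office document
                if VBA_CONTENT_TYPE in z.read("[Content_Types].xml"):
                    return "macro"
                return "clean"
        except zipfile.BadZipFile:
            return "unknown"
    if data.startswith(OLE_MAGIC):
        return "legacy-binary"
    return "unknown"


# Assumed gateway policy: 'strip' removes the attachment before delivery,
# 'hold' parks it for a deeper scan, 'deliver' passes it through. Other file
# types are left to whatever other filtering the gateway applies.
ACTIONS = {"macro": "strip", "legacy-binary": "hold", "clean": "deliver", "unknown": "deliver"}


def triage(attachments):
    """Map {filename: bytes} to {filename: (verdict, action)}."""
    out = {}
    for name, data in attachments.items():
        verdict = classify_attachment(data)
        out[name] = (verdict, ACTIONS[verdict])
    return out


def build_ooxml(with_vba):
    """Construct a minimal OOXML workbook in memory (test fixture, not a real file)."""
    types = ('<Override PartName="/xl/workbook.xml" '
             'ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if with_vba:
            types += ('<Override PartName="/xl/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
            z.writestr("xl/vbaProject.bin", b"\x01\x16\x00\x00")  # placeholder, not real VBA
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   + types + "</Types>")
        z.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


# Constructed sample mailbox. One name is deliberately misleading: the
# extension says plain workbook, the container says macro.
SAMPLE_ATTACHMENTS = {
    "report.xlsx": build_ooxml(with_vba=False),
    "invoice.xlsm": build_ooxml(with_vba=True),
    "invoice.xlsx": build_ooxml(with_vba=True),
    "old-budget.xls": OLE_MAGIC + b"\x00" * 24,   # OLE header only; stands in for a legacy file
    "notes.txt": b"plain text",
}


if __name__ == "__main__":
    for name, (verdict, action) in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:16} {verdict:14} -> {action}")
```

The point of the third sample is that the file name is under the sender's control and the container is not; a filter that keys on ".xlsm" alone would have delivered it.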
Ukraine power outages blamed on malware infection: the lessons to learn
Paul Ducklin of Sophos considers the recent cyber attack on the Ukrainian power grid and offers some tips on how organisations can protect themselves against similar breaches.
Paul Ducklin
IFSEC Insider | Security and Fire News and Resources