January 16, 2017


Whitepaper: Enhancing security, resilience and efficiency across a range of industries

Critical national infrastructure

Ukraine power outages blamed on malware infection: the lessons to learn

You may have read news stories over the New Year’s break about hackers causing power outages in Ukraine, using malware as their primary toolkit for attack.

Ars Technica went as far as to lead with the headline: “First known hacker-caused power outage signals troubling escalation.”

(You may have to read that headine several times: you need to parse signals as a verb, not a noun; and troubling as an adjective, not a verb.)

The article was perhaps a little more circumspect, suggesting that “if confirmed it would be the first known instance of someone using malware to generate a power outage,” but the story is worth learning from nevertheless.

Whether the malware was the cause of an outage, or merely a symptom of a more general security problem, isn’t clear.

The story goes roughly like this:

  • Company X receives an Excel file via mail. The file contains macros, which don’t run by default, but if the recipient clicks to allow them, the macros install malware from a family called BlackEnergy.
  • BlackEnergy is what is known as a bot or zombie, which calls home to receive instructions from the remote attackers. (The malware name predates any connection with the energy industry.)
  • The attackers can then install various additional malware items, such as a data-trashing Trojan called KillDisk, and a hacked copy of the DropBear SSH server that has backdoor “master passwords” programmed into it.

power lines electricity utilities

According to security firm ESET, this malware cocktail, or parts of it, appeared at various Ukraine energy companies in December 2015.

And one Ukrainian power company, Prykarpattya Regional Energy, did blame recent local power outages on remote hackers using malware.

What actually happened can only be guessed at, of course, but if you were to end up with a raft of infected Windows computers inside your electricity distribution control centre, and those computers could be used to manage load and control power connections in your local area…

…then an attacker who could login remotely (because he knew the secret password for a remote access Trojan you didn’t realise was installed), run commands of his choice, and then zap data on your computers to the point that they would crash and not reboot (because he could run a disk-killing Trojan from afar) would cause considerable disruption.

If he were to turn off power to a region, or a suburb, or even an individual property, that would cause an outage.

If you tried to turn the power connections back on but found you couldn’t do so until after IT had rushed around reimaging the broken computers in your control centre, that might make the outage last hours rather than minutes.

As it happens, the KillDisk Trojan that ESET says was found along with the BlackEnergy malware in Ukraine, is well-equipped to leave your computer a digital mess.

KillDisk includes numerous different data-wiping components, presumably with the intention that if the more serious ones don’t work because your security settings are strict enough, you may nevertheless end up in trouble.

In increasing order of severity, KillDisk has code for each of these:

  • Wipe out the Windows event log.
  • Delete all Windows Shadow Copy backup files.
  • Reinitialise logical volumes with the FORMAT command, as you might when reinstalling your operating system.
  • Overwrite all physical sectors (including boot sector, operating system files, swap files, applications and data) on up to 10 hard disks.

The last item really lives up to the name KillDisk, but any of the others are likely to cause significant trouble for you and your IT department, and would put a very serious dent in your day.

How to ward off ransomware

  • Use email filtering to remove risky attachments as early as possible in the delivery chain.
  • Treat unsolicited attachments with great caution.
  • Don’t enable Excel or Word macros just because an emailed document tells you to. Doing so is equivalent to downloading and running a program, and clicking through all the warnings, just because an unknown person told you to.
  • Consider using Microsoft’s dedicated Word and Excel viewer programs to look at email attachments. Most documents will display just fine, but embedded macros aren’t supported and thus cannot run.
  • Use the most recent Windows version you can for added protection against tricks such as physical disk wiping.
  • Use web filtering to limit the ability of unknown software to download and install new content, and to block “call home” requests that are likely to be associated with zombie malware.
  • Make sure your anti-virus software is up-to-date and that its active protection is turned on (on-access or real-time scanning), so that you can not only detect the presence of malware, but also block it from running in the first place.

This article was originally published on the Naked Security blog by Sophos. Sophos researcher James Lyne has also demonstrated how to hack a security camera in a video we published on IFSEC Global. 

IFSEC International 2017 (20-22 June, ExCeL London) is set to debut Borders and Infrastructure Expo. Find out more about this new “show within a show” dedicated to the protection of borders and critical national infrastructure and click here to book your free pass

Listen to the IFSEC Insider podcast!

Each month, the IFSEC Insider (formerly IFSEC Global) Security in Focus podcast brings you conversations with leading figures in the physical security industry. Covering everything from risk management principles and building a security culture, to the key trends ahead in tech and initiatives on diversity and inclusivity, the podcast keeps security professionals up to date with the latest hot topics in the sector.

Available online, and on Spotify, Apple Podcasts and Google Podcasts, tune in for an easy way to remain up to date on the issues affecting your role.


Related Topics

Notify of
Inline Feedbacks
View all comments