The Ukraine Power Grid Hack: A Profile in Cyber Kill Chains

IT security today is not just about what could, in theory, happen. It’s also a study of what has in fact happened, and could easily happen again, unless analysis and improvement prevents it.

One recent example comes from the Ukraine. In the third week of December 2015, three different energy companies were simultaneously compromised and their services shut down, for several hours—leaving almost a quarter million people without electricity. It was a highly sophisticated, subtle and multifaceted attack launched with extensive preparation and planning; a bold demonstration of just how devastating cyber attacks can be.

Also notable is just how closely the Ukraine attack conforms to the general description of a sophisticated attack on industrial command systems (ICSs), published earlier in 2015 by the SANS Institute. SANS focuses on cybersecurity and regularly publishes guidelines and best practices that can be remarkably helpful to those looking to learn from the security shortfalls of others.

An important underlying concept drawn from SANS’s description is the “cyber kill chain.” This is a two-stage, abstract sequence of events by which hackers could (and as it turns out, very soon did) gain control of critical facilities or systems.

Kill Chain Analysis Drives Cybersecurity Improvement

By walking through the kill chain, and observing how it correlates to the Ukraine attack, organizations can glean clear areas of potential improvement.

Stage One: Intrusion and reconnaissance

This preliminary stage focuses largely on gaining the access information required to fulfill the goals of the hacker — most often a security breach as a precursor to an attack.

In the case of the Ukraine hack, this stage happened via hacker analysis of potential targets. The energy companies were chosen because of the significance of their services and their degree of automation. The next step involved targeting engineers at the chosen utility companies with spear-phishing emails. These included carefully prepared Word documents with embedded macros that once activated, gave malware the power to infect local systems.

Subsequently, the hackers spent months carefully mapping out network hosts and capabilities, and in particular, obtaining access credentials to key systems.

Stage Two: ICS attack

In stage two, the opportunities discovered in stage one are aggressively leveraged. How did that play out in the Ukraine case?

  • Malicious firmware was installed and system boot records erased to prevent employees from quickly regaining control over compromised systems
  • A denial of service attack was launched to prevent the help desk from discovering this issue via normal user reports over the phone
  • SCADA systems were then manipulated to open breakers and thus cut off electrical service

Consequences of Attack Harmful to Public Safety and Business

The results of this attack? Around 225,000 people left without heat in the dead of winter. They were also, for the energy companies involved, extraordinarily bad for business by any metric.

And while basic service was restored within a few hours, full capabilities were still not available months later. Breakers still had to be opened or closed manually, rather than automatically via digital policies.

Break the Chain

There are many options to help shelter your organization against such complex and formidable attacks. Our Fortinet experts can help you assess where your infrastructure is most vulnerable, create a strategy to segment your network for the protection of your most valuable assets, and execute the strategy with advanced cybersecurity solutions.