Failure to Secure Privileged Accounts Means “Lights Out”

As more details about the attack on the Ukrainian power grid are published, it becomes clearer that this was one of the more sophisticated cyber-attacks in recent years and the first critical infrastructure attack to actually cause physical ramifications (resulting in a blackout for approximately 230,000 people).

The Ukrainian electric grid operators used strong cyber defenses in their power management networks, including firewalls and system logging controls. But as in many other attacks, the attackers were able to penetrate the network and cause serious damage by taking control of privileged account credentials.

A newly published post-mortem analysis from SANS, in conjunction with the North American Electric Reliability Corporation (NERC)’s E-ISAC, confirms that the attack started as a spear-phishing attack that penetrated the corporate network and enabled the attackers to harvest user credentials. The stolen credentials included credentials for the VPN service that grants remote access into the ICS/SCADA network.

The use of stolen credentials to remotely access critical ICS assets is the most common threat to power grids. This is exactly what the attackers were able to do. After using the VPN credentials, the attackers were able to access other critical systems and went as far as logging out the operators in the control center, effectively taking control of the company’s power substations.

The sophistication of the attack is evident from the multiple systems that were targeted and penetrated in the Ukrainian power grid. This takes a well-coordinated plan, as well as a thorough understanding of the network architecture. With the stolen privileged credentials, the attackers were able to gain this understanding by conducting reconnaissance on the network undetected for more than 6 months. They used this time to learn how to disable critical ICS operator workstations, preventing the operators from intervening and initiating contingency procedures.

Some of the steps taken in this attack include:

  • Disabling primary and back-up power (UPS) to the control system, causing the control center to lose power.
  • Rewriting the firmware on the serial-to-Ethernet converters in the substations, preventing the control center from accessing them remotely.
  • Launching a telephone denial-of-service attack against the customer call centers, preventing the call center from receiving real reports on the blackout.
  • Using malware named KillDisk to wipe files from the control center computers, causing the computers to crash. This left the control center incapable of starting up and quickly recovering from the attack.

This Dark Reading article delves into the new SANS analysis on how the attackers successfully took control of the industrial control systems across three regional power firms and successfully shut off the lights, and also explores some key lessons learned from the attack. It’s worth a read. And for additional reading and resources on mitigating cyber security risk and protecting the grid, I encourage you to check out the following blog posts: