The United States Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has confirmed that ‘cyber intrusions’ caused a series of Ukraine power outages late last year.In a statement published on Thursday, the team provides an overview of what it learned from an investigation into an incident that occurred on December 23, 2015.“Through interviews with impacted entities, the team learned that power outages were caused by remote cyber intrusions at three regional electric power distribution companies (Oblenergos) impacting approximately 225,000 customers,” the statement reads. “While power has been restored, all the impacted Oblenergos continue to run under constrained operations. In addition, three other organizations, some from other critical infrastructure sectors, were also intruded upon but did not experience operational impacts.”ICS-CERT goes on to explain that those responsible for the intrusions likely acquired legitimate credentials prior to the attacks, citing spear-phishing emails laced with BlackEnergy malware as a possible initial access vector. The bad actors in turn leveraged those credentials for malicious remote operation of the breakers, which caused the outages. At the conclusion of the targeted attacks, the threat actors wiped some of the systems with KillDisk malware.
The investigation was conducted by an interagency team consisting of representatives from the National Cybersecurity and Communications Integration Center (NCCIC)/ICS-CERT, U.S. Computer Emergency Readiness Team (U.S.-CERT), Department of Energy, Federal Bureau of Investigation, and the North American Electric Reliability Corporation.ICS-CERT’s statement concludes with a few mitigation strategies for companies. These include application whitelisting, adhering to security best practices, and isolating ICS networks from untrusted networks.The security industry has been waiting for the U.S. government to comment on the power outages since the attacks first became public back in December.Some voices in the field, such as Robert M. Lee, chief executive at Dragos Security, are not impressed with ICS-CERT’s response:The @SANSICS delayed our analysis and Ukraine report for the government to say something meaningful. They didn’t. Lesson learned.— Robert M. Lee (@RobertMLee) February 25, 2016In a response post announcing the SANS Industrial Control Systems team’s forthcoming report on the outages, Lee criticizes the government for failing to refer to technical evidence that helps to explain what happened in the attacks. He points to the hesitation of ICS-CERT to discuss BlackEnergy in particular despite researchers having known about the malware’s involvement for months.The security expert is also critical of the mitigations the U.S. government puts forth in its statement:“The focus on application whitelisting and patching infrastructure is misplaced,” he observes. “These are good starting places. However, nothing listed in the ICS-CERT report would have stopped the attack. The threat was a focused and persistent human threat that took months to learn their target and attack it with highly professional logistics and operational planning. They did and would have further adapted to whatever passive defenses that were placed in their way. Recommendations around limited VPN access, two form authentication, patching, etc. are really good places to start. They help build a defensible ICS. They buy defenders time and visibility. But they do not make the ICS defended.”Stop babying the community. ICS asset owners and operators, you are a target. You can’t change that. But you can defend – defense is doable— Robert M. Lee (@RobertMLee) February 25, 2016Lee recommends instead that organizations invest in creating “empowered and trained human defenders” who can together create, maintain, and enhance a defensible ICS environment.