![](https://static.wixstatic.com/media/5fb032_d9c3ed08822944e5beebd7963588c3da~mv2.jpg/v1/fill/w_980,h_980,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/5fb032_d9c3ed08822944e5beebd7963588c3da~mv2.jpg)
BlackEnergy: Lights Out in Ukraine
On December 23, 2015, a coordinated cyber attack cut power to roughly 225,000 customers in Ukraine for between one and six hours. The attackers hit three regional electricity distribution companies at the same time, in what remains the first publicly confirmed cyber attack to cause a power outage. The intrusion was built on the BlackEnergy malware family and is widely attributed to Sandworm, a Russian state-linked Advanced Persistent Threat (APT) group, as part of the conflict between Russia and Ukraine that began in 2014. The event demonstrated that a cyber attack could produce physical effects and disrupt critical infrastructure serving civilians.
How BlackEnergy Operated
![](https://static.wixstatic.com/media/5fb032_535d56393f0b4336a8d0b41df2986433~mv2.png/v1/fill/w_980,h_424,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/5fb032_535d56393f0b4336a8d0b41df2986433~mv2.png)
The attack began months earlier with spear-phishing emails sent to staff at the distribution companies. The emails carried Microsoft Word and Excel attachments with embedded VBA macros; a decoy prompt asked the recipient to enable macros, and doing so installed BlackEnergy on the workstation. BlackEnergy is a modular malware platform that was never built specifically for SCADA (Supervisory Control and Data Acquisition) environments, and it did not need to be: it gave the attackers a foothold on ordinary Windows hosts in the corporate network, from which they harvested credentials, mapped the environment and reached the operations network. Using the companies' own remote-access paths (VPN connections and remote administration tools protected by passwords alone, without a second factor), they took control of the SCADA workstations and human-machine interfaces and opened breakers at some 30 substations, cutting power to the customers downstream.
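The initial vector above is a macro-bearing Office attachment. The following is an added example, not code from the original article, of a mail-gateway style check that decides by file content rather than by extension whether an attachment can carry macros. OOXML files (.docx/.xlsx/.pptx and the macro-enabled .docm/.xlsm/.pptm) are ZIP containers in which a VBA project is a vbaProject.bin part declared in [Content_Types].xml; legacy binary .doc/.xls/.ppt files are OLE2 compound files and are held for deeper inspection because OLE2 parsing is out of scope here. The sample documents and the quarantine policy are constructed for illustration and contain no real VBA.

```python
"""Flag e-mail attachments that can carry Office macros, by content rather than extension.

Added example, not code from the original article. All sample documents are
constructed in memory as test fixtures; the policy thresholds are assumptions.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .doc/.xls/.ppt header
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"  # OOXML content type of a VBA project
OFFICE_EXTENSIONS = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".pptm")


def classify_attachment(data: bytes) -> str:
    """Return 'ole2-binary', 'ooxml-macro', 'ooxml-clean' or 'not-office'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-binary"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                return "not-office"
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            # Check both the part itself and its declaration: either alone is enough to flag.
            has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
            declares_vba = VBA_CONTENT_TYPE in content_types
            return "ooxml-macro" if (has_vba_part or declares_vba) else "ooxml-clean"
    except zipfile.BadZipFile:
        return "not-office"


def attachment_policy(filename: str, data: bytes):
    """Decide (verdict, quarantine, reason) for one attachment. The policy is an assumption."""
    verdict = classify_attachment(data)
    lower = filename.lower()
    if verdict == "ooxml-macro":
        # A VBA project inside a file named .docx/.xlsx/.pptx is a mismatch worth calling out.
        mismatch = lower.endswith((".docx", ".xlsx", ".pptx"))
        reason = "VBA project present" + (" (extension hides macro-enabled format)" if mismatch else "")
        return verdict, True, reason
    if verdict == "ole2-binary":
        return verdict, True, "legacy binary Office file; needs OLE2 macro inspection (e.g. olevba)"
    if verdict == "not-office" and lower.endswith(OFFICE_EXTENSIONS):
        return verdict, True, "Office extension but not an Office container"
    return verdict, False, "no macro indicators"


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal Word OOXML package (test fixture, not a real document)."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
                 else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder bytes, no VBA inside
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    f"{overrides}</Types>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "invoice.docm": build_ooxml(True),
        "invoice.docx": build_ooxml(True),           # macro-enabled file renamed to look clean
        "memo.docx": build_ooxml(False),
        "report.xls": OLE2_MAGIC + b"\x00" * 504,    # header only; stands in for a legacy workbook
        "notes.txt": b"plain text",
    }
    for name, blob in samples.items():
        print(name, attachment_policy(name, blob))
```

The check deliberately ignores the extension when classifying, because Office opens files by their content; the extension is only used afterwards to report a mismatch and to catch non-Office data wearing an Office name. Legacy binary documents are quarantined rather than cleared because this code cannot see inside them; in production that branch hands off to an OLE2-aware parser.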
To prolong the outage, the attackers deployed additional tactics. They overwrote the firmware of serial-to-Ethernet converters at the substations so that breakers could no longer be commanded remotely, and they ran the KillDisk wiper on operator workstations and servers, destroying the HMIs and the systems needed for recovery. Utility staff had to drive to the substations and close breakers by hand, a process that took hours, and the companies ran in manual mode for months afterwards. In parallel, a telephony denial-of-service attack flooded the companies' customer service lines with thousands of calls, so customers could not report outages and operators lost an important channel for gauging the extent of the damage.
This unprecedented cyber attack underscored vulnerabilities in industrial control systems and exposed the real-world impact of cyber warfare on civilian infrastructure.
NotPetya: The Devastating Supply Chain Attack
Another significant cyber attack targeting Ukraine, NotPetya, struck on June 27, 2017. The malware was dressed up as ransomware, complete with a note demanding $300 in Bitcoin, but the "installation key" it displayed to victims was random data, so no payment could ever lead to decryption; its true aim was destruction, not financial gain. It spread far beyond Ukraine's borders within hours, causing damage estimated at around $10 billion worldwide, including losses in the hundreds of millions of dollars each for Maersk and for FedEx through its TNT Express subsidiary.
NotPetya’s Mechanism and Impact
![](https://static.wixstatic.com/media/5fb032_83c6aad733674b66b68613c24a3760dd~mv2.png/v1/fill/w_980,h_417,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/5fb032_83c6aad733674b66b68613c24a3760dd~mv2.png)
NotPetya reached its first victims through a software supply chain compromise. The attackers broke into the update infrastructure of Linkos Group, the Ukrainian developer of M.E.Doc, a tax-accounting package used by most businesses that file taxes in Ukraine, and pushed several backdoored updates to its customers over the preceding months. The final update delivered NotPetya itself. Because it arrived through a trusted, routinely installed channel, the malware appeared simultaneously as "patient zero" in thousands of corporate networks, including the Ukrainian offices of multinational companies.
Once running on a host, NotPetya worked through its stages in a fixed order, spreading first and destroying last:
Credential Dumping: A component derived from Mimikatz extracted credentials from the memory of the Local Security Authority Subsystem Service (LSASS), so any account that had logged on to the infected machine, including domain administrators, could be reused against other hosts in the corporate network.
Propagation: Against unpatched systems, NotPetya used the EternalBlue and EternalRomance exploits for the SMBv1 vulnerabilities fixed in MS17-010, reaching them over TCP ports 139 and 445; targets were found by scanning the local subnet and reading the host's ARP table. Against patched systems it used the stolen credentials instead, executing its DLL remotely with a renamed copy of PsExec and with WMIC ("process call create"), so even hosts with up-to-date security patches were infected wherever credentials were shared or over-privileged.
Destructive Payload: After spreading, the malware scheduled a reboot 10 to 60 minutes later. It had already encrypted files with AES and replaced the Master Boot Record (MBR) with its own bootloader, which on reboot encrypted the NTFS Master File Table with Salsa20 behind a fake CHKDSK progress screen and then displayed the ransom note. Because the key material shown to victims was random, nothing could be restored: the machine was effectively wiped.
Why BlackEnergy and NotPetya Were So Significant
Both BlackEnergy and NotPetya serve as critical examples of how cyber warfare has evolved to target national infrastructure and private sector supply chains. BlackEnergy was the first attack to cause a power outage through cyber means, while NotPetya showed how a trusted update channel could deliver a self-propagating wiper to thousands of organizations at once, with collateral damage far outside the intended target. Together, they highlight weaknesses in critical infrastructure and in software supply chains that attackers can exploit for effects reaching well beyond national borders.
Lessons Learned and Ongoing Risks
Industrial Control System (ICS) Security: The BlackEnergy attack showed how an operations network reachable from a phished corporate network, over remote access protected by passwords alone, can be driven by an intruder exactly as an operator would drive it. Segmentation between IT and control networks, multi-factor authentication on every remote path into the control environment, and monitoring of operator actions at the HMI are the direct lessons.
Supply Chain Vulnerabilities: NotPetya showed that a compromised update runs with the trust and privileges of the legitimate software on every machine that installs it, in every company and country that uses it. Signing and verifying updates raises the bar, but it does not help when the vendor's own build or update servers are the point of compromise, so an inventory of auto-updating software, least privilege for the accounts it runs under, and network segmentation that limits what a compromised host can reach remain essential.
Preparedness and Response: Both incidents reward the basics: backups kept offline or otherwise isolated (Maersk rebuilt its Active Directory from a single domain controller in Ghana that happened to be offline during the outbreak), prompt patching (MS17-010 had been available for more than three months), disabling SMBv1, avoiding shared local administrator passwords and domain-admin logons to workstations, and exercised incident response plans that still work when e-mail, phones and workstations are gone.
Conclusion
In a world where digital and physical infrastructures are deeply interconnected, the lessons from BlackEnergy and NotPetya continue to resonate, reminding us of the critical importance of vigilance, resilience, and innovation in the face of evolving cyber threats.
Akash Patel