A hacker army has systematically undermined practically every sector of Ukraine: media, finance, transportation, military, politics, energy. Wave after wave of intrusions have deleted data, destroyed computers, and in some cases paralyzed organizations’ most basic functions. “You can’t really find a space in Ukraine where there hasn’t been an attack,” says Kenneth Geers, a NATO ambassador who focuses on cybersecurity.
But many global cybersecurity analysts have a much larger theory about the endgame of Ukraine’s hacking epidemic: They believe Russia is using the country as a cyberwar testing ground—a laboratory for perfecting new forms of global online combat.
[..] The infection had triggered the same boot-record overwrite technique to brick the machines just as staffers were working to prepare a morning TV news bulletin ahead of the country’s local elections.
[B]y December 2015, BlackEnergy and KillDisk were also lodged inside the computer systems of at least three major Ukrainian power companies, lying in wait. [T]hey pulled up maps of Ukraine and a chart of its power grid. The three power companies’ substations that had been hit were in different regions of the country, hundreds of miles from one another and unconnected. “This was not a squirrel,” Lee concluded with a dark thrill. [T]he intrusion had started with a phishing email impersonating a message from the Ukrainian parliament. A malicious Word attachment had silently run a script on the victims’ machines, planting the BlackEnergy infection. From that foothold, it appeared, the hackers had spread through the power companies’ networks and eventually compromised a VPN the companies had used for remote access to their network—including the highly specialized industrial control software that gives operators remote command over equipment like circuit breakers.
In 2014 the security firm FireEye had issued warnings about a team of hackers that was planting BlackEnergy malware on targets that included Polish energy firms and Ukrainian government agencies; the group seemed to be developing methods to target the specialized computer architectures that are used for remotely managing physical industrial equipment. Earlier in 2014, the US government reported that hackers had planted BlackEnergy on the networks of American power and water utilities. It looked like the same group that had just snuffed out the lights for nearly a quarter-million Ukrainians had not long ago infected the computers of American electric utilities with the very same malware. The Ukraine attack represented something more than a faraway foreign case study. “An adversary that had already targeted American energy utilities had crossed the line and taken down a power grid,” Lee says.
Kyivoblenergo employees had watched helplessly as circuit after circuit was opened in dozens of substations across a Massachusetts-sized region, seemingly commanded by computers on their network that they couldn’t see. In fact, Kyivoblenergo’s engineers determined that the attackers had set up their own perfectly configured copy of the control software on a PC in a faraway facility and then had used that rogue clone to send the commands that cut the power. Once the circuit breakers were open and the power for tens of thousands of Ukrainians had gone dead, the hackers launched another phase of the attack. They’d overwritten the firmware of the substations’ serial-to-ethernet converters—tiny boxes in the stations’ server closets that translated internet protocols to communicate with older equipment. By rewriting the obscure code of those chunks of hardware—a trick that likely took weeks to devise—the hackers had permanently bricked the devices, shutting out the legitimate operators from further digital control of the breakers.
The hackers also left one of their usual calling cards, running KillDisk to destroy a handful of the company’s PCs. But the most vicious element of the attack struck the control stations’ battery backups. When the electricity was cut to the region, the stations themselves also lost power, throwing them into darkness in the midst of their crisis. With utmost precision, the hackers had engineered a blackout within a blackout.
He ticks off the list of casualties: Ukraine’s pension fund, the country’s treasury, its seaport authority, its ministries of infrastructure, defense, and finance. The hackers again hit Ukraine’s railway company, this time knocking out its online booking system for days, right in the midst of the holiday travel season. As in 2015, most of the attacks culminated with a KillDisk-style detonation on the target’s hard drive. In the case of the finance ministry, the logic bomb deleted terabytes of data, just as the ministry was preparing its budget for the next year.
The three tank-sized transformers arrayed alongside the building, responsible for about a fifth of the capital’s electrical capacity, had gone entirely silent. Until then Zaychenko had been mechanically ticking through an emergency mental checklist. As he ran past the paralyzed machines, the thought entered his mind for the first time: The hackers had struck again.
This time the attack had moved up the circulatory system of Ukraine’s grid. Instead of taking down the distribution stations that branch off into capillaries of power lines, the saboteurs had hit an artery. That single Kiev transmission station carried 200 megawatts, more total electric load than all the 50-plus distribution stations knocked out in the 2015 attack combined. Luckily, the system was down for just an hour—hardly long enough for pipes to start freezing or locals to start panicking—before Ukrenergo’s engineers began manually closing circuits and bringing everything back online.
And CrashOverride isn’t just a one-off tool, tailored only to Ukrenergo’s grid. It’s a reusable and highly adaptable weapon of electric utility disruption, researchers say. Within the malware’s modular structure, Ukrenergo’s control system protocols could easily be swapped out and replaced with ones used in other parts of Europe or the US instead.
In 2007 a team of researchers at Idaho National Lab, one that included Mike Assante, demonstrated that it’s possible to hack electrical infrastructure to death: The so-called Aurora experiment used nothing but digital commands to permanently wreck a 2.25-megawatt diesel generator. In a video of the experiment, a machine the size of a living room coughs and belches black and white smoke in its death throes. Such a generator is not all that different from the equipment that sends hundreds of megawatts to US consumers; with the right exploit, it’s possible that someone could permanently disable power-generation equipment or the massive, difficult-to-replace transformers that serve as the backbone of our transmission system. “Washington, DC? A nation-state could take it out for two months without much issue,” Lee says. . “If they did that in multiple places, you could have up to a month of outages across an entire region,” he says. “Tell me what doesn’t change dramatically when key cities across half of the US don’t have power for a month.”
Yasinsky says he has tried to maintain a dispassionate perspective on the intruders who are ransacking his country. But when the blackout extended to his own home four months ago, it was “like being robbed,” he tells me. “It was a kind of violation, a moment when you realize your own private space is just an illusion.” The attacks, Yasinsky has noticed, have settled into a seasonal cycle: During the first months of the year, the hackers lay their groundwork, silently penetrating targets and spreading their foothold. At the end of the year, they unleash their payload. Yasinsky knows by now that even as he’s analyzing last year’s power grid attack, the seeds are already being sown for 2017’s December surprises.
But in the grand scheme, he thinks that what Ukraine has faced for the past three years may have been just a series of practice tests. He sums up the attackers’ intentions until now in a single Russian word: poligon. A training ground. Even in their most damaging attacks, Yasinsky observes, the hackers could have gone further. They could have destroyed not just the Ministry of Finance’s stored data but its backups too. They probably could have knocked out Ukrenergo’s transmission station for longer or caused permanent, physical harm to the grid, he says—a restraint that American analysts like Assante and Lee have also noted. “They’re still playing with us,” Yasinsky says. Each time, the hackers retreated before accomplishing the maximum possible damage, as if reserving their true capabilities for some future operation.
What will that next step look like? In the dim back room at ISSP’s lab in Kiev, Yasinsky admits he doesn’t know. Perhaps another blackout. Or maybe a targeted attack on a water facility. “Use your imagination,” he suggests drily.
Behind him the fading afternoon light glows through the blinds, rendering his face a dark silhouette. “Cyberspace is not a target in itself,” Yasinsky says. “It’s a medium.” And that medium connects, in every direction, to the machinery of civilization itself.
https://www.wired.com/story/russian-hackers-attack-ukraine/