Ivano-Frankivsk was supposed to be far from the Russian front. The city and province of the same name are on the far western side of Ukraine, away from the Russian-backed breakaway province of Donetsk in the east. Donetsk has seen almost two years of fighting from stalemated trenches. Yet last month, it was Ivano-Frankivsk that appears to have suffered a new kind of attack: malware, planted by hackers in several power stations, left hundreds of thousands without electricity in subzero conditions. Cyberwar, it seems, is an attack best served cold.
From Ars Technica:
According to [researchers from antivirus provider] ESET, the Ukrainian power authorities were infected using booby-trapped macro functions embedded in Microsoft Office documents. If true, it's distressing that industrial control systems used to supply power to millions of people could be infected using such a simple social-engineering ploy. It's also concerning that malware is now being used to create power failures that can have life-and-death consequences for large numbers of people.
The health hazards of power outages in winter are well documented. In a study on ice storm impacts over time, David A. Call of Ball State University wrote “Power outages also cause secondary effects, such as carbon monoxide poisoning and fire, and they can force people to leave their homes because of a lack of heat.” The power outage in Ivano-Frankivsk was fortunately only a few hours long, but it’s distressing that a hostile attack could shut off the power at all.
First, the power systems were likely compromised by spear-phishing: targeted emails, combined with social engineering, that get someone inside a network to download something harmful. Previously, spear-phishing attacks have stolen information from the Pentagon and damaged a steel mill in Germany. Here’s how researchers at the security firm ESET described the attack in a blog post:
The attack scenario is simple: the target gets a spear-phishing email that contains an attachment with a malicious document. The Ukrainian security company CyS Centrum published two screenshots of emails used in BlackEnergy campaigns, where the attackers spoofed the sender address to appear to be one belonging to Rada (the Ukrainian parliament). The document itself contains text trying to convince the victim to run the macro in the document. This is an example where social engineering is used instead of exploiting software vulnerabilities. If victims are successfully tricked, they end up infected with BlackEnergy Lite.
Once inside the network, the malware either shut down parts of the power station’s infrastructure itself or gave the attackers remote access, with the controls needed to shut it down.
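As an added defender-side illustration of the delivery mechanism described above (this is not code from the article or from ESET), here is a mail-gateway triage check in Python: it flags Office attachments that carry an embedded VBA project and a visible From: domain that does not match the envelope sender, the two ingredients of the macro-and-spoofed-sender lure. The sender domains and the attachment are constructed placeholders.

```python
import io
import zipfile
from email import utils
from email.message import EmailMessage

# OOXML (.docm, .xlsm, .pptm) stores an embedded VBA project under this part name.
VBA_PART = "vbaproject.bin"

def has_vba_macro(blob: bytes) -> bool:
    """True if a zip-based Office document embeds a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(n.rsplit("/", 1)[-1].lower() == VBA_PART for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # legacy OLE2 .doc or non-Office data: outside this check's scope

def domain_of(header_value) -> str:
    """Lower-cased domain of the first address in a header value ('' if absent)."""
    return utils.parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def triage(msg: EmailMessage) -> dict:
    """Gateway-style verdict: macro-bearing attachments plus a From/Return-Path domain mismatch."""
    macro_files = [part.get_filename() or "<unnamed>"
                   for part in msg.iter_attachments()
                   if has_vba_macro(part.get_payload(decode=True) or b"")]
    mismatch = domain_of(msg["From"]) != domain_of(msg["Return-Path"])
    return {"macro_attachments": macro_files,
            "sender_mismatch": mismatch,
            "quarantine": bool(macro_files) and mismatch}

def build_sample() -> EmailMessage:
    """Constructed sample: a .docm with a VBA part, From: spoofed to a parliament-style domain."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # stub, enough for this check
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed VBA stub")
    msg = EmailMessage()
    msg["From"] = "press@rada.example"              # placeholder spoofed parliament address
    msg["Return-Path"] = "<bounce@mailer.example>"  # envelope sender shows the real origin
    msg.set_content("Please enable content to read this notice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="notice.docm")
    return msg
```

A real gateway would pair this with a policy that strips or sandboxes macro-enabled attachments outright, since the check above only scores the combination.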
Bob Gourley, the former Chief Technology Officer of America’s Defense Intelligence Agency, says that this should get people to take cybersecurity threats to infrastructure more seriously. He writes:
Although intelligence professionals have gone on the record saying that our grids are being probed and that there are indications that some foreign states have placed logic bombs in portions of the grid, those types of warnings are not widely read and seem to be easily forgotten. The fact that a major attack has caused an outage like this should be considered in this context. This type of attack is a real scenario and the threat of it must be mitigated.
Disabling a few power plants for a few hours is no dramatic “cyber Pearl Harbor,” an attack shocking enough to mobilize a national response. Instead, it’s in that foggy gray area between spycraft and sabotage, the sort of clandestine skirmish more typical of a Cold War. And with the ability to shut down power in winter, the war can get very cold indeed.