The Department of Homeland Security advised electric utilities Thursday that they may need to stop using the Internet altogether, after the agency found that a cyberattack that brought down Ukraine’s power grid in December could have been far more devastating than reported.
The Dec. 23 cyberattack forced U.S. regulators to place utilities on alert after unknown attackers caused thousands of Ukrainian residents to lose power for hours by installing malicious software, or malware, on utility computers. But the Department of Homeland Security said Thursday that the attack may have been directed at more than just the country’s electricity sector, suggesting the attackers were looking to cause more harm than was reported.
In response, federal investigators are recommending that U.S. utilities and other industries “take defensive measures.” To start with, they need to best practices “to minimize the risk from similar malicious cyber activity,” according to an investigative report issued Thursday by Homeland Security’s Industrial Control Systems Cyber Emergency Response Team.
But the team is also recommending more drastic action, such as keep control-system computers away from the Internet.
“Organizations should isolate [industrial control system] networks from any untrusted networks, especially the Internet,” the report says. “All unused ports should be locked down and all unused services turned off. If a defined business requirement or control function exists, only allow real-time connectivity to external networks. If one-way communication can accomplish a task, use optical separation.”
The findings show that the power outages were caused by three attacks using cyberintrusion software to attack electric power distribution companies, affecting about 225,000 customers. It also reveals that once power was restored, the utilities continued “to run under constrained operations,” implying that the damage to grid control systems was profound.
The team also learned that “three other organizations, some from other critical infrastructure sectors, were also intruded upon but did not experience operational impacts.” That suggests the attackers were going after more than just the power grid, and may have been planning a much more economy-wide attack. The team does not disclose what other sectors of the country were targeted.
The team said the attack was well-planned, “probably following extensive reconnaissance of the victim networks,” the report says. “According to company personnel, the cyberattacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities.”
The attackers were attempting to make the damage permanent. The report says the attackers installed “KillDisk” malware onto company computers that would erase data necessary to reboot operations after a cyberattack.
There is also a mystery to the attackers’ actions.
“Each company also reported that they had been infected with BlackEnergy malware; however, we do not know whether the malware played a role in the cyberattacks,” the report says. The malware was delivered using an email embedded hacking technique known as “spear phishing” that contained a number of malicious Microsoft Office attachments.
“It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated,” the team says.
The investigation was done with Ukraine authorities and involved the FBI, Department of Energy and the North American Electric Reliability Corporation.
