This article episode will be focused on cyber attacks performed against power grids and their impact for non-technical people; anyone can listen and understand.
All the stories have been taken from publicly available sources and do not reflect any opinion about the subjects.
In this article we will focus on 2 attacks that happened years apart from each other, both of them targeting power grids and critical infrastructure companies.
Let’s go back to the past to 2015. Political tension between Russia and Ukraine reached new peaks, and in December 2015 a Ukraine power grid received what is considered to be the first known successful cyber attack against a power grid.
Hackers were able to successfully compromise information systems of three energy distribution companies in Ukraine, and disrupt electricity supply to the end consumers for several hours.
This attack was highly professional and had multiple stages to ensure it was successful and achieved maximum chaos.
First the hackers used different techniques of email phishing, trying to lure employees working for the targeted companies to open and run infected emails with files or links.
Once the employees ran the malware on their computer, things started to happen without their knowledge. The malware searched for, and tried to seize control on SCADA devices connected to the network and after finding them it was trying to inflict the maximum damage possible.
In addition to that, the malware was able to search for files and wipe them out from servers and computers on the network.
At the same time, the malware also started to perform denial of services attacks against the call centre of the companies that were infected, making sure customers could not reach the company, forcing them to literally stay in the dark.
It took several hours to restore the electricity, and some say that it took so long because the electric companies had to go to remote stations and physically switch the power after the controller was destroyed in the attack.
Some stories even go further and say that since it’s been so long since manual power transmissions were used, they had to call people who retired from the electric companies, and now on pension to come and apply a temporary fix using decades-old systems that were not digital.
The Second Attack
At the end of July 2018 , The U.S. Department of Homeland Security revealed that Russian government hackers have gained deep access to hundreds of U.S. electrical utility companies.
According to the publication, this time the attackers were detected before they could cause real damage.
The way the hackers worked this time to get into these companies was different this time.
The hackers were able to penetrate into the networks of key vendors that provide services to utility companies, and already have trusting relationships and share infrastructure together.
That gave the hackers direct access to install malware on the networks of many different utility companies without their knowledge, while they only needed to hack into one network.
DHS has been warning utility executives with security clearances about the threat of Russian groups to critical infrastructure since 2014.
But the latest briefing was the first time that DHS has given out information in an unclassified setting with as much detail.
However, they still continue to withhold the names of victims, but now say there were hundreds of victims, and not just a few dozen as had been said previously.
Another reason for not disclosing the names of the people impacted by this attack is because it also said some companies still may not know they have been compromised,
because the attacks used credentials of actual employees to get inside utility networks, potentially making the intrusions more difficult to detect.
Both of these examples show 2 different countries in different parts of the world being impacted physically from attacks coming over the internet, even while the networks are completely isolated from the internet.
The critical infrastructure today is at big risk all around the world, in such cases where attackers are using unknown malware that has never been seen before. There is a need for a more proactive approach. By receiving constant quality intelligence feeds, the odds of such threats to be successful are reduced dramatically. In case such an attack happens, cyber threat intelligence can provide valuable insights and knowledge related to stopping and handling such attacks.
Stay safe and see you next time.
Don’t forget to visit www.cybercure.ai for the latest podcasts and cyber intelligence.