Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations
How to Block Ukraine-Style Hacker AttacksLessons Learned, Based on What's Known About Malware Involved
Evidence that the December 2015 disruption of multiple Ukrainian electrical substations was conducted by a group allied to Russian government interests continues to mount (see Ukrainian Power Grid: Hacked).
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
But regardless of who hacked one or more Ukrainian energy suppliers, security experts note that the spear-phishing emails and related malware infections apparently used by attackers would most likely have been blocked if the targets had some basic information security defenses in place.
"The takeaway is, 'Could that happen to me, and if so, what am I going to do about it?'"
Don't, however, start playing the blame game. "I'm not going to speculate on how good or bad the defenses were of the Ukrainian energy company," Paul Ducklin, a security analyst for information security firm Sophos, tells me. "In some ways they're only in the limelight because they did get penetrated by malware, and anyone to whom that happens could clearly have done something better."
Instead, Ducklin recommends all organizations study the Ukrainian hacks to determine whether they might fall victim to a copycat attack. "To me the takeaway is not to ask, 'Why don't energy companies do a better security job?'" he says. "The takeaway is, 'Could that happen to me, and if so, what am I going to do about it?'"
Sandworm Team: Suspected Connection
Of course, the Ukrainian hack attack is especially concerning because it appears to be the first time that hackers have disrupted an electrical power substation (see Ukrainian Power Grid Hack: 9 Questions).
But security experts are still waiting for a full report from Ukraine's Computer Emergency Response Team, CERT-UA, which has confirmed to me that it's continuing to investigate the attack. It also confirms a report from security vendor ESET that both BlackEnergy Trojan as well as KillDisk wiper malware were found on systems at the hacked energy supplier, Prykarpattya Regional Energy, that suffered the outage. CERT-UA warned in November 2015 that it had discovered KillDisk after a targeted attack against Ukrainian media organizations.
Now, threat-intelligence firm iSight Partners reports that it believes that the Sandworm advanced persistent threat group, which has previously been tied to attacks that align with Russian government interests, was also responsible for the Ukrainian power supplier hack and disruption (see Espionage Hacks Tied to Russians).
In a Jan. 7 blog post, John Hultquist, director of cyber-espionage analysis for iSight Partners, says that the malware used in the attack - the BlackEnergy 3 variant - was first spotted in early 2015, apparently focusing on targets in both Ukraine and Europe.
Both BlackEnergy 3 and KillDisk were also found on at least one of the hacked power company's systems, Hultquist adds, but he cautions that "we cannot confirm that the KillDisk malware caused the outage." Echoing other researchers, however, he observes that the wiper malware was likely intended to at least prolong the outage, adding that the Ukrainian security service, SBU, has claimed that at the time of the power disruption, "technical support numbers associated with the power authorities were allegedly flooded with calls, which may have been an effort to further overwhelm responders."
Wiper Malware: Nasty
But many experts caution that while attribution is useful for authorities - or diplomats - it's up to enterprise information security professionals to defend their organization against these types of attacks, no matter if cybercriminals, hacktivists or an APT team is at work.
Belgian reverse-engineering expert Dider Stevens, in a video teardown of the Excel spreadsheet that's been linked to the Ukrainian attack - as well as the November attacks against media organizations - reports that it uses malicious macros.
But neither Excel nor Word allow macros to execute by default, meaning that the Ukrainian spear-phishing email must have included a request that the recipient activate Office macros, Ducklin says, as has been seen in previous such attacks. If a user complies, the macros then install BlackEnergy, which "phones home" to a command-and-control server and can receive further instructions, exfiltrate data as well as download and install further malicious code. In the Ukrainian power supplier attacks, Ducklin says attackers appeared to install KillDisk on infected systems as well as a hacked copy of the DropBear SSH server, which included hard-coded passwords attackers could use to later remotely access the system.
The KillDisk malware is especially nasty, Ducklin reports, because it gives attackers the ability to wipe the Windows event log, delete all Windows shadow backup files and reinitialize network-connected logical volumes using the "format" command, which is designed to wipe all data on a hard disk, for example when reinstalling the operating system. Finally, the malware can overwrite every physical sector, "including boot sector, operating system files, swap files, applications and data, on up to 10 hard disks," he says.
"The last item really lives up to the name KillDisk," he adds. "But any of the others are likely to cause significant trouble for you and your IT department and would put a very serious dent in your day."
7 Lessons for All Infosec Pros
Anti-virus tools can help detect and eliminate malware such as KillDisk, but they're not foolproof, especially if attackers use malware packers to obfuscate the attack code and try to avoid signature-based scanning tools. Likewise, tricking victims into enabling macros gives attackers the ability to execute arbitrary code on a target's computer and take control.
So it's imperative to prevent spear-phishing emails from ever being viewed - and attachments potentially executed - by would-be victims. Ducklin offers the following advice:
- Filter: Use email filtering to help find and eliminate suspicious attachments as soon as possible.
- Flag: Treat all unsolicited attachments with extreme caution.
- Ignore: Never enable Excel or Word macros, even if an email - that might pretend to be from someone you know - instructs you to do so.
- View: Microsoft offers free Word and Excel viewer programs for Windows and Mac OS X, which give users a way to see document content, but which do not support embedded macros, meaning they cannot execute.
- Upgrade: The most recent versions of Windows help better safeguard users against malicious disk-wiping attempts.
- Block: IT departments must block unknown software from being able to "phone home" to grab and install applications as well as communicate with botnet networks.
- Update: Ensure anti-virus software remains updated and active protection enabled - sometimes known as "on-access scanning" or "real-time scanning" - to better detect as well as block any malware from executing.
Those steps won't block or prevent every piece of malware from ever reaching an end user or executing on a targeted system. But they will help ensure that no "cheap and easy" attacks - such as spear-phishing emails that instruct recipients to enable Office macros - succeed.