power lines at dusk, yellow sky

Did hackers disrupt the Ukrainian power grid, and Swedish airspace?

10:44 14 April in cloud security, Cyber security, cyber warfare, hack, Incident Response

The idea of disruptive hacking has long been a favourite of the media and certain talking heads. The idea that a dedicated team with laptops could take out the power and other critical services across a whole country is one that captures the imagination, and makes for great headlines. A power outage in November in Ukraine and more recently allegations that a Russian linked hacking group disrupted Swedish air traffic control have bought these fears bubbling to the surface again.

Are these incidents real?

The Ukrainian one certainly is. You can read the Wired article linked above, and also I would highly recommend this report from the SANS institute. It’s more technical and detailed, but worth a read. There is currently no supporting evidence for the Swedish air traffic control allegations (or at least non that is public). It also seems unlikely to me that the Swedish government would publicly claim the disruption was caused by electromagnetic disturbances as a cover story and expect it to hold. Right now that one is in my ‘wait for more information’ pile (UPDATE: The story has been refuted).

So lets focus on Ukraine. An audacious and unprecedented incident certainly. But, its marked out in many ways by the mundanity of the attack vectors used. The attacks used phishing emails, with malicious MS Office documents attached, which required the user enable macros to successfully deliver the malicious payload. This is an old trick, but sadly one which is still widely used and successful. I get emails like this every day. Equally the long period the attackers went undetected is not unusual. It’s not unusual for companies to be compromised for months, or even years, without knowing it. However typically attacks like that are not intended to be disruptive – in general spooks and criminals prefer you don’t realise they are in your computers.

What is unusual is the disruptive intent, and as both the Wired article and the SANS report make clear, the level of planning that went into ensuring it was difficult for the power companies to easily recover using their computer based control systems. They had to resort to physical means.

Is this the end of the world as we know it?

I’d say no. In fact, overall it’s possibly a good wake up call. The Ukrainian attack was successful because of some fundamental security weaknesses – users were tricked into doing something they shouldn’t, remote access was possible because of a lack of two factor authentication, insufficient segregation of critical systems, and there was clearly no security monitoring on the network which allowed the breach to go undetected. Also, again as is made clear in the analysis, this took a significant amount of time to plan, and resulted in a power outage of between one and six hours, across the affected regions. Conversely in November 2015 someone using plain old explosives caused an outage in Crimea that affected 2 million people, and lasted in some cases for up to two weeks.  As far back as 1997 the IRA plotted to bring chaos to London by blowing up substations.

My point is that whilst cyber attacks on power grids are evidently possible, they may not be the biggest threat. Equally, whatever the motive of the people behind the Ukraine hack, the downside of doing something like this is that it is much harder to do the second time. As the links above show, there is a lot of good information about the attack in the public domain, and certainly there will be more in private channels. Every power provider in Ukraine should be looking for signs of compromise, and upping their security game. Likewise power providers worldwide should, and almost certainly will, be doing the same. So the next attacker who wants to accomplish this will need to work harder. However, substations and power lines can still be blown up.

What can I learn from this?

Plenty. The techniques used in the Ukraine attacks are similar to those used by hackers everywhere. In the immediate short term you can disable macros across on all your Windows devices using Group Policy. Failing that, put out an alert to all staff telling them under no circumstances to enable macros if they open an attachment which apparently requires them. This will stop all sorts of bad stuff getting onto your network.

Other things you can do;

  • Train your staff to be suitably paranoid
  • Ensure you have AV running, ideally different products checking your inbound email and protecting desktops
  • As always, keep your operating systems and software up-to-date.
  • Implement two factor authentication if you allow remote access of any sort
  • Monitor your network for security breaches. You can’t assume you’ll never be compromised, so knowing immediately ensure you can respond quickly and effectively, and minimise the impact.

If you need help or would like to understand more about any of the above, do get in touch.  Use the contact form, or find us on twitter.

Thanks for reading