Hackers are continuing to target Ukraine's power grid with cyberattacks after initial strikes in December caused a widespread power outage impacting hundreds of thousands of people. But security experts warn these new attacks show that pointing the blame at the Russian government without real evidence is premature.
The latest attacks took place Tuesday. Just weeks ago, security researchers revealed the first power outage affected approximately half the homes in the Ivano-Frankivsk region of Ukraine, which has a population of around 1.4 million.
The outage on Dec. 23 was caused or enabled by a piece of malware known as BlackEnergy, known to be used by the Russian cybercrime group Sandworm, which has links to the Kremlin. However, the attacks this week, while using the same social engineering technique to deliver the malware, relied on different software. That casts doubt on speculation that the Russian government is behind the attack.
“What’s particularly interesting is that the malware that was used this time is not BlackEnergy,” said Robert Lipovsky, malware researcher with Slovakian security company ESET. “The malware is based on a freely available open-source backdoor — something no one would expect from an alleged state-sponsored malware operator.”
The news of the latest attack comes just days after it was revealed a workstation at Kiev’s Boryspil airport was also infected by the same BlackEnergy malware used in the initial attacks against the three power companies.
The attacks this week used the same spearphishing technique: highly tailored emails were sent to employees of Ukrainian power companies with a malicious XLS file attached which, if opened, would allow the malware to be downloaded remotely and give the hackers access to the victim's systems.
ESET informed the Ukrainian state cybersecurity agency CERT-UA about the attack, and the agency has taken the servers hosting the malware offline.
Russia has been blamed from the beginning by Ukrainian officials and many within the security industry who follow the operations of the Sandworm group, and given that the two countries have been in armed conflict since April 2014, it is hardly a surprising conclusion.
However, Lipovsky said there is no evidence at the moment to suggest who is behind the latest attack, or indeed the previous attack which successfully knocked the power grid offline. “Great care should be taken before accusing a specific actor, especially a nation state,” the researcher said.
Security expert Mikko Hypponen pointed out that it is unusual for a state-sponsored attack to cause such damage, as such attacks are typically used to facilitate spying. “We are assuming it is linked to the Russian government but this case is highly unusual.”
A previous high-profile example of a government-backed campaign which caused real world damage was Stuxnet, a piece of malware jointly developed by the U.S. and Israeli governments. It caused centrifuges at the Iranian nuclear facility at Natanz to spin out of control and explode.
However, Hypponen said the attacks on the Ukrainian power grid are a major concern, as they could point to the beginning of a bigger problem to come. “I am worried that it is going to be much worse considering how any modern society nowadays [is powered by] computers and software. It is not just a power plant, it is everything from food processors to telecommunications to medical systems.”