February 12, 2016
MSi has been tracking the ongoing cyber attack campaign against power companies, and now the energy supply chain, in Ukraine. This is an issue of national importance, and new developments are becoming public.
The summary above reflects what we knew at the time of writing; the campaign is ongoing and evolving.
This may not mean a lot to many of you, but it is an issue of national importance. A foreign actor has been leading an ongoing campaign against the Ukrainian power grid and has more recently switched tactics to hit the energy supply chain (i.e. the resource-producing companies that supply the material used to generate power, and the trains that deliver it). TrendMicro first broke the news last night: http://blog.trendmicro.com/trendlabs-security-intelligence/killdiskand-blackenergy-are-not-just-energy-sector-threats/
The first waves, in December and early January of 2016, “turned off the lights” by disconnecting the power grid from generation: the attackers simultaneously opened the relays in the control network and took 30 substations offline, remotely and all at once, so the lights went out. The Ukrainian utilities apparently did not even know this was a cyber attack and sent crews out to the 30 substations to restore power manually. In the US, we are far more automated after decades of progression, and returning to manual operation for any period of time (days) is not very feasible.
The adversary has been adjusting their attack tactics in near real time as they see responses unfold. In phase 2 they recently began attacking and infiltrating the energy supply chain, in an effort to take out the power, fuel and transportation (train) sources. This is not an attack on one plant or one company; it is an ongoing campaign against the supply chain that keeps the power systems, and everything that relies upon them, operating in a region of a major NATO country.