Enlarge image
High-voltage line: "Became the first malware specifically designed to attack the power supply"
Photo: NEIL HALL/EPA
It's hard to imagine a place further removed from the war in Ukraine than Las Vegas' Mandalay Bay Resort.
The huge hotel and casino complex at the southern end of the famous »Strip« is the setting for the 25th Black Hat , a conference on the subject of IT security.
Outside, guests splash around in the artificial lagoon, inside, between endless rows of slot machines and an oversized aquarium with sharks, experts from 111 countries meet for lectures in pompous American ballrooms.
But when Robert Lipovsky and Anton Cherepanov from the Slovakian IT security company Eset introduce their star guest, Ukraine is practically within reach: Viktor Zhora has come to Las Vegas, the deputy head of the Ukrainian IT security authority.
Zhora says that since the end of February he has had to fend off more hacker attacks than ever before.
One of them could have turned off the electricity for up to two million citizens – if it had been successful.
The fact that it wasn't is reassuring on the one hand: A blackout can apparently not even be hacked up.
On the other hand, it is worrying how much effort a suspected government hacking unit put into its attempt.
The perpetrators entered at least a week before the start of the war
Eset and others blame the attack on the Sandworm group, a hacking group affiliated with Russia's GRU military intelligence agency.
It's called that because of the multiple references to Frank Herbert's "Dune" in earlier code snippets of theirs.
Sandworm already sabotaged Ukraine's power supply in 2015 and 2016, the first time for about six hours, the second time just for one.
As a result, 230,000 and 700,000 Ukrainians were temporarily without electricity.
At the time, the attacks alarmed security experts worldwide.
The third attempt took place on Friday evening, April 8, 2022.
But it was prepared at least a week before the start of the Russian attack, namely February 17 at the latest, says Zhora.
He assumes that on that day - or even earlier - a regional Ukrainian electricity company was compromised in a way that is still unknown.
A several-week phase of scouting followed.
The hackers then spread in the supplier's network from the IT to the OT (operational technology), i.e. the control technology.
According to the findings of Eset and the US company Mandiant, the actual malware is based on that which was used in 2016 and was christened Industroyer.
That was "the first malware that was specifically developed to attack the power supply," says Lipovsky.
Attacks on the power supply are highly complex
Accordingly, Eset calls the further development that was used this year Industroyer2.
And although many details of the attack in April are still unclear, Industroyer2 and the previous version show how complex it is to physically damage industrial control systems, such as those used by energy suppliers, with malicious code alone.
The attack in 2016 was supposed to take place in several complex stages, as the Eset researchers were able to reconstruct.
The aim of the perpetrators was therefore to first switch off the electricity in a substation, then to deny the operators access to their own system and to manipulate the control system in such a way that it could no longer be started up.
But the attack was to become even more insidious: After that, they wanted to manipulate a Siemens relay installed by the electricity supplier, which is actually used to trigger a protective fuse in the event of errors.
To do this, they wanted to use a prepared file to put the relay into an update mode in which it would get stuck.
If the operator attempts to manually restart the electricity due to the hacking attack, the system should be damaged - because the fuse manipulated by the hackers does not kick in.
Eset doesn't know whether Industroyer2 should try to do the same.
"We haven't seen any evidence of this," Lipovsky said in an interview with SPIEGEL.
What is clear, however, is that additional malicious programs, so-called wipers, were intended to cover up the perpetrators' tracks in the network this time by overwriting log files and making drives unusable, among other things.
Such wipers have been a recurring hacking weapon in various attacks on Ukrainian targets in recent months.
The suspected group behind the attack: Sandworm
The attack required in-depth knowledge of the plant and the industrial control systems (ICS) used there.
The perpetrators needed a corresponding number of resources and specialists.
Lipovsky finds the effort that the perpetrators made to familiarize themselves with the intricacies of the underlying software protocols downright “disturbing”.
Because you can't just google them.
If someone has this special knowledge, the defense attorneys have a fundamental problem: ICS like the one in the Ukrainian substation and the associated protocols "were developed decades ago without paying attention to security," says Lipovsky.
Accordingly, Sandworm did not have to exploit any previously unknown vulnerabilities in the system.
On the contrary, Industroyer2, as the Eset researcher puts it, "uses a protocol exactly as it was intended".
What ultimately thwarted the attack was a quick response from defenders, who included Ukraine's Computer Emergency Response Team (Cert) as well as Microsoft, Cisco Talos, and Eset.
A mistake in thinking by the hackers also helped with the defense, as Zhora says.
The attack was scheduled to start at 5:58 p.m. Friday, "assuming most employees are still there and their computers are on."
But because most people finish work at four or five o'clock on Fridays, many computers were switched off and were therefore not even paralyzed by the wipers.
The defenders were therefore left with more functioning hardware than the perpetrators might have wished for.
Anyone who has set themselves the goal of sabotaging an electricity supplier sometimes not only needs special technical knowledge, but also insight into duty rosters.
