Attacking the power grid: Kyiv Targeted
The power grid, along with other utilities, continues not to receive its due cybersecurity attention. Unfortunately, the population does not appreciate, in general, how very vulnerable a significant portion of these systems are. More to the point, the potential effects of a breach (i.e. no electricity for extended periods) are not appreciated...until it happens to a set of users.
Well, this issue has two sides, as do most. While one side has not given this the appropriate level of attention, another has given it at least a baseline amount...the attackers. Recently the Kyiv power grid was attacked. From the appearances and evidence present, a well-known group was involved with this latest attack. This was allegedly the work of Telebots and used Industroyer. The same group was behind the disk-wiping NotPetya malware and BlackEnergy, and was responsible for the 2015 blackout in Ukraine.
Telebots has been linked to Industroyer through its recent activity. The group attempted to deploy a new backdoor titled Exaramel, which appears to be an improved version of Industroyer. This assessment is based on code similarities, shared command and control (C&C) infrastructure, and malware execution chains. While this is not conclusive, the direction of the evidence is rather significant, and the pattern of deploying this specific backdoor is rather telling.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.