December 2015 – 2017 — A blackout across the Ivano-Frankivsk region in western Ukraine cut power on December 23, 2015. Early reports put the outage at 700,000 people; the SANS/E-ISAC analysis cited below counts roughly 225,000 customers across three distribution companies. The blackout was attributed to a cyberattack on the Ukrainian electrical power company Prykarpattyaoblenergo. Ukraine's state security service, the SBU, officially blamed Russian-linked hackers.
ESET analyzed the attacks, reporting on January 3, 2016 that a group had used the BlackEnergy malware family to attack the Ukrainian electrical power industry and news media companies. Two components did the damage: a destructive KillDisk module that overwrote document files with random data and left the operating system unbootable, and a backdoored SSH server that grants a shell to any client presenting a hard-coded password.
ESET issued another report on January 4. Other energy companies in Ukraine were targeted at the same time. The infections came in through Microsoft Office files with malicious macros. The malware also had some additional functions targeting industrial control systems.
Kaspersky provided more details in their report on January 28. CyS Centrum has a report on BlackEnergy attacks in Ukraine through 2014 and 2015.
SentinelOne released a detailed analysis of BlackEnergy 3 in late January 2016; see the announcement and the full report.
SANS and the E-ISAC published a detailed analysis in mid-March 2016, summarizing the incident itself and the media reporting, then analyzing the attack techniques. They concluded that it started with phishing emails carrying Word and Excel documents with macro-based malware. The macros dropped BlackEnergy 3 into place, which was used to steal legitimate user credentials. The stolen VPN credentials allowed the attackers to reach the industrial control systems network and operate the distribution companies' own control software.
This was widely reported, including by Dark Reading on January 5 2016, January 14, and January 27; Foreign Policy on January 8; Reuters on January 27; The Register on January 28, and Wired with more detail on March 3.
The U.S. Defense Intelligence Agency's Russia Military Power Report 2017 reported "CyberBerkut is a front organization for Russian state-sponsored cyber activity, supporting Russia's military operations and strategic objectives in Ukraine", citing "Russia's Use of Disinformation in the Ukraine Conflict. Russian strategy analysis", 18 Feb 2015, in Eurasia Review. They say that CyberBerkut "has been implicated in multiple incidents of cyber espionage and attack, including distributed denial of service attacks against NATO, Ukraine, and German government websites." More recently, CyberBerkut has been stealing and publishing documents from Ukrainian government and political figures in order to discredit, demoralize, embarrass, and create distrust of those figures.
Russia's "Troll Army", also known as the Internet Research Agency, is described in the DIA report as "a state-funded organization that blogs and tweets on behalf of the Kremlin." The New York Times reported on the Troll Army in June 2015.
December 2016 – 2017 — On December 17, 2016, malicious software tripped circuit breakers at a transmission substation and shut off electrical power to part of Kiev, cutting roughly 20% of the city's supply for about an hour. That appears to have been a test of sophisticated malware, since labeled CrashOverride by Dragos and Industroyer by ESET.
The malware has a modular design, with payloads for the SCADA protocols commonly used in European grids: IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA. Unlike the 2015 attack, which required interactive control by several operators, this malware is largely automated. It can map the network where it is inserted, observing and logging traffic, then issue breaker commands on its own.
It also carries a denial-of-service tool for a known vulnerability in Siemens SIPROTEC digital protective relays (CVE-2015-5374), which can knock the relays offline so they cannot respond. There is speculation that the intent is more than cutting off power: with protection disabled, overloading lines and transformers could damage equipment.
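The automated breaker control described above is easiest to see on the wire. The following is an added illustration, not code from ESET, Dragos or any other report cited on this page: a minimal parser for IEC 60870-5-104 application data that pulls out switching commands and flags a station where execute commands sweep across many object addresses, the pattern a scripted payload produces and an operator normally does not. The type identifiers and field layouts follow the standard; the byte stream at the bottom is constructed for the example, and the alert threshold is an assumed tuning value.

```python
"""Flag IEC 60870-5-104 control commands in a captured TCP byte stream.

Added illustration only (not from any report cited on this page). Assumes the
raw application payload of a TCP 2404 session, APDUs back to back, and parses
only the switching command types listed below.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterator, List

START = 0x68

# Control-direction ASDU type IDs that switch or adjust field equipment, and the
# size of their information element (1 qualifier byte, +7 for a CP56Time2a tag).
COMMAND_TYPES: Dict[int, str] = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command, time-tagged",
    59: "C_DC_TA_1 double command, time-tagged",
    60: "C_RC_TA_1 regulating step command, time-tagged",
}
ELEMENT_SIZE = {45: 1, 46: 1, 47: 1, 58: 8, 59: 8, 60: 8}


@dataclass
class Command:
    type_id: int
    common_addr: int   # station (RTU/IED) address
    ioa: int           # information object address: which breaker or tap
    execute: bool      # S/E bit clear = execute, set = select
    value: int         # SCS for single; DCS/RCS (2 bits) for double/step
    cause: int         # cause of transmission, 6 = activation


def iter_apdus(stream: bytes) -> Iterator[bytes]:
    """Split a stream into APDUs: start byte 0x68, length byte, `length` bytes."""
    i = 0
    while i < len(stream):
        if i + 2 > len(stream) or stream[i] != START:
            raise ValueError(f"bad APDU framing at offset {i}")
        length = stream[i + 1]
        apdu = stream[i + 2 : i + 2 + length]
        if len(apdu) != length:
            raise ValueError(f"truncated APDU at offset {i}")
        yield apdu
        i += 2 + length


def parse_commands(stream: bytes) -> List[Command]:
    """Return every switching command carried by I-format frames in the stream."""
    commands: List[Command] = []
    for apdu in iter_apdus(stream):
        ctrl, asdu = apdu[:4], apdu[4:]
        if ctrl[0] & 0x01 or len(asdu) < 6:   # S-/U-format frames carry no ASDU
            continue
        type_id, vsq, cause = asdu[0], asdu[1], asdu[2] & 0x3F
        common_addr = struct.unpack_from("<H", asdu, 4)[0]
        if type_id not in COMMAND_TYPES or vsq & 0x80:   # SQ=1 not used for commands
            continue
        pos, size = 6, ELEMENT_SIZE[type_id]
        mask = 0x01 if type_id in (45, 58) else 0x03
        for _ in range(vsq & 0x7F):
            ioa = int.from_bytes(asdu[pos : pos + 3], "little")
            qual = asdu[pos + 3]
            commands.append(Command(type_id, common_addr, ioa,
                                    execute=not (qual & 0x80), value=qual & mask,
                                    cause=cause))
            pos += 3 + size
    return commands


def sweep_alerts(commands: List[Command], threshold: int = 4) -> Dict[int, List[int]]:
    """Stations where activation commands were executed on >= threshold distinct IOAs.

    A scripted payload iterates over object addresses and toggles each one; a
    legitimate operator action normally touches one or two. The threshold is an
    assumed tuning value, not something the published analyses prescribe.
    """
    seen: Dict[int, set] = {}
    for c in commands:
        if c.execute and c.cause == 6:
            seen.setdefault(c.common_addr, set()).add(c.ioa)
    return {ca: sorted(ioas) for ca, ioas in seen.items() if len(ioas) >= threshold}


def build_single_command(ioa: int, on: bool, execute: bool, send_seq: int,
                         recv_seq: int, common_addr: int = 1) -> bytes:
    """Encode one C_SC_NA_1 APDU (used here only to construct the sample stream)."""
    ctrl = struct.pack("<HH", send_seq << 1, recv_seq << 1)
    sco = (1 if on else 0) | (0 if execute else 0x80)
    asdu = (bytes([45, 0x01, 6, 0]) + struct.pack("<H", common_addr)
            + ioa.to_bytes(3, "little") + bytes([sco]))
    return bytes([START, len(ctrl) + len(asdu)]) + ctrl + asdu


# Constructed sample: an S-format ack, a general interrogation (type 100), then
# five "open" commands executed against consecutive breaker addresses.
SAMPLE_STREAM = (
    bytes([START, 4, 0x01, 0x00, 0x02, 0x00])
    + bytes([START, 14, 0, 0, 0, 0, 100, 1, 6, 0, 1, 0, 0, 0, 0, 20])
    + b"".join(build_single_command(1000 + i, on=False, execute=True,
                                    send_seq=i + 1, recv_seq=1) for i in range(5))
)

if __name__ == "__main__":
    cmds = parse_commands(SAMPLE_STREAM)
    for c in cmds:
        print(COMMAND_TYPES[c.type_id], c)
    print("sweep alerts:", sweep_alerts(cmds))
```

Run against a real capture by feeding it the reassembled TCP payload of a port 2404 session; in production the same logic would also key on time, since the sweep happens within seconds, and would whitelist the HMI addresses that are allowed to issue commands at all.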
Honeywell and the Kiev-based Information System Security Partners have said that the 2016 blackout was likely caused by the same attackers as the 2015 attack, which has been widely attributed to a hacker group called Sandworm, and that it likely originated in Russia.
The Dragos report says, "Dragos, Inc. tracks the adversary group behind CRASHOVERRIDE as ELECTRUM and assesses with high confidence through confidential sources that ELECTRUM has direct ties to the Sandworm team."
Technical reports and analysis:
Ongoing Sophisticated Malware Campaign Compromising ICS (Update E)
Industrial Control Systems CERT, updated 9 Dec 2016
The Daily Beast, 12 June 2017
June 2017 — Malicious software targeted Ukraine on 27 June 2017. It spread quickly in Ukraine through government ministries, energy companies, the power grid, banks, and transportation. 80% of the infections happened in Ukraine, with 9% in Germany and others in France, Italy, Poland, the U.K. and the U.S.
The malware claimed to be ransomware, but it was actually a "wiper", overwriting data with no practical way to recover it. It was built on a variant of Petya, but this version spread on its own: it used the EternalBlue and EternalRomance SMB exploits leaked from the NSA, and it also harvested credentials from memory and used PsExec and WMIC to move laterally to machines that had already been patched. The variant is being called Petya, NotPetya, Nyetya, ExPetr, GoldenEye, and more.
Initial spread was through a poisoned update to M.E. Doc, a Ukrainian tax accounting package used by most businesses in the country for their filings, which made it the de facto standard accounting software there. A similar attack had happened on 18 May 2017, when ransomware called XData was delivered through M.E. Doc. [see the report in Russian]
The site with M.E. Doc software updates was served on one host at the WNet hosting company. On 1 June 2017 the Ukrainian security agency SBU raided the WNet offices. The SBU said that WNet had turned over control to the FSB, Russia's intelligence service. [see the reports at ain.ua and politolog.net] On July 1 "the head of Ukraine's CyberPolice suggested" in an Associated Press report that M.E. Doc knew of the intrusion and malware planting and "For this neglect, the people in this case will face criminal responsibility."
In January 2018 the Washington Post reported that the CIA had concluded that the Russian military's GTsST, the Main Center for Special Technology, was behind NotPetya.
A.P. Møller-Maersk, the world's largest container shipping company, reported that it recovered by reinstalling over 4,000 servers, 45,000 PCs, and 2,500 applications in late June and early July 2017. For 10 days they had no computers, but meanwhile another ship with 20,000 containers would enter a port every 15 minutes.
Reuters; New York Times; Washington Post (June 2017); BBC; Ars Technica; Wired; Bloomberg; ain.ua; politolog.net; Associated Press; Washington Post (January 2018)
Technical reports and analysis:
Matt Suiche; Kaspersky Labs #1; Kaspersky Labs #2; the grugq; Brian Krebs; Lesley Carhart; On the Wire; Talos and Cisco detailed analysis; ESET detailed analysis; Wired; US-CERT Alert TA17-181A
July 2018 — Ukraine's SBU security service detected and shut down a cyberattack that used VPNFilter malware against network equipment at the LLC Aulska chlorine station, which supplies chlorine to water and sewage treatment plants. The Russian military hacker team known as Fancy Bear or APT28 is believed to be behind the attack.
Interfax Ukraine News Agency