The recent cyberattack on a Ukrainian power company was a coordinated effort consisting of several distinct elements, according to a group of researchers focused on industrial control systems.
The attack consisted of “multiple elements,” SANS ICS director Michael Assante wrote in a blog post published Saturday.
“The attackers demonstrated planning, coordination, and the ability to use malware and possible direct remote access to blind system dispatchers, cause undesirable state changes to the distribution electricity infrastructure, and attempt to delay the restoration by wiping… servers after they caused the outage,” Assante wrote.
The Ukrainian Security Service SBU was swift to blame Russia for planting malware to cause the blackout. Relations between the two nations have been in a steep decline since Russia annexed Crimea in 2014 and began supporting pro-Russian separatists in eastern Ukraine.
"We found that the [malware] came from Russia," SBU said. "It was an attempt to interfere in the system. But it was discovered and prevented."
Assante’s analysis shows that while malware enabled the attackers to carry out certain elements of their plan, it was not the direct cause of the outage.
Instead, malware was likely used to blind system operators to what was happening while a remote attacker, using the operators' own control systems, opened circuit breakers and disconnected parts of the distribution network.
The attackers also launched a denial-of-service attack on the power company’s customer service center, flooding its phone lines with phony calls to prevent customers from reporting the outages.
A report from the pseudo-government industry group the Electricity Information Sharing and Analysis Center (E-ISAC) last week also called the blackout a "coordinated effort by a malicious actor,” urging its U.S. members to boost their network security in response.
In a nine-page confidential document, E-ISAC echoed concerns from lawmakers and security experts that outdated systems and an increasingly connected grid have left vital infrastructure vulnerable.
Although E-ISAC insisted that "there is no credible evidence that the incident could affect North American grid operations and no plans to modify existing regulations or guidance based on this incident," officials say hackers from Russia, Iran and China are all probing the U.S. power grid for weaknesses.
National Security Agency Director Adm. Michael Rogers has acknowledged to lawmakers that China and “one or two” other countries are capable of shutting down portions of critical U.S. infrastructure using a cyberattack.
The consequences if hackers moved from grid-mapping to a deliberate attack could be devastating. A blackout across 15 states and Washington, D.C., could cost the economy hundreds of billions of dollars, raise mortality rates at hospitals and cut the nation’s water supply, according to a recent study.