Read the book Russian Cyber Operations - Scott Jasper - Page 19

Ukraine Power Grid


On December 23, 2015, three different distribution oblenergos (energy companies) in Ukraine experienced unscheduled power outages starting at 3:35 p.m. local time. External hackers had remotely accessed their control centers to take over their supervisory control and data acquisition (SCADA) distribution-management system. The hackers opened breakers at thirty distribution substations, causing more than 225,000 customers to lose power.88 The cyberattacks appeared to have been synchronized and coordinated following extensive reconnaissance. Company personnel reported they occurred at the three locations within thirty minutes of each other.89 At the conclusion of the onslaught, hackers wiped some systems with KillDisk malware, most likely in an attempt to interfere with expected restoration efforts.90 The oblenergos were forced to move to manual operations and fortunately were able to restore service in several hours. In addition to the intrusions, the attackers conducted a remote telephonic denial of service during the period of the outage. Thousands of bogus calls flooded the energy companies’ call centers to prevent impacted customers from reporting the outages. The intent seemed to be to frustrate the customers since they could not find out when the lights and heaters were expected to come back on in their homes.91

At the onset of the attack, an operator at the Prykarpattya region oblenergo witnessed the cursor on his computer move purposefully toward the buttons controlling the circuit breakers at a regional substation. The cursor then clicked on a box to open the breakers, taking the substation off-line. The operator stared helplessly as one breaker after another was clicked open.92 However, the assault had begun long before this remote takeover, when the perpetrators conducted reconnaissance of the company networks and stole operators’ credentials. The attacks began in the spring with a spear-phishing campaign that targeted both information technology (IT) staff and system administrators at multiple electrical distribution companies throughout Ukraine.93 The phishing emails, which appeared to come from a trusted source, contained Microsoft Word documents weaponized with embedded BlackEnergy 3 malware.94 When workers opened the attachment, a pop-up alert asked them to enable macros. If they complied, BlackEnergy infected their machines and opened a backdoor for further intrusion. This intrusion method abused an intentional feature of Microsoft Word, macro execution, rather than a vulnerability in an operating system or application.95
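Because the delivery step above relies on a documented Office feature rather than an exploit, the practical check at a mail gateway is to detect the feature itself: does the attachment carry a VBA project at all? The following is an added example, not code from the book or from any source it cites. It inspects an Office Open XML package for a VBA project part and for the macro-enabled content type, and it builds two constructed sample documents (placeholder bytes, not real macros) to run against. The helper names are the example's own.

```python
import io
import zipfile

# Content types Word declares for the main document part. A plain .docx uses
# PLAIN_MAIN; a macro-enabled .docm uses MACRO_MAIN and adds a vbaProject part.
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
VBA_TYPE = "application/vnd.ms-office.vbaProject"


def _content_types_xml(macro: bool) -> str:
    """Build the [Content_Types].xml part for the constructed samples."""
    overrides = [f'<Override PartName="/word/document.xml" '
                 f'ContentType="{MACRO_MAIN if macro else PLAIN_MAIN}"/>']
    if macro:
        overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_TYPE}"/>')
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/octet-stream"/>'
            + "".join(overrides) + "</Types>")


def build_sample_document(macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML package with or without a VBA project part.
    The VBA bytes are a placeholder, not an actual macro."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", _content_types_xml(macro))
        z.writestr("word/document.xml", "<w:document/>")
        if macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0PLACEHOLDER-VBA-STORAGE")
    return buf.getvalue()


def scan_office_attachment(data: bytes, filename: str) -> dict:
    """Flag an OOXML attachment that carries a VBA project.

    The decision is made on package contents, not on the extension: a .docm
    renamed to .docx still contains vbaProject.bin and still declares the
    macroEnabled content type. Legacy binary .doc files are OLE2, not ZIP;
    they are reported as non-OOXML here and need an OLE parser (for example
    oletools' olevba) instead.
    """
    result = {"filename": filename, "is_ooxml": False, "has_macro": False, "reasons": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "[Content_Types].xml" not in names:
                return result
            result["is_ooxml"] = True
            # Check 1: a VBA project part anywhere in the package (word/, xl/, ppt/).
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                result["has_macro"] = True
                result["reasons"].append("vbaProject.bin part present")
            # Check 2: the package declares a macro-enabled main part or a VBA part type.
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
            if "macroEnabled" in content_types or VBA_TYPE in content_types:
                result["has_macro"] = True
                result["reasons"].append("macro-enabled content type declared")
    except zipfile.BadZipFile:
        return result  # OLE2 .doc or non-Office data

    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if result["has_macro"] and ext in ("docx", "xlsx", "pptx"):
        result["reasons"].append(f"macro project hidden behind a .{ext} extension")
    return result


if __name__ == "__main__":
    for name, macro in (("report.docx", False), ("report.docm", True), ("report.docx", True)):
        print(scan_office_attachment(build_sample_document(macro), name))
```

A gateway that quarantines anything `has_macro` flags, combined with an Office policy that refuses to enable macros in documents arriving from the internet, removes the "enable macros" decision from the worker entirely, which is the step the campaign above depended on.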

Once installed, BlackEnergy 3 connected to a command-and-control channel through which the hackers communicated with the malware.96 The hackers mapped the networks and moved laterally throughout the environment, blending into the target’s systems to evade detection.97 Eventually they gained access to the Windows domain controllers and harvested workers’ credentials. Even though the companies had segmented the corporate network from the SCADA networks that controlled the grid, the harvested credentials gave the hackers a way into the latter through the virtual private networks (VPNs) the grid workers used to log in remotely.98 Once inside the SCADA networks, they reconfigured the uninterruptible power supply (UPS) for two of the control centers so that the operators themselves would lose power, and not regain it, during the assault.99 They also wrote and uploaded malicious firmware for the serial-to-Ethernet converters at more than a dozen of the substations. Replacing the legitimate firmware meant the attackers could prevent operators from sending remote commands to close the breakers again and restore power during the blackout. Now that they were “armed with the malicious firmware, the attackers were ready for their assault.”100

Shortly after the outage, the Security Service of Ukraine claimed that Russian security services were responsible for the cyber incident.101 Robert Lee, cofounder of Dragos Security, shied away from quick attribution but suggested that different types of actors worked on different phases of the operation, saying, “It could have started out with cybercriminals getting initial access to the network, then handing it off to nation-state attackers who did the rest.”102 Eventually the cyber-threat intelligence firm iSight Partners blamed the Russian hacking group known as Sandworm for the power outage.103 Its conclusion was based on detailed analysis of the BlackEnergy 3 and KillDisk malware used in the operation. Although iSight said it was not clear whether Sandworm was directly working for Moscow, its director of espionage analysis, John Hultquist, stated that it was “a Russian actor operating with alignment to the interest of the state.”104 A profile of politically oriented operations by the Sandworm team suggests “some affiliation to the Russian government.”105 However, alignment with Russian state interests “does not prove state support.”106 No proof has been presented that Sandworm operated on the instructions of, or under the direction or control of, the Russian government.

Regardless of the lack of clear attribution to the state, the fact remains that the pro-Russian group Sandworm conducted the first-ever cyberattack on another country’s electric grid.107 The hackers had the ability to cause more damage to the circuit breakers, permanently taking the stations off-line, but chose not to. This restraint may have been “meant to signal Russia’s capability to attack Ukraine’s physical infrastructure, but without doing irreparable damage.”108 The signal could have been more of a warning, for the Ukrainian parliament was at the time considering a bill to nationalize privately owned power companies in Ukraine, some of them owned by Russian oligarchs.109 Either way, the widespread impact, during winter, was mainly psychological. Power was restored in one to six hours, and even though the malicious firmware left the affected substations without remote control for months, workers could still operate the breakers manually.

Without injury or death and without significant damage, the cyber incident at the regional electrical distribution companies in Ukraine in December 2015 would not be viewed by most analysts as a use of force. Furthermore, the scale (number of customers) and effects (duration to restoration) of the cyber operation would probably not reach the threshold of severity required to qualify as an armed attack. At most, the cyber incident was a violation of sovereignty under the two different bases for remote cyber operations delineated in Rule 4 of the Tallinn Manual 2.0. Under the first basis, the requisite degree of infringement on the state’s territorial integrity was met by the enduring loss of functionality of critical infrastructure. Under the second basis, the experts who wrote the Tallinn Manual 2.0 agreed that “a cyber operation that interferes with data or services that are necessary for the exercise of inherently governmental functions is prohibited as a violation of sovereignty.”110 This determination amounts to a violation of international law under the principle of the sovereign equality of states, explained in Rule 4 of the Tallinn Manual 2.0 and enshrined in Article 2(1) of the UN Charter. However, since the violation of sovereignty was not clearly attributable to a state under international law, the incident does not necessarily meet both conditions (breach of an international legal obligation, and attribution to a state) required to qualify as an internationally wrongful act, and therefore countermeasures by the injured state would not be justified or allowed.
