Cyberwarfare Against Ukraine: Power Grid Attacks, Countless Hacks, and NotPetya

The world’s powers may not be shooting bullets at each other right now, but they’re certainly engaged in a cyber war, something that should make us all fear for the coming days and years.

While no government will admit that their hackers were behind a certain attack, many groups have been known to be affiliated to state powers, which has led to many reports about various attacks as being “state-sponsored.” Fancy Bear, or APT 28 and a handful of other names, is one of the groups that’s been known to be close to Russia, for instance. The hackers have been tied to attacks on the US Democratic Party ahead of the 2016 elections, as well as on Macron’s team ahead of the French elections earlier this year, and many others.

This type of attacks sought to gain information that could then be leveraged against the targets. In the aforementioned cases, the hackers wanted to plants seed of distrust against Hillary Clinton and Emmanuel Macron. In the first instance, they succeeded, as Donald Trump won the race to the White House. In the second, they weren’t as successful mainly because the French were on the look-out for such an attack.

There are other types of attacks, however, that should have us all deeply troubled and fearing for what’s to come. Sure, sensitive information is dangerous, but taking down your city’s power grid? That’s terrifying.

 

The nightmare

We’ve all seen those spy movies where the power is cut throughout the city, right? We’ve all seen the attacks that can happen when security systems don’t work because there’s no power to keep them up, right? While this is Hollywood at work, it doesn’t mean it can’t happen in the real world.

In late 2015, as well as in 2016, almost a year to the day, Ukraine was hit by hackers who managed to successfully attack power stations, causing blackouts. Now, just a few months later, the NotPetya fake-ransomware attack also targeted energy companies throughout Ukraine, with the country being the ground-zero for the incident. In the meantime, other institutions throughout the country have been under constant attack, including the national railway system, government ministries, and a national pension fund.

Many voices have pointed towards Russia, although it’s not like the country will ever admit to anything. The closest they’ve gotten to saying they had a hand in any of the recent hacks against Russia’s enemies was Vladimir Putin saying that hackers loyal to the country may have conducted actions on their own. We’re likely not going to get anything more than this, and frankly, they don’t have to say it. We all know the world’s super powers are fighting each other and others too, either via their own intelligence agencies or loyal hackers.

Regardless of who you think is behind an attack or another, the point is that they are possible and there’s very little that can stop them. The fault for this is that many of the security systems protecting power grids, water dams and so on, are old and haven’t been upgraded in a while. This, of course, makes them quite an easy target, no matter where they are around the world. The bad news is that they are extremely dangerous to the population, affecting millions of people in one go.

Without power, you have no water pumps, heat in the winter, air conditioning in the summer, electronic protection for your building; not to mention the problems a sudden blackout can cause to servers holding important data from banks and other companies, including telecommunications.

Attacks on the water supply system, dams, power plants of all kinds, and so on, are entirely possible and they can cause a lot of mayhem.

 

The NotPetya smoke screen

The interesting part is that some of the attacks on the Ukraine have been conducted only to cover infections with malware such as BlackEnergy. Following the recent NotPetya attack, cybersecurity experts also believe that it was all a show, with the sole purpose being to cover malware infiltration on the real target.

The clues are there and the theory holds water. The “ransomware” came with the demand of victims paying $300 for the decryption code, but before sending the money they were told to email a certain address. The hackers must have known that the address would be shut down shortly after the attack started spreading, making it impossible for them to receive any of the money they were demanding. Experts over at Kaspersky even reached the conclusion that the victim’s disk couldn’t have been decrypted even if the system had worked.

“We have analysed the high level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks. To decrypt a victim’s disk threat actors need the installation ID. In previous versions of “similar” ransomware like Petya/Mischa/GoldenEye this installation ID contained the information necessary for key recovery. ExPetr does not have that, which means that the threat actor could not extract the necessary information needed for decryption. In short, victims could not recover their data,” Kaspersky wrote in a blog post.

Trend Micro security firm agreed on this, saying that NotPetya deletes its own Master File Table, which makes the decryption impossible.

In the end, security firms have cataloged NotPetya as a wiper malware, not ransomware, which seems a lot more fitting given how it acts.

The belief that the infection with NotPetya was only a way for the hackers to deliver some sort of hidden malware is widespread among specialists. Information Systems Security Partners (ISSP), a cybersecurity company in Kiev, points out that at almost all organizations whose network domains were infected, not all computers went offline. Now, they’re trying to figure out what might have been left behind on those machines.

Until then, however, we’re left hoping that the trojan horse doesn’t burst open.