Welcome back to this series on SCADA Hacking and Security!
SCADA/ICS security is critical for SO many reasons. Among the most important is that any cyber warfare in the future will likely involve some form of SCADA/ICS hacking to take down the opponent's critical infrastructure such as electricity, water, oil refining and transportation. As we in the West prepare for such a potential attack, we can watch and study what is happening now in the Ukraine for lessons on how such an attack might take place. We have a real life "laboratory" to learn from in the Ukraine.
With that in mind, let's take a look at the attack on the Ukraine's electricity grid by a highly sophisticated hacking group based in Russia known as "Sandworm". Our intention-- by studying this attack--is to learn lessons to protect our facilities from similar attacks.
The attack on the Ukraine power system was the result of the use of a piece of malware that has come to be known as BlackEnergy 3. Let's take a more detailed look at this attack and malware to understand how such attacks might take place in the our future.
Blackenergy is a Trojan has been circling the globe now for over a decade and in that time it has made some significant transformations. It was originally designed to generate zombies for a botnet to use in DDoS and distributed password attacks (BlackEnergy 1), it's modular nature has enabled it to transform into SCADA/ICS malware (BlackEnergy 3).
The Context
As you are aware, the Russian Federation and the Ukraine are engaged in a struggle for the eastern portion of that country. Russia annexed the Crimea from the Ukraine in 2014 (for historical context, Catherine the Great first annexed the Crimea for the Russian Empire in April 1783 and then transferred to the Ukraine 1954) and since then the two nations have been engaged in both cyber warfare and kinetic warfare. To read more about this conflict and the SCADA cyber warfare element read this excellent article.
On the evening of Dec 23, 2014, the power in the Western Ukrainian city, Ivano-Frankivsk went out.
About the same time, a second Ukrainian power company, Kyivblenergo, announced it had been hacked. In this case, the hackers disconnected breakers for 30 of its substations and left 80,000 customers without power. In total, over 225,000 people were without power.
Since late 2015, the Russian antagonists have been selectively blacking out regions of the Ukraine in a form of kinetic and psychological warfare against the Ukrainian citizenry. This is the first time in history that an actor in an international conflict has used power outages as an act of warfare. It appears that BlackEnergy 3 was at least in part responsible for this attack and hence our interest here.
What is BlackEnergy?
Originally developed for DDoS attacks, BlackEnergy has gone through three (3) transformations over the last decade. It was BlackEnergy 3 that was used in the Ukraine attack and is the focus of our analysis here.
BlackEnergy 2 appeared in 2010 and with its new emergence it had a new plugin architecture enabling developers to add capability easily. When BlackEnergy 3 was used in 2014, it had new capabilities far beyond those of the original BlackEnergy 1 DDoS tool. These new capabilities included data exfiltration and network monitoring plugins. These new plugins were so sophisticated that they were likely the result of a nation state's development efforts.
At that time the BlackEnergy 3 appeared in the Ukraine it used a vulnerability, CVE-2014-4114 against Microsoft Office 2013, in the OLE packager 2 (packager.dll). This same vulnerability was enumerated as MS14-060 by Microsoft. On Microsoft's Technet Bulletin they characterized the vulnerability as;
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a Microsoft Office file that contains a specially crafted OLE object. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
A reverse engineered exploit for this vulnerability is available in Metasploit as;
exploit/windows/fileformat/ms14_060_sandworm
In this attack, the hacker must send a specially crafted Office document, usually an Excel or Word document. The user must trust the sender and click to allow the macro to run.
The Ukrainian users received a message similar to that below.
To understand how this exploit works, we can delve a bit deeper into how Microsoft OLE works. As you know, Microsoft Office supports execution of macros (thanks to the OLE format) allowing the document’s author to easily embed macros and Visual Basic code that can then get executed by anybody who opens the document.
Malicious actors began abusing this feature many years ago and started to introduce this vector more often, as this approach was increasingly successful. Microsoft then added protection such as the ability to disable macros and any external content by default, and to warn the user when content such as a macro is about to be executed.
The screenshot below shows the Visual Basic code within BlackEnergy 3 as a macro.
The SandWorm Team Attack Sequence
Stage 1
The first stage of the attack was a spearfishing campaign with attached Office documents. The emails appeared to be from officials in the Ukrainian government. When the user opened the attached document and enabled the macro content, the malware immediately connected to the command and control (C & C) server of the attackers (Sandworm). This then allowed the attackers to begin to gather information about the systems and network including localization and keyboard layout.
They apparently then gathered credentials of other systems and the VPN using mimikatz. They then escalated privileges, and pivoted laterally throughout the network.
With the stolen credentials, the Sandworm attackers were able to move unimpeded throughout the network. With this kind of access, they are were able to map the entire network and with the VPN credentials were able to continue to access the network undetected.
Stage 2
In the second stage, they likely hijacked the HMI (Human Machine Interface) to gain access to the SCADA/ICS network. Once inside the SCADA network, they could intercept the tcp-to-serial communication and reverse engineer the firmware of the UPS.
Stage 3
In the third stage, they uploaded the new UPS firmware in order that the operators would be without power, the KillDisk program that wiped out system files and the MBR (Master Boot Record) of key systems disabling them from recovery. They then disconnected 30 substation breakers (apparently simply using the HMI).
The screenshot below shows a static analysis in IDA Pro of the KillDisk API imports.
Stage 4
In the final stage, they executed a voice DDoS attack against the electric utility's help line, thereby delaying the initial awareness and response to the blackouts.
Conclusion and Lessons
The BlackEnergy 3 malware marks the first time in history that an attacker has used power black outs as a form of cyber warfare. The most important lesson to note in this attack is that the malware was NOT designed to exploit vulnerabilities in the SCADA network or systems, but rather the corporate network connected to the SCADA network (this is typical of many SCADA attacks). This only emphasizes the need to isolate and segregate the SCADA network from the business network
Once the attackers had exploited systems within the corporate network they escalated privileges, pivoted laterally to others systems and eventually took control of systems with access to the SCADA network such as the HMI, thereby disabling the substation breakers and causing blackouts.