(Cyberwar.news) An investigation by U.S. intelligence agencies has found that the December hack of a Ukrainian power grid was highly sophisticated and well-coordinated, The Associated Press is reporting.
The report, released last week, provides a detailed analysis of one of the first uses of cyberspace to successfully take a portion of a country’s power grid offline for a period of time. The strike, which was planned well, affected power for some 225,000 people and affected three regional electronic power distribution companies within 30 minutes of each other on Dec. 23.
An attack on the power grid has long been a major concern for U.S. government and private sector power officials. In recent months U.S. Cyber Command chief and head of the National Security Agency, Adm. Michael Rogers, has warned that hacker will eventually target the U.S. power grid as well.
The U.S. government report notes that the impacted Ukrainian power centers still “run under constrained operations” more than two months after the cyber attack. Also, the report states that three other organizations – some related to unspecified Ukrainian “critical infrastructure” – have also likely been attacked but did not suffer as much damage or disruption.
Previously, U.S. and Ukrainian officials have said they suspect Russia was behind the December cyberattack in Ukraine.
Following the hack, the Obama administration sent a team of U.S. cyber officials including members of the Department of Homeland Security, Department of Energy and the FBI to Ukraine to work with that government and glean lessons with an aim of preventing future attacks.
The U.S. group did not review technical evidence from the attack independently, the AP noted, but members talked to Ukrainian officials and performed other investigative tasks in order to analyze and what they believe was a highly advanced cyber assault.
The AP noted further:
The hackers appeared to conduct “extensive reconnaissance of the victim networks,” possibly by first using malware introduced via phony “phishing” emails to snag usernames and passwords to access the facility remotely and hit their circuit breakers.
At the end of the attack, hackers wiped targeted files on some of the systems at the three electrical companies using malware called “KillDisk,” which also rendered the system inoperable.
In addition, hackers tried to disrupt subsequent power restoration efforts, in part by keeping important Internet services inoperable by remotedly shutting down “uninterruptable power supplies” that keep computers running even during a blackout.
Each company that was affected reported that their systems were infected with a malware known as “BlackEnergy,” though investigators are still trying what role, if any, the malware played in the cyberattack.