Ukrainian Critical Infrastructure Cyber Attack exposed

IR-ALERT-H-16-043-01AP Cyber-attack Against Ukrainian Critical Infrastructure

Page Count: 17 pages
Date: March 7, 2016
Restriction: For Official Use Only, TLP: Green
Originating Organization: Department of Homeland Security, National Cybersecurity and Communications Integration Center
File Type: pdf
File Size: 377,931 bytes
File Hash (SHA-256): 9207B47EF264A33335357A7FD5ACCE908D6D0963D73327EF97DEF84AB6F431C7

Download File

This alert update is a follow-up to the original NCCIC/ICS-CERT Alert titled IR-ALERT-H-16-043-01P Ukrainian Power Outage Event that was published February 12, 2016, on the US-CERT secure Portal library.

——— Begin Update A Part 1 of 2 ——–

On December 23, 2015, Ukrainian power companies (Oblenergos) experienced an unprecedented cyber-attack causing power outages,which impactedover 225,000 customers in Ukraine. These attacks were conducted by remote cyber-attackers who, leveraging legitimate credentials obtained via unknown means, remotely operated breakers to disconnect power. While power has been restored, all the impacted Oblenergos continue to run under constrained operations. In addition, three other organizations, some from other critical infrastructure sectors, were also intruded upon but did not experienceoperational impacts. There have been public reports that indicate BlackEnergy (BE) malware was responsible for the attack. However,National Cybersecurity and Communications Integration Center (NCCIC)/Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) does not have sufficient supporting evidenceto confirm the role of BE but continues to conduct further analysis. If BE played a role, it was most likely in the reconnaissance and preparatoryphases, not during the actual attack. Many malware implants could have conducted this activity.

This incident highlights the urgent need for critical infrastructure owners and operators across all sectors to implement enhanced cyber measures that reduce risks from the following types of adversary techniques:

• Theft of legitimate user credentials to enable access masquerading as approved users,
• Leveraging legitimate remote access pathways (VPNs),
• The remote operation of human-machine interface (HMI) via company installed remote access software (such as RDP, TeamViewer or rlogin)
• The use of destructive malware such as KillDisk to disable industrial control systems (ICSs) and corporate network systems
• Firmware overwrites that disable/destroy field equipment
• Unauthorized scheduled disconnects of uninterruptable power supplies (UPS) to devices to deny their availability
• The delivery of malware via spear-phishing emails and the use of malicious Microsoft Office attachments
• Use of Telephone Denial of Service (TDoS) to disrupt operations and restoration.

This report is being shared for situational awareness and network defense purposes. ICS-CERT strongly encourages organizations across all sectors to review and employ the mitigation strategies and detection mechanisms contained within this report.


An interagency team composed of representatives from the NCCIC/ICS-CERT, U.S. Computer Emergency Readiness Team (US-CERT), Department of Energy,Federal Bureau of Investigation, and the North American Electric Reliability Corporationtraveled to Ukraine to collaborate and gain more insight. The Ukrainian government worked closely and openly with the U.S. team and shared information to help prevent future cyber-attacks.

The following account of events is based on the interagency team’s interviews with operations and information technology staff and leadership at six Ukrainian organizations with first-hand experience of the event. The team was not able to independently review technical evidence of the cyber-attack; however, a significant number of independent reports from the team’s interviews, as well as documentary findings, corroborate the events as outlined below.

Through interviews with impacted entities, the team learned that power outages Ukraine experienced on December 23, 2015, were caused by remote cyber-attacks at three regional electric power distribution companies (Oblenergos), impacting approximately 225,000 customers. While power has been restored, all the impacted Oblenergos continue to run under constrained operations. In addition, three other organizations, some from other critical infrastructure sectors, were also intruded upon but did not experience operational impacts.

The team assesses that the attacks against the Oblenergos demonstrated some Tactics, Techniques, and Procedures (TTPs) that,while previously known, have not been previously observedin an actual cyber-attack. The cyber-attacks were reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks.

After gaining a foothold in the victim networks, attackers acquired legitimate credentials and leveraged valid remote access pathways to conduct their attack.The physical impact events of the cyber-attacks launched within 30 minutes of each other, impacting multiple central and regional facilities. Over 50 regional substations experienced malicious remote operation of their breakers conducted by multiple external humans. This was done using either existing remote administration tools at the operating system level or remote ICS client software via virtual private network (VPN) connections.

All three impacted companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack. The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. It was further reported that in at least one instance, Windows-based HMIs embedded in remote terminal units were also overwritten with KillDisk. The actors also rendered Serial-to-Ethernet devices at substations inoperable by corrupting their firmware. In addition, the actors interrupted power to some data centers through scheduled power outages on server UPS via the remote management interface. The team assesses that these actions were done in an attempt to interfere with expected restoration efforts.

Initial intrusion appears to have been through malware,which was delivered via spear-phishing emails with malicious Microsoft Office attachments.While it has not been confirmed with technical artifacts, it is probable that the two events are related. While the cyber-attack has been widely attributed to BE in the open press, any remote access trojan could have been used in these attacks, and none of BE’s unique capabilities were leveraged. At this time,no definitive link can be drawn between the outage and the presence of the BEmalware, however analysis is ongoing.

Indicator Type
mail.baggins.biz Domain
mx01.24.7h.com Domain
SRV-EXMB01.kpb.ua Domain
Received: from SRV-EXMB01.kbp.ua ( by SRV-EXMB01.kbp.ua (
with Microsoft SMTP Server (TLS) id 15.0.712.22 via Mailbox Transport; Wed, 4 Mar 2015 18:59:59 +0000
Received: from SRV-EXCA02.kbp.ua ( by srv-exmb01.kbp.ua ( with Microsoft SMTP Server (TLS) id 15.0.712.22; Wed, 4 Mar 2015 18:59:57 +0000 Received: from [subdomain].[domain].[tld] (X.X.X.X) by SRV-EXCA02.kbp.ua ( with Microsoft SMTP Server id 15.0.712.22 via Frontend Transport; Wed, 4 Mar 2015 18:59:57 +0000
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CeBACIVfdU/0P4lQXOEgECAgE
X-IronPort-AV: E=Sophos;i=”5.09,689,1418083200″; d=”pps’32,48?mf’32,48?exe’32,48,96?scan’32,48,96,32,96,48,208,245,217″;a=”574775″
Received: from mail.baggins.biz ([XXX.XXX.XXX.XXX]) by [subdomain].[domain].[tld] with SMTP; 04 Mar 2015 18:59:53 +0000
Email Header Information IP Address IP Address IP Address IP Address IP Address IP Address IP Address IP Address
C:\Users\{user}\AppData\Local\_FONTCACHE.DAT Malicious File location
c:\Users\{user}\AppData\Local\FONTCACHE.DAT Malicious File location
C:\Users\{user}\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\flashplayer.exe Malicious File location
C:\Users\{user}\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\flashplayerapp.exe Malicious File location
C:\Windows\System32\drivers\acpipmi.sys Malicious File location
c:\windows\system32\drivers\adpu320.sys Malicious File location
c:\windows\system32\drivers\adpu320.sys (BlackEnergy) Malicious File location
C:\WINDOWS\Temp\Dropbear Malicious File location
148.25182.21/Microsoft/Update/KS4567890.php Malicious URL Malicious URL
XXX.XXX.XXX.XXX/Microsoft/Update/KS1945777.php Malicious URL
hxxp://XXX.XXX.XXX.XXX/fHKfvEhleQ/maincraft/derstatus.php Malicious URL
hxxp:// Malicious URL
hxxp:// Malicious URL
hxxp://XXX.XXX.XXX.XXX /Microsoft/Update/KC074913.php Malicious URL
hxxps:// Malicious URL
hxxps://XXX.XXX.XXX.XXX /Microsoft/Update/KS1945777.php Malicious URL
hxxps:// Malicious URL
hxxps:// Malicious URL
hxxps:// Malicious URL
hxxps:// Malicious URL
hxxps://XXX.XXX.XXX.XXX /Microsoft/Update/KC074913.php Malicious URL
hxxps://XXX.XXX.XXX.XXX /Microsoft/Update/KS1945777.php Malicious URL
hxxps://XXX.XXX.XXX.XXX /fHKfvEhleQ/maincraft/derstatus.php Malicious URL
DropBear.exe Malware Variant Observed
Pnote_o.exe Malware Variant Observed
Pservice_PPD.exe Malware Variant Observed
Starter.exe Malware Variant Observed
tsk.exe (PC) Malware Variant Observed
tsk2.exe (server) Malware Variant Observed
vba_macro.exe (SHA-1:4C424D5C8CFEDF8D2164B9F833F7C631F94C5A4C Malware Variant Observed
Win32/Kill Disk.NBD Malware Variant Observed
Win32/Rootkit.BlackEnergy.BF trojan Malware Variant Observed
Java/TrojanDropper.Agent.BB trojan Malware Variant Observed