Thanks to James Wyke and Anna Szalay of SophosLabs for doing the hard parts of this article.
You may have read news stories over the New Year’s break about hackers causing power outages in Ukraine, using malware as their primary toolkit for attack.
Ars Technica went as far as to lead with the headline: “First known hacker-caused power outage signals troubling escalation.”
(You may have to read that headline several times: you need to parse signals as a verb, not a noun; and troubling as an adjective, not a verb.)
The article was perhaps a little more circumspect, suggesting that “if confirmed it would be the first known instance of someone using malware to generate a power outage,” but the story is worth learning from nevertheless.
Whether the malware was the cause of an outage, or merely a symptom of a more general security problem, isn’t clear.
The story goes roughly like this:
- Company X receives an Excel file via mail. The file contains macros, which don’t run by default, but if the recipient clicks to allow them, the macros install malware from a family called BlackEnergy.
- BlackEnergy is what is known as a bot or zombie, which calls home to receive instructions from the remote attackers. (The malware name predates any connection with the energy industry.)
- The attackers can then install various additional malware items, such as a data-trashing Trojan called KillDisk, and a hacked copy of the DropBear SSH server that has backdoor “master passwords” programmed into it.
According to security firm ESET, this malware cocktail, or parts of it, appeared at various Ukraine energy companies in December 2015.
And one Ukrainian power company, Прикарпаття Обленерго (Prykarpattya Regional Energy), did blame recent local power outages on remote hackers using malware.
What actually happened can only be guessed at, of course, but if you were to end up with a raft of infected Windows computers inside your electricity distribution control centre, and those computers could be used to manage load and control power connections in your local area…
…then an attacker who could log in remotely (because he knew the secret password for a remote access Trojan you didn’t realise was installed), run commands of his choice, and then zap data on your computers to the point that they would crash and not reboot (because he could run a disk-killing Trojan from afar) would cause considerable disruption.
If he were to turn off power to a region, or a suburb, or even an individual property, that would cause an outage.
If you tried to turn the power connections back on but found you couldn’t do so until after IT had rushed around reimaging the broken computers in your control centre, that might make the outage last hours rather than minutes.
As it happens, the KillDisk Trojan that ESET says was found along with the BlackEnergy malware in Ukraine, is well-equipped to leave your computer a digital mess.
KillDisk includes numerous different data-wiping components, presumably with the intention that if the more serious ones don’t work because your security settings are strict enough, you may nevertheless end up in trouble.
In increasing order of severity, KillDisk has code for each of these:
- Wipe out the Windows event log.
- Delete all Windows Shadow Copy backup files.
- Reinitialise logical volumes with the FORMAT command, as you might when reinstalling your operating system.
- Overwrite all physical sectors (including boot sector, operating system files, swap files, applications and data) on up to 10 hard disks.
The last item really lives up to the name KillDisk, but any of the others are likely to cause significant trouble for you and your IT department, and would put a very serious dent in your day.
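The first three KillDisk stages listed above are noisy: clearing event logs, deleting shadow copies and formatting volumes all leave traces in Windows logging before the destructive final stage runs. The following is an added example, not code from the article, ESET or Sophos, of simple detection logic for those traces. It assumes a constructed, simplified `source|event_id|message` log format modelled on the real Windows events (Security 4688 process creation, Security 1102 and System 104 for cleared logs); the sample lines are constructed, not captured.

```python
import re

# Constructed sample log lines (not from the article), in a simplified
# "source|event_id|message" form modelled on the Windows events that the
# three non-destructive KillDisk stages would leave behind.
SAMPLE_LOG = """\
Security|4688|A new process has been created. New Process Name: C:\\Windows\\System32\\vssadmin.exe, Process Command Line: vssadmin delete shadows /all /quiet
Security|4688|A new process has been created. New Process Name: C:\\Windows\\System32\\notepad.exe, Process Command Line: notepad.exe report.txt
Security|1102|The audit log was cleared. Subject: Account Name: svc_ops
System|104|The System log file was cleared.
Security|4688|A new process has been created. New Process Name: C:\\Windows\\System32\\cmd.exe, Process Command Line: cmd.exe /c format D: /q /y
"""

# Each rule: (name, log source, event id, regex over the message or None).
# Event 1102 (Security) and 104 (System) are themselves the "log cleared" events.
RULES = [
    ("shadow_copy_deletion", "Security", "4688",
     re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)),
    ("event_log_cleared", "Security", "1102", None),
    ("event_log_cleared", "System", "104", None),
    ("volume_format", "Security", "4688",
     re.compile(r"\bformat(\.com)?\s+[a-z]:", re.I)),
]

def match_rules(line):
    """Return the names of the rules that a single log line triggers."""
    source, event_id, message = line.split("|", 2)
    hits = []
    for name, rule_source, rule_id, pattern in RULES:
        if source != rule_source or event_id != rule_id:
            continue
        if pattern is None or pattern.search(message):
            hits.append(name)
    return hits

def scan_log(text):
    """Map each triggered rule name to the number of lines that fired it."""
    counts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        for name in match_rules(line):
            counts[name] = counts.get(name, 0) + 1
    return counts

def wiper_suspected(counts, threshold=2):
    """Flag a host when at least `threshold` distinct stages appear together,
    which is far less likely to be routine admin work than any one of them alone."""
    return len(counts) >= threshold
```

Any single rule firing (an admin clearing a log, say) is weak evidence on its own; several stages on one host in a short window is the pattern worth paging on.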
WHAT TO DO?
- Use email filtering to remove risky attachments as early as possible in the delivery chain.
- Treat unsolicited attachments with great caution.
- Don’t enable Excel or Word macros just because an emailed document tells you to. Doing so is equivalent to downloading and running a program, and clicking through all the warnings, just because an unknown person told you to.
- Consider using Microsoft’s dedicated Word and Excel viewer programs to look at email attachments. Most documents will display just fine, but embedded macros aren’t supported and thus cannot run.
- Use the most recent Windows version you can for added protection against tricks such as physical disk wiping.
- Use web filtering to limit the ability of unknown software to download and install new content, and to block “call home” requests that are likely to be associated with zombie malware.
- Make sure your anti-virus software is up-to-date and that its active protection is turned on (on-access or real-time scanning), so that you can not only detect the presence of malware, but also block it from running in the first place.
SOPHOS PRODUCTS DETECT AND BLOCK THIS MALWARE AS FOLLOWS
- Booby-trapped XLS document: Troj/DocDl-AQE
- BlackEnergy malware installers: Troj/BlackEn-C
- Various BlackEnergy components: Mal/BlackEn-(A,B,C)
- KillDisk and components: Mal/Defkill-A, Troj/Agent-(APPL,APUJ)
- DropBear-based SSH backdoor: Troj/DrpBear-A
(Note that BlackEnergy, KillDisk and the SSH backdoor are independent malware items that could be delivered separately or in combination with other malware, which is why we detect them separately.)
Mark Sitkowski
Really? They used Wintel computers on such a critical system?
Are the people who make these decisions actually that stupid/irresponsible?
Without going all the way, as New Zealand has, and running critical SCADA systems on RS232, the very least a responsible energy company should have done is to run Unix, on a non-Intel CPU, like Sun, IBM, SGI or HP.
Viruses are written for Intel CPUs, and Windows – which is, at best, a catastrophe waiting to happen and, at worst, a game of whack-a-mole which you can’t win.
Sounds to me like their managers made the decisions about system architecture, without consulting the engineers. Of course, that couldn’t happen here, could it?
Paul Ducklin
Why would a 20-year-old Irix workstation be more secure than a well-configured Windows 10 computer on the latest Intel chip? Why is RS232 more secure than TLS over IPv6?
As for “viruses are written for Windows,” you might want to listen to this podcast:
https://nakedsecurity.sophos.com/2015/07/28/malware-on-linux-when-penguins-attack/
Insecure Linux servers are the primary vehicle used by crooks for delivering malware to Windows – so the criticism about “whack-a-mole” applies equally well to both platforms.
Chris Lee Khan
I suggest 36-bit PDP-10 systems under VIROS and apps coded with CORAL-66.
It all existed, once. Trust me, I’m an (old) expert.
mwearl
Mark Sitkowski has a point, though. There needs to be something more proprietary about critical systems than a “well-configured Windows 10 computer”. That’s almost an oxymoron. I would hate to support a Windows environment, connected to the internet, with the kind of target on its back that a public utility has. Between rootkits and code that can literally update firmware to hard drive and network controllers, there are Windows systems that have been infected for years that go undetected.
Paul Ducklin
Really? You’d back yourself to support and secure an internet-connected server running an operating system written in the days when *every* buffer overflow on the stack was an exploitable hole, probably giving you root, when telnet with a password was considered satisfactory security, and when password hashes were one iteration of MD5 if you were lucky, running on hardware that was built 20 years ago, by a company that went bust back in the mists of time (well, before Google, anyway…Google took over a bunch of their buildings :-)…
I think what I am trying to say is that using RS232 with obsolete hardware and a long-dead operating system *just so you don’t have Windows and Intel* is, well, it’s security through obscurity.
I can’t see any other reason why it might *inherently* be more secure. There may be reasons, but then you need to say what they are. “Just being different” is a reason, but it’s not a very good one IMO.