Four moves the attackers made to get into the network

Key moves

Step 1: Perimeter Compromise

The network perimeter was compromised via a spear phishing campaign, in which the attackers disguised themselves as legitimate system vendors and members of the government. They sent phishing emails to IT staff and system administrators at the utility companies and employees at targeted companies.

Believing the emails were legitimate, the individual victims opened the emails and the attached Microsoft Office documents, which contained a malicious macro. Though Microsoft Office prompted the users to confirm that they wanted to run the macro, the employees complied because they believed the email was legitimate. As soon as the users ran the malicious macro, the malware installed itself on the users’ machines. The malware immediately installed a RAT, established a connection with its Command and Control (C&C) server and began sending information to the C&C.

At this point, a secondary piece of malware known as KillDisk was installed in a dormant state. This KillDisk malware was capable of overwriting the vast majority of files on all infected systems and rendering each system unbootable. From there, the attackers began the reconnaissance phase of the attack. They used their remote access to log into systems and guess and steal credentials until they eventually captured admin credentials.

Step 2: Lateral Movement and Escalation

Using the compromised admin credentials, the attackers began moving laterally through the IT environment. Because they were masquerading as genuine, authorized users, they were able to stay under the radar of intrusion detection systems. As the attackers moved, they continued to install the KillDisk malware for use at a later time and, where necessary, set up SSH backdoors to ensure persistent remote access.

As the attackers roamed the network, they discovered that the back office workstations used to control the electric breakers could be accessed over an internal VPN. Contrary to best practices, these systems were not air-gapped, and VPN access required only single-factor authentication.

Using compromised credentials, the attackers logged into the VPN to remotely connect to workstations in the control room. For several weeks, the attackers simply watched and learned. They learned how the operators accessed and controlled the systems, and how updates were remotely applied to systems in the field. Prior to the final stages of attack, not only did the attackers continue to spread the KillDisk malware through the IT environment, but they also applied the malware to the grid systems via a firmware update and tested it to make sure that it would work.

Step 3: Attack Execution

When the attack team was ready, the attackers began to execute against their end goal: take down power across Ukraine and disrupt remediation. The attackers took control of workstations in the control room and remotely disabled the mice and keyboards, so that system operators could not intervene if they noticed the takeover.

From the workstations, the attackers logged into the Human Machine Interface (HMI), which served as the UI for controlling the grid systems, and disconnected systems, opened breakers, and shut down electricity at 30 substations. The attackers next disabled backup power supplies to two of the three energy distribution centers. As the power went out across Ukraine, the system operators were left without the ability to take back control of their machines and stop the attack.

Step 4: Proactively Block Remediation Efforts

As the final step, the attackers did their best to prevent a swift remediation of the incident. First, they launched a DDoS attack against the companies’ call centers, overwhelming the phone lines so that customers were unable to reach the power companies to report the outages. The intent was that, if the companies did not notice the machine takeover and detect the attack themselves, customers would also be unable to call in and report the outages. This significantly delayed the time to detection for one of the victim utility companies.

Second, the attackers activated the KillDisk malware that had previously been installed on both the IT systems and the grid systems. In the IT environment, the malware overwrote approximately 40 file types on all infected systems and then wiped the hard drives. In the OT environment, KillDisk was installed and activated on sixteen substations, leaving them unresponsive to remote commands from operators. Without functioning IT or OT systems, the utilities were delayed in remediating the incident and restoring service. To finally get electricity back up and running, utility workers had to drive to the power stations and manually reset the breakers. Even three months after the attack, workers still had to control the breakers manually at the impacted substations.

The role of privilege in this historic cyber attack was significant for three major reasons. First, the attackers were able to guess and capture administrative credentials from infected endpoints. Second, using the compromised, static credentials, the attackers moved laterally throughout the environment, escalated privileges and installed SSH backdoors along the way. This gave them persistent, privileged access to the network, and eventually enabled them to VPN into the OT environment from the IT environment. Finally, using that privileged access, the attackers shut down power systems, corrupted OT systems, and wiped endpoints and servers throughout the IT environment, leaving residents in the dark and leaving power companies with little ability to restore electricity easily.