U.S. government cyber security experts officially declared that hackers are to blame for a power outage in Ukraine that affected nearly a quarter million people in the latest significant attack on vulnerable “critical infrastructure.”
“Through interviews with impacted entities, the team learned that power outages were caused by remote cyber intrusions at three regional electric power distribution companies… impacting approximately 225,000 customers,” says a summary of a report from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published Feb. 25. “The cyber-attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks. According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities.”
Private security firms have previously reported that the Dec. 23 blackout was caused by hackers wielding malware including code known as BlackEnergy and KillDisk. Though ICS-CERT confirmed “remote cyber intrusions” were to blame and that BlackEnergy malware was found on the companies’ computers, the role of BlackEnergy in the attack is still under investigation.
Kyle Wilhoit, a Senior Threat Researcher at the cyber security firm Trend Micro who examined the malware, said he believes there’s a high likelihood BlackEnergy was modulated and used to carry out the attack, and then the hackers attempted to cover their tracks with another bit of malware called KillDisk.
The ICS-CERT report acknowledges that its officials were “not able to independently review technical evidence of the cyber-attack” and it does not discuss who is suspected to have perpetrated the attack. Ukraine’s state security service reportedly blamed Russian actors. A representative for the Russian Embassy in Washington, D.C. did not immediately respond to a request for comment for this report.
Questions also linger about what other entities may have been infected by the malicious code. Wilhoit said it appeared a coal mining company and a railroad company in Ukraine were also among the targets – presumably two of the three “other organizations” from “other critical infrastructure sectors” mentioned but not identified in the ICS-CERT report as having been “intruded upon.” ICS-CERT said the operations for those three companies were not impacted by the virus.
Wilhoit, who studies vulnerabilities in industrial control systems around the world, told ABC News that while the hack would’ve been “not incredibly difficult” to pull off in Ukraine, the relatively decentralized nature of America’s power distribution makes such an operation more difficult in the U.S.
“It would require a lot more effort and a lot more coordination from a much larger group, which makes it more difficult because then it’s easier to find,” Wilhoit said.
Still, U.S. officials and experts have been warning about the vulnerability of American “critical infrastructure” for decades, and recent years have seen groundbreaking cyber-attacks on infrastructure, most famously involving a computer worm called Stuxnet that infected an Iranian nuclear plant and physically destroyed centrifuges there.
In 2012, then-Director of the National Security Agency Gen. Keith Alexander said that the nation’s preparedness to deal with a major cyber-attack targeting infrastructure was a three out of 10.
“Somebody who finds vulnerability in our infrastructure could cause tremendous problems,” Alexander said then. “I’m worried most about power. I’m worried about water. I think those are the ones that need the most help.”
Just three years later, however, the Intelligence Community’s 2015 “Worldwide Threat Assessment” suggested that the probability of a serious cyber-attack on American infrastructure had slipped from the top of the cyber threat list.
“Rather than a ‘Cyber Armageddon’ scenario that debilitates the entire U.S. infrastructure, we envision something different. We foresee an ongoing series of low-to-moderate level cyber-attacks from a variety of sources over time, which will impose cumulative costs on U.S. economic competitiveness and national security,” the report says.