A destructive cyber attack on power companies in Ukraine last month was an unprecedented event that increases the threat to critical infrastructure around the world, experts say.
Hundreds of thousands of homes lost power just before Christmas in western Ukraine after malicious code infected multiple utility companies. Radio Free Europe/Radio Liberty reports that some experts view the attack as the beginning of a doomsday scenario in which vital institutions—including airports and hospitals—are susceptible to cyber attacks:
Robert Lipovsky, senior malware researcher at ESET, said the incident in Ukraine was “unprecedented” and called it a “dangerous scenario.”
“The alarming aspect of this attack was that the infection vector that the malware was getting in was phishing” — a reference to the practice of gathering sensitive information like passwords or other confidential data, often to cause harm — “mail with a malicious attachment, which is quite a trivial way to get in,” Lipovsk says. “It’s alarming that it was so easy.”
Ukraine power company Prykarpattyaoblenergo reported the power outage on December 23 that left about half of the homes in the Ivano-Frankivsk region, in western Ukraine, without electricity. Similar malware was also found in the networks of at least two other utilities in Ukraine. All three blackouts occurred around the same time.
The Ukrainian Security Service attributed the cyber attack to Russia amid an ongoing conflict between Ukrainian forces and Russian-backed separatists in the eastern part of the country. Cyber security firms said the attack involved BlackEnergy, a malware system previously linked to Russia:
Until now, experts in cybersecurity and law enforcement say BlackEnergy has mainly been used to spy on news organizations, power companies, and other industrial groups. A Moscow-backed group, Sandworm, is suspected of using it for targeted attacks.
Lipovsky says the latest BlackEnergy also includes a covertly planted tool — referred to among experts as a “backdoored secure shell utility” — that gives attackers permanent access to infected computers.
Analysts also raised the possibility that an independent actor capitalized on the Ukraine-Russia conflict to test the malware.