A power outage in Ukraine appears to have been caused by a cyber attack. Security researchers are currently investigating the incident, which occurred in the eastern part of the country on December 23. It is still uncertain whether the event was indeed caused by a cyber attack, but early indications from investigations by security researchers suggest that it was.
The code that researchers are currently studying is a 32-bit Windows module that appears to be part of a larger program and that references code from other libraries and programs. This suggests that it might be part of, or at least closely related to, other software that targets industrial control networks. There is speculation, for example, that it is related to the work of the group BlackEnergy2, which has been responsible for a number of attacks against industrial control networks. However, such links have not been definitively established.
The malware attempts to wipe itself from the affected system after it does its job, so that forensic experts wouldn’t be able to find it later, but this wasn’t entirely successful, which is why researchers now have something to study. The malware does try to hide the function calls it makes using a very crude obfuscation approach: it simply hyphenates the names of the functions and modules it references. See the code excerpt for an example. This is enough to thwart pattern matching in automated malware analysis tools, but it certainly won’t fool a human investigator. This suggests that the authors of the malware simply wanted it to evade malware detection mechanisms and slip inside the Ukrainian network, and that they weren’t as concerned about whether investigators could see how it works or trace its lineage, perhaps because they believed the malware would be able to wipe traces of itself from the system. The fortunate result for researchers is that they can more easily trace how the malware works and relate it to other known malware that has attempted similar attacks. Relating new suspected malware to what has come before can help attribute responsibility. It can also help organizations establish defenses that cast a wider net.
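To make the detection point concrete, the following is an added example (not code from the article or from the sample it describes) showing why hyphenated names slip past exact-string matching and how an analysis tool can recover them: either normalize the strings before comparing them to a watch-list, or compile a regex that tolerates optional hyphens between characters and run it over the raw dump. The sample strings and the watch-list are constructed for illustration; they are not strings taken from the actual malware.

```python
import re

# Constructed sample strings, modelled on the hyphenation the article describes.
# These are illustrative names, not strings recovered from the real sample.
SAMPLE_STRINGS = [
    "Kernel-32.dll",
    "Create-Remote-Thread",
    "Write-Process-Memory",
    "ws2_32.dll",  # left untouched, for comparison
]

# Constructed watch-list of module and API names a simple scanner looks for.
WATCHLIST = {
    "kernel32.dll",
    "createremotethread",
    "writeprocessmemory",
    "ws2_32.dll",
}


def naive_match(s: str) -> bool:
    """Exact, case-insensitive comparison: what plain pattern matching does."""
    return s.lower() in WATCHLIST


def normalize(s: str) -> str:
    """Strip the inserted hyphens and lower-case the result.

    Underscores are kept because legitimate export names (e.g. ws2_32) use them.
    """
    return s.replace("-", "").lower()


def normalized_match(s: str) -> bool:
    """Compare after normalisation, which recovers the original name."""
    return normalize(s) in WATCHLIST


def tolerant_pattern(name: str) -> re.Pattern:
    """Compile a regex matching `name` with optional hyphens between characters.

    This lets a scanner search a raw string dump directly, without a separate
    normalisation pass, and still catches the unobfuscated spelling.
    """
    return re.compile("-?".join(re.escape(c) for c in name), re.IGNORECASE)


def scan(strings):
    """Return {string: (naive_hit, normalized_hit)} for each input string."""
    return {s: (naive_match(s), normalized_match(s)) for s in strings}


if __name__ == "__main__":
    for s, (naive, norm) in scan(SAMPLE_STRINGS).items():
        print(f"{s:24} naive={naive!s:5} normalized={norm}")
```

The normalization step is deliberately narrow (hyphens only); widening it to strip every non-alphanumeric character would also collapse names such as `ws2_32.dll` and raise false positives, so the transformation should mirror the specific trick being countered.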
Malware that targets critical infrastructure like electric utilities takes a variety of approaches. Some try to flood the targeted network so that SCADA systems can’t communicate conditions to system operators and automatic control mechanisms. Some try to take equipment in and out of service. Some combine actively modifying the system with flooding its communication channels so that it is hard to see the malicious acts as they occur. It is still too early to tell exactly how the Ukrainian system was disrupted, but continued examination of this malware will hopefully reveal both the strategy and the source.