Ukraine at D+48: A look at a thwarted grid hack.
Apr 13, 2022

Russia continues artillery strikes and cyberattacks as it prepares for a renewal of its ground offensive in the Donbas. 


The UK's Ministry of Defence this morning offered an appreciation of General Dvornikov's appointment to command Russian forces in Ukraine. "Russia’s appointment of Army General Alexander Dvornikov as commander of the war in Ukraine represents an attempt to centralise command and control. An inability to cohere and coordinate military activity has hampered Russia’s invasion to date. Like many senior Russian Generals, Dvornikov has previous command experience in Syria. Furthermore, since 2016 he has commanded Russia’s Southern Military District bordering Ukraine’s Donbas region. Russian messaging has recently emphasised progressing offensives in the Donbas as Russia’s forces refocus eastwards. Dvornikov’s selection further demonstrates how determined Ukrainian resistance and ineffective pre-war planning have forced Russia to reassess its operations."

That emphasis on the Donbas is a departure from prewar planning, driven by the invasion's failure in the north of Ukraine. The MoD yesterday offered a terse rebuttal of President Putin's claim that his war against Ukraine was going according to plan: "The Kremlin says [its] war in Ukraine is going to plan. But it's not. Russia's plan is failing." As evidence the MoD cites "at least six Russian generals" killed in action, instances of Russian troops turning on their commanding officers, 2,151 vehicles, artillery pieces, or aircraft "damaged, abandoned, destroyed or captured" (more than three times the rate of comparable Ukrainian losses), the forced retreat of Russian forces into Russia and Belarus, and Russian aircraft lost to friendly fire. All armies face friction in real war, but Russia's record goes well beyond the normal difficulties, and little seems to have gone according to plan.

Industroyer2 and Ukraine's power grid.

The GRU's attempt against the Ukrainian power grid appears to be the cyberattack most people were expecting back in February, especially because of the way it tracked earlier GRU takedowns of sections of Ukraine's power grid. It also appears to have failed, and that failure may be attributed in part to successful Ukrainian defenses as well as to the methods Russia chose to use. In cyberspace as well as on the ground, Ukraine appears to have proved a tougher opponent than Russia expected.

In the December 2015 attacks, the GRU's Sandworm unit pivoted into the grid via spearphishing emails that carried BlackEnergy malware as their payload; the outages induced then lasted up to six hours. The 2016 attack against Ukraine's grid used Industroyer malware (also called Crashoverride), and an updated version, Industroyer2, was used in this month's attempt. ESET, which provided some of the initial response to the attacks, did not speculate on how the GRU gained access to the systems it hit, but the Record cited CERT-UA as saying that the attackers moved laterally between different network segments "by creating chains of SSH tunnels." While the overall effect of the recent attempt on the grid may have been negligible, reports obtained by MIT Technology Review indicate that the attack did succeed in taking some electrical substations offline.
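A chain of SSH tunnels (for example, `ssh -J` or stacked `-L` forwards) leaves a trace at every hop: each intermediate host records an accepted login whose source is the previous hop, and the next hop records a login whose source is that host. The detector below, an added illustration and not code from CERT-UA, ESET or the original page, rebuilds those hop sequences from standard `sshd` "Accepted" lines. The host-to-IP inventory, the host names and every log line are constructed for the example; a real deployment would read the inventory from a CMDB and the lines from syslog.

```python
"""Rebuild multi-hop SSH login chains from sshd 'Accepted' lines (constructed sample data)."""
import re
from datetime import datetime, timedelta

# Standard syslog-prefixed sshd line:
# "<Mon> <day> <HH:MM:SS> <host> sshd[pid]: Accepted <method> for <user> from <ip> port <n> ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2"
)

# Constructed inventory: which internal host owns which IP (assumption, not from the page).
HOST_IP = {
    "bastion": "10.10.1.5",
    "hmi-01": "10.10.2.20",
    "eng-ws": "10.10.3.9",
    "rtu-gw": "10.10.4.1",
    "fileserver": "10.10.5.5",
}

# Constructed log lines: one four-hop chain plus two ordinary single logins.
SAMPLE_LOG = """\
Apr 8 02:10:05 bastion sshd[2311]: Accepted publickey for ops from 203.0.113.7 port 50122 ssh2
Apr 8 02:11:40 hmi-01 sshd[1187]: Accepted password for ops from 10.10.1.5 port 40211 ssh2
Apr 8 02:13:02 eng-ws sshd[4402]: Accepted password for admin from 10.10.2.20 port 39080 ssh2
Apr 8 02:14:19 rtu-gw sshd[991]: Accepted password for admin from 10.10.3.9 port 48122 ssh2
Apr 8 03:40:00 hmi-01 sshd[1203]: Accepted publickey for ops from 10.10.9.100 port 41000 ssh2
Apr 8 02:12:00 fileserver sshd[777]: Accepted publickey for backup from 10.10.9.100 port 41500 ssh2
""".splitlines()


def parse(lines, year=2022):
    """Return (timestamp, host, user, source_ip) tuples sorted by time. Syslog omits the year."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["user"], m["src"]))
    events.sort()
    return events


def find_chains(events, host_ip, window=timedelta(minutes=10), min_hops=3):
    """Link each login to the most recent earlier login INTO the host it came from.

    A login to B from A's IP, shortly after a login to A, is one hop of a chain.
    Chains of at least `min_hops` hops are returned as host lists, origin first.
    """
    ip_host = {ip: h for h, ip in host_ip.items()}
    preds = {}  # event index -> index of the login that preceded it on the previous hop
    for i, (ts, _host, _user, src) in enumerate(events):
        src_host = ip_host.get(src)
        if src_host is None:  # source is not an inventoried host: start of a chain
            continue
        for j in range(i - 1, -1, -1):
            pts, phost, _, _ = events[j]
            if ts - pts > window:
                break
            if phost == src_host:
                preds[i] = j
                break

    tails = set(range(len(events))) - set(preds.values())  # logins nobody hopped on from
    chains = []
    for i in sorted(tails):
        path, k = [], i
        while True:
            _, host, _user, src = events[k]
            path.append(host)
            if k not in preds:
                path.append(ip_host.get(src, src))  # origin: host name or raw IP
                break
            k = preds[k]
        path.reverse()
        if len(path) - 1 >= min_hops:
            chains.append(path)
    return chains


if __name__ == "__main__":
    for chain in find_chains(parse(SAMPLE_LOG), HOST_IP):
        print(" -> ".join(chain))
```

On the constructed sample this reports a single chain, `203.0.113.7 -> bastion -> hmi-01 -> eng-ws -> rtu-gw`; the two logins from the uninventoried 10.10.9.100 are left alone. The window and hop threshold are tuning knobs: a two-hop path through a bastion is normal, a four-hop path ending at an OT gateway is what CERT-UA's description should make an operator go and look at.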

Lorri Janssen-Anessi, Director of External Cybersecurity Assessments at BlueVoyant, commented on the significance of the GRU's attempt on Ukraine's power grid:

"The reported cyberattack on the electricity grid only serves to highlight a long-standing reality; organizations that have substantial gaps in their cyber defense capabilities are operating at risk, and when the threat landscape changes, as it has now, we become more aware of the vulnerabilities that we have carried for some time. In addition, the reported attack highlights that when threat actors attack critical sector infrastructure the results could be actual damage and human harm. Cyber attacks with physical effects are unfortunately becoming a tool in the war arsenal.

"Energy and critical infrastructure have faced attacks in the past that can have far-reaching effects, including some attacks allegedly linked to Russia or Russian cybercriminals, such as the Colonial Pipeline ransomware attack. The energy sector has specific vulnerabilities, such as a complex infrastructure that often involves physical and cyber-infrastructure across many countries, suppliers and distributors, the need to run 24/7 with no downtime, and being a high-profile target. The energy industry is already on alert, but must use the current climate to once again take a hard look at its internal and external attack surface.

"The best thing security leaders can do now is to identify and remediate any high-priority vulnerabilities and ensure you have resources to detect, mitigate, and remediate if an attack does occur. Security leaders should also understand that partner assets in the area of potential hostilities may fall victim to degradation, either from targeted cyber activity or physical destruction of carrier equipment. Understanding your own capacity, and that of the partners you rely on, is critical to ensuring business continuity. From a medium and long-term perspective, enterprises need to become more proactive than reactive and make cybersecurity a priority from the ground level to the board."

Padraic O'Reilly, DoD & Critical Infrastructure Advisor and Co-Founder of the cybersecurity risk management firm CyberSaint, wrote to point out the importance of not dropping one's guard, since this threat will be here for the foreseeable future:

"The incident prevented in Ukraine is an international reminder that most critical infrastructure is unable to maintain a "Shields Up" approach or environment for the long term. As these new attacks come out into the public forum, operators should be aware of the TTPs for this particular Sandworm group, which include spear phishing and malware. Through user training and alerts, as well as monitoring endpoints and networks, operators need to keep a close eye on this one. At a moment where transparency is paramount across all areas of critical infrastructure, boards and operators should be letting key stakeholders know how they are handling this issue."

Chris Grove, CISSP, NSA-IAM, Dir. Cybersecurity Strategy at Nozomi Networks, points to evidence that the attackers had "intimate knowledge" of the systems against which they were working:

“The nature of this attack is one that everyone in the international critical infrastructure community should note, as it's one of a handful of attacks that has directly hit OT systems. According to Nozomi Networks Labs, there have been reports of some hardcoded IPs in the malware sample, which is an indication that the threat actors had intimate knowledge of the environment they were deploying this in. Much like the similar malware that Sandworm deployed in Ukraine in 2016, ICS operators must monitor their networks for any strange activity, as Russian tactics prove to sit in environments for weeks to months before executing these attacks.”
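Hardcoded target addresses are the kind of indicator Grove describes, and they are cheap to look for: a binary built for one victim's OT network tends to carry that network's RFC 1918 addresses as string literals. The script below is an added example, not Nozomi's or the page's code, and makes no claim about what Industroyer2 actually contains; it scans an arbitrary byte blob for dotted-quad literals stored either as ASCII or as UTF-16LE (how Windows binaries commonly hold configuration strings), discards lookalikes such as version strings and out-of-range octets, and labels what remains. The sample blob, every address in it, and the IEC-104 port number are constructed for the example.

```python
"""Extract hardcoded IPv4 literals from a binary blob and flag internal (RFC 1918) targets."""
import ipaddress
import re

# ASCII dotted quad, not preceded or followed by another digit or dot,
# so "3.1.4.1.5" (five octets) and "1.2.3.4.5" never yield a partial match.
ASCII_IP = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# The same shape encoded as UTF-16LE: every ASCII character is followed by a NUL byte.
WIDE_IP = re.compile(rb"(?:\d\x00){1,3}(?:\.\x00(?:\d\x00){1,3}){3}")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for a malware sample: PE-ish header bytes, a version string,
# an IEC-104 target (port 2404) in ASCII, an invalid quad, a UTF-16LE address and a URL.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"ver 3.1.4.1.5 build\x00"
    + b"connect 10.82.40.105:2404\x00"
    + b"999.1.2.3 is not an address\x00"
    + "172.16.5.20".encode("utf-16-le") + b"\x00\x00"
    + b"http://203.0.113.55/cfg\x00"
    + b"192.168.1.1\x00"
)


def extract_ips(blob):
    """Return the syntactically valid IPv4 addresses found in `blob`, sorted."""
    candidates = {m.group().decode("ascii") for m in ASCII_IP.finditer(blob)}
    candidates |= {m.group().decode("utf-16-le") for m in WIDE_IP.finditer(blob)}
    valid = []
    for text in candidates:
        try:
            valid.append(ipaddress.ip_address(text))
        except ValueError:  # e.g. an octet above 255
            continue
    return sorted(valid)


def classify(ip):
    """Internal addresses point at the victim's own network; public ones at C2 or decoys."""
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return "special"
    return "public"


def report(blob):
    """Map each extracted address to its classification."""
    return {str(ip): classify(ip) for ip in extract_ips(blob)}


if __name__ == "__main__":
    for addr, kind in report(SAMPLE_BLOB).items():
        print(f"{addr:16} {kind}")
```

Three RFC 1918 literals plus one public one coming out of a single sample is exactly the shape that should prompt the question Grove raises: how did the developer know those addresses? The answer is usually weeks of prior access, which is why the hunt has to start well before the payload lands.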

Update on last week's distributed denial-of-service attack against Finland.

Security Scorecard has published a study of the distributed denial-of-service (DDoS) attack against Finnish government sites last Friday. The incident coincided with Ukrainian President Zelenskyy's address to Finland's parliament and came during a period of speculation that Finland is preparing to apply for NATO membership.

The researchers attribute the DDoS attack to the Zhadnost ("Greed," in Russian) botnet, which they had observed in attacks against Ukraine in late February and early March. Security Scorecard says it has identified some 350 bots, most of them located in Bangladesh and a range of African countries. "The majority of the bots are MikroTik routers, running various MikroTik services, or devices running Squid Proxy and vulnerable Apache web servers," the report says. Attribution is, as usual, difficult and heavily circumstantial, but Security Scorecard assesses, "with moderate confidence," that Russian units or some threat actor aligned with Russian interests were responsible for the attack. The consequences of the attack were temporary and not particularly damaging, but the researchers add that subsequent attacks might be more consequential. If one were to bet on form, one would expect the next move from the "Russian cyber threat actor playbook" to include deployment of wiper malware.

Anonymous claims to have doxed Russia's Ministry of Culture.

The hacktivist collective, which is working in sympathy with if not under the direction of Ukraine, has released 446 GB of data to the DDoSecrets dump site, emails for the most part. According to HackRead, Anonymous claims now to have hit the following Russian organizations during Russia's war against Ukraine: Forest, Aerogas, VGTRK, Petrofort, Mosekspertiza, Marathon Group, Capital Legal Services, the Tver Governor’s office, the Blagoveshchensk City Administration, the aforementioned Ministry of Culture of the Russian Federation, and the Russian Orthodox Church's Department for Church Charity and Social Service.