First known hacker-caused power outage signals troubling escalation

Highly destructive malware that infected at least three regional power authorities in Ukraine led to a power failure that left hundreds of thousands of homes without electricity last week, researchers said.
The malware led to "destructive events" that in turn caused the blackout. If confirmed, it would be the first known instance of someone using malware to generate a power outage.

"It's a milestone because we've definitely seen targeted destructive events against energy before—oil firms, for instance—but never the event which causes the blackout," John Hultquist, head of iSIGHT's cyber espionage intelligence practice, told Ars. "It's the major scenario we've all been concerned about for so long."

Researchers from antivirus provider ESET have confirmed that multiple Ukrainian power authorities were infected by "BlackEnergy," a package discovered in 2007 that was updated two years ago to include a host of new functions, including the ability to render infected computers unbootable. More recently, ESET found, the malware was updated again to add a component dubbed KillDisk, which destroys critical parts of a computer hard drive and also appears to have functions that sabotage industrial control systems. The latest BlackEnergy also includes a backdoored secure shell (SSH) utility that gives attackers permanent access to infected computers.

ESET's researchers wrote:
<blockquote>Our analysis of the destructive KillDisk malware detected in several electricity distribution companies in Ukraine indicates that it is theoretically capable of shutting down critical systems. However, there is also another possible explanation. The BlackEnergy backdoor, as well as a recently discovered SSH backdoor, themselves provide attackers with remote access to infected systems. After having successfully infiltrated a critical system with either of these trojans, an attacker would, again theoretically, be perfectly capable of shutting it down. In such case, the planted KillDisk destructive trojan would act as a means of making recovery more difficult.</blockquote>
According to ESET, the Ukrainian power authorities were infected using booby-trapped macro functions embedded in Microsoft Office documents. If true, it's distressing that industrial control systems used to supply power to millions of people could be infected using such a simple social-engineering ploy. It's also concerning that malware is now being used to create power failures that can have life-and-death consequences for large numbers of people. 

Technical details can be found in this post

Sometimes reality moves faster than we would like. The information does not yet appear to be fully confirmed. If it holds up, we have reached a new level of escalation. The corresponding warnings have been around for a long time, and they are mostly dismissed and played down, as happened after the 32C3 lecture "Wie man einen Blackout verursacht" (How to cause a blackout). Yes, it is still not easy to cripple a power supply system through cyber attacks. But should it succeed, the effects could be very long-lasting, and restoring the infrastructure could take considerably longer than in the novel "Blackout - Morgen ist es zu spät" by Marc Elsberg.

See also, for example