Interview

Lights out over Ukraine

Hackers were most likely behind a power outage that affected 700,000 people in western Ukraine in December 2015. What actually happened?

Technologist spoke to Erik de Jong, head of Security Incident Response at Fox-IT, a cybersecurity firm in the Netherlands

Technologist: Was this really a cyberattack?

Erik de Jong: Yes, it looks like it was a targeted attack, in which someone deliberately caused multiple power outages. Sources indicate it was a combination of malware [malicious software] used to enter the network, a denial-of-service attack
to prevent customers from reporting power outages and malware designed to wipe out systems. The systems were no longer able to produce the right amount of power, causing the outage. There’s a 90% chance that the attack made use of an unsuspecting bystander: an employee who clicked on an infected attachment or who was lured to a website that damaged the system.

T. What are the weaknesses of the Ukrainian electricity-supply network?

E. J. We’re talking about an infrastructure made up of hundreds or thousands of machines that need to communicate  with each other, so that is a weakness in itself. If you manage to compromise the office network, it’s usually not that difficult  to jump into the production network. This is not particular to the Ukrainian situation – it’s a generic weakness.

cybersecurity hackers malware computer fullwidth - Lights out over Ukraine

T. Could such an attack occur anywhere in Europe?

E. J. If a determined attacker has enough time and resources, he can do this anywhere in the world. Even if different software is involved, and electricity systems are newer, it’s very hard to secure infrastructures well enough to keep out a determined attacker.

T. How difficult is it to trace the origins of such an attack?

E. J. It’s hard because there are many ways on the Internet to hide your tracks. You could look at which malware is being used or when the attacker is active, but a hacker could mislead you with false clues. Having said that, the malware thought to have been used in this attack is called Black Energy, and a number of experts believe it is of Russian origin.

Erik de Jong (head of Security Incident Response at Fox-IT)