NEW WAVE OF CYBER ATTACKS IN UKRAINE
Marina Krotofil, Lead Security Researcher, Honeywell Industrial Cyber Security Lab
S4x17, Miami, Dec 10 2017


Slide 2

Power failure in Dec 2016 in Kiev, Ukraine

Electrical transmission-level substation Pivnichna (330 kV) suddenly cut off from the main power grid on Dec 17th 2016, at 23:53 (11:53 pm)

Residential areas in the Right Bank area of Kiev and neighboring areas lost power

Power was restored at 01:05 am

Initially both a hacker attack and equipment failure were among the possible causes

Ongoing investigation confirms a cyber incident

We thank the leadership of the IT department of Ukrenergo for supporting us in this talk

Slide 3

About ISSP

Shortly before midnight on December 17, someone started disconnecting circuit breakers through remote means until the electrical substation was completely disabled, Mr. Kovalchuk said. Utility employees re-energized the substation by manually restoring equipment to their “on” positions. Mr. Kovalchuk said he believes the latest attack was well planned because the targeted substation is one of the utility’s most automated.


Slide 4

Timeline of recent cyber-attacks in Ukraine

December 2016

Dates shown on the timeline: Dec 6, Dec 12, Dec 13, Dec 14-15, Dec 16, Dec 17, Dec 20

Affected organizations shown on the timeline:

− Ukrainian Sea Port Authority
− Defense Ministry
− Substation Pivnichna (UkrEnergo)
− Ministry of Finance
− State Treasury Service
− Pension Fund
− State Executive Service
− Ukrainian Railways
− Near-Dnepro Railways
− Ministry of Infrastructure
− Major Internet provider „Volya“
− PFTS Ukraine Stock Exchange

Slide 5

Ukrainian Railways

Information systems and online resources affected:
− Online train ticket selling system
− Automated system for managing freight cars
− Internal information resources (servers)
htt

The attack on the Freight Cars Management System is claimed to be a demonstration maneuver
− The attackers targeted stealing passenger traffic data
− There are concerns about stolen passengers' personal and payment data

Collateral damage due to infrastructural interdependencies:
− Outage of freight cars where needed (interruptions in cargo shipments)
− Manual dispatching of freight cars

Slide 6

General facts

6,500 attacks in the past 2 months
− 5 organizations and 31 information resources
− Remote exploitation and DDoS attacks
− NO maximum damage

Ministry of Finance and State Treasury declared some losses:
− Damage to network equipment
− Loss of 3 TB of data
− Unable to carry out a large number of transactions (typically 150k per day)

SABOTAGE is widely hypothesized as the most likely goal of the hacking campaign
− Destabilization of the overall political and financial situation
− Security professionals believe Ukraine serves as one of the training grounds for hacking R&D

Slide 7

Déjà vu and Jamais vu

Similarly to 2015, the wave of spear phishing started in the month of July (2016)
− Everybody is in a careless summer mood
− Many people on vacation

In contrast to 2015, the attacks grew in sophistication
− New evasive techniques for establishing an initial foothold
− Much more complex and better organized

Similarly to 2015, there are "silence" & recon periods
− The active phase started in December (2016)
− The same old tools are used (from the BlackEnergy framework and alike)

The Security Service of Ukraine (SBU) stated that the recent attacks are similar to last year's attacks on power utilities

Slide 8

We anticipated these attacks

Oct 31, 2016

Friendly visit of ISSP Labs in Kiev, Ukraine

Lab's screen


Slide 9

Thank you and see you in the afternoon

Marina Krotofil
[email protected]
@marmusha