Anatomy Of A Computer Network Attack (CNA) – Part 1

May 27, 2020 137 Comments

It was December the 23rd of 2015 when, nearly instantly, over 220,000 people in the Ukraine sat in the dark. While the power outage only lasted for 6 hours for a few people at most, it was the first known successful cyber attack on a power grid.

What actually happened on December 23, 2015 and in the weeks, months, or even years leading up to the attack? While there are still many unknowns and broad estimates to this day, it is known that it was not just a ‘regular’ cyber attack. It was a complex operation that had been planned over a long period of time and was executed meticulously, which makes it a perfect example of how real world threat modeling works.

While there are several things that paved the way to what resulted in 30 power substations being shut down, the main attack was on an Industrial Control System (ICS) via the SCADA bus. Now you might ask yourself: what is SCADA? SCADA stands for 'Supervisory Control and Data Acquisition' and it is simply a subset of the more complex overlying ICS. SCADA takes data from many different sensors and other sources and puts them in a form you can work with. It also gives you options on how to interact and supervise these systems. In this case, SCADA-controlled circuit breakers in the power substations. Maybe a few of you reading this now are thinking: “Just reset the breaker, problem solved”, while this is true in reality, it is of course not that simple.

Why is it not that simple? Because it was a very well planned, multi vector attack. To really understand how big this thing actually was we need to move back in time. The attackers actively started conducting phishing attacks as early as May 2014, 1.5 years before the attack itself happened. By March 2015 the phishing, spear-phishing to be exact, reached their peak. How did they actually do it? They exploited the human need for closure. The Donbass conflict, still ongoing today, started following the annexation of the Crimea peninsula by Russia in early 2014 and was still going strong in 2015. The attackers sent out a weaponized fake spreadsheet with names drafted for service a day or two before they officially were published.

How did this work? They used VBA, Visual Basic For Applications, a version of Microsoft's Visual Basic programming language as their attack delivery system. While VBA is widely known to be extremely insecure and exploitable, it is still in use today even though it was declared ‘legacy’ in 2008. Simply speaking it is no longer maintained by the vendor. So why was it still there in 2014 and 2015? There is no answer to this question other than out of date software is still used on more systems than you could think of. And it has always been done this way. The key takeaway here is to patch your software and only use software that is still maintained and updated by the vendor/developer.

They used an exploit based in VBA as a dropper for their main malware. A dropper is simply a piece of malware that is designed to install the malware/virus after it has been deployed. This is one of the crucial points in the entire attack operation, the attackers established their bridgehead inside the network of the electricity provider via the “BlackEnergy 3” malware. From this point on, the attackers were “in” and so began months of internal reconnaissance and lateral movement inside of the electricity providers network.

Lets take a closer look at this piece of malware that goes under the mysterious name of ‘BlackEnergy 3’ (BE3). As you would have guessed there was a ‘BlackEnergy 1’ and ‘BlackEnergy 2 ‘ prior to BE3 but I don’t wanna go too much in detail here on those. BE3 popped up for the first time in 2014. It is a rootkit that has very extensive capabilities ranging from simply downloading and executing other malicious code on the computer, to coming with a set of specific plugins. These plugins allow all kinds of things you would need for digital reconnaissance and exploitation from inside the system like keylogging, remote desktop viewing capabilities, extracting information of all kinds from the host system as well as the network the host is connected to and of course the ability to spread itself laterally throughout the hosts network and infect other systems. Also the option to just plainly destroy the system via various means.

The attackers started to collect data important to them. They mapped the entire network structure and harvested passwords and credentials to access all kinds of systems via simple keylogging and the collection of local data like User Tokens for example. They identified key IT- , as well as ICS targets they needed to take control of.

This is the end of Stage 1 of the attack operation. In the next part of the article we will be taking a look on how the attack itself actually happened, how it could have been way worse than it actually was and what measures could have been taken to prevent this or defend infrastructure better.