Anatomy Of A Computer Network Attack (CNA) – Part 1

May 27, 2020

On December 23, 2015, over 220,000 people in Ukraine found themselves sitting in the dark almost instantly. While the power outage lasted 6 hours at most, and that only for a few people, it was the first known successful cyber attack on a power grid.

What actually happened on December 23, 2015, and in the weeks, months, or even years leading up to the attack? While there are still many unknowns and broad estimates to this day, it is known that it was not just a ‘regular’ cyber attack. It was a complex operation that had been planned over a long period of time and was executed meticulously, which makes it a perfect example of how real-world threat modeling works.

While several things paved the way for what resulted in 30 power substations being shut down, the main attack was on an Industrial Control System (ICS) via the SCADA bus. Now you might ask yourself: what is SCADA? SCADA stands for 'Supervisory Control and Data Acquisition', and it is simply a subset of the more complex overlying ICS. SCADA takes data from many different sensors and other sources and puts it into a form you can work with. It also gives you options for interacting with and supervising these systems; in this case, the SCADA-controlled circuit breakers in the power substations. Maybe a few of you reading this are now thinking: “Just reset the breaker, problem solved.” While this is true, in reality it is of course not that simple.

Why is it not that simple? Because it was a very well planned, multi-vector attack. To really understand how big this thing actually was, we need to move back in time. The attackers actively started conducting phishing attacks as early as May 2014, 1.5 years before the attack itself happened. By March 2015 the phishing, spear-phishing to be exact, reached its peak. How did they actually do it? They exploited the human need for closure. The Donbass conflict, still ongoing today, started following the annexation of the Crimea peninsula by Russia in early 2014 and was still going strong in 2015. The attackers sent out a weaponized fake spreadsheet with the names of people drafted for service a day or two before those names were officially published.

How did this work? They used VBA (Visual Basic for Applications), a version of Microsoft's Visual Basic programming language, as their attack delivery system. While VBA is widely known to be extremely insecure and exploitable, it is still in use today even though it was declared ‘legacy’ in 2008. Simply put, it is no longer maintained by the vendor. So why was it still there in 2014 and 2015? There is no answer to this question other than that out-of-date software is still used on more systems than you would think, and that it has always been done this way. The key takeaway here is to patch your software and only use software that is still maintained and updated by the vendor/developer.

They used a VBA-based exploit as a dropper for their main malware. A dropper is simply a piece of malware that is designed to install the malware/virus after it has been deployed. This is one of the crucial points in the entire attack operation: the attackers established their bridgehead inside the network of the electricity provider via the “BlackEnergy 3” malware. From this point on, the attackers were “in”, and so began months of internal reconnaissance and lateral movement inside the electricity provider's network.
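From the defender's side, a spreadsheet that carries a VBA project can be flagged at the mail gateway before anyone opens it. The Python below is an added example, not code from the original article or from the incident; the function names, verdict strings and sample files are constructed for illustration, and the legacy-format check is a byte-marker heuristic rather than a full OLE parse.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")        # legacy .xls/.doc container
# OLE directory entry names are UTF-16LE, so the VBA storage name is visible.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
OFFICE_EXT = (".xls", ".xlsx", ".xlsm", ".doc", ".docx", ".docm")


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean' or 'unknown' (hypothetical verdict names)."""
    if data.startswith(OLE_MAGIC):
        # Heuristic: a production gateway would walk the OLE directory instead.
        return "macro" if OLE_VBA_MARKER in data else "clean"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = [n.lower() for n in z.namelist()]
        if any(n.endswith("vbaproject.bin") for n in names):
            return "macro"                            # OOXML part holding the VBA project
        return "clean" if "[content_types].xml" in names else "unknown"
    return "unknown"


def triage(filename: str, data: bytes) -> str:
    """Decide by content, not extension: quarantine, review or deliver."""
    verdict = classify_attachment(data)
    if verdict == "macro":
        return "quarantine"                           # even if named .xlsx
    if verdict == "unknown" and filename.lower().endswith(OFFICE_EXT):
        return "review"                               # claims Office, does not parse as Office
    return "deliver"


def make_ooxml(with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML-like zip for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr("xl/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {"list.xlsx": make_ooxml(True), "report.xlsx": make_ooxml(False),
               "old.xls": OLE_MAGIC + b"\x00" * 64 + OLE_VBA_MARKER,
               "broken.xlsx": b"not an office file"}
    for name, blob in samples.items():
        print(name, "->", triage(name, blob))
```

Password-protected documents hide their parts from this kind of inspection, so a gateway policy needs a separate rule for attachments it cannot open.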

Let's take a closer look at this piece of malware that goes under the mysterious name of ‘BlackEnergy 3’ (BE3). As you would have guessed, there was a ‘BlackEnergy 1’ and a ‘BlackEnergy 2’ prior to BE3, but I don’t wanna go into too much detail on those here. BE3 popped up for the first time in 2014. It is a rootkit with very extensive capabilities, ranging from simply downloading and executing other malicious code on the computer to a set of specific plugins. These plugins provide all kinds of things you would need for digital reconnaissance and exploitation from inside the system: keylogging, remote desktop viewing, extracting information of all kinds from the host system as well as from the network the host is connected to, and of course the ability to spread laterally throughout the host's network and infect other systems. There is also the option to just plainly destroy the system via various means.

The attackers started to collect the data that was important to them. They mapped the entire network structure and harvested passwords and credentials for all kinds of systems via simple keylogging and the collection of local data such as user tokens. They identified the key IT and ICS targets they needed to take control of.

This is the end of Stage 1 of the attack operation. In the next part of the article we will take a look at how the attack itself actually happened, how it could have been way worse than it actually was, and what measures could have been taken to prevent it or to better defend the infrastructure.


