Scary questions in Ukraine energy grid hack

Scary questions in Ukraine energy grid hack

American investigators are traveling to Ukraine to investigate a recent electricity blackout -- perhaps the first major act of cyberwar on a civilian population.

Ukraine's top law enforcement agency, the SBU, has publicly claimed this was a cyberattack by Russia, part of its ongoing war over the Crimean peninsula.

If that's true, this is a turning point for the use of computer hacking in warfare. It shows that military cyberattacks can be effective at physical disruption.

But right now, little is certain.

1. Parts of Ukraine's energy grid went down

On December 23, a vast region of Ukraine experienced a power outage. Prykarpattya Oblenergo, a power distributor that serves 538,000 customers, says 27 of its substations went dead. Immediately, 103 cities were "completely blacked out," and another 186 cities were left partially in the dark.

Meanwhile, Ukrainian customers were unable to report about the blackout. The call centers at Prykarpattya Oblenergo and another energy provider, Kyivoblenergo, were blocked.

Prykarpattya Oblenergo decided to switch to manual controls and engineering teams were dispatched around the region to flip switches back "on."

Within a few hours, electricity was flowing again.

Even now, nearly a month later, it's still unclear exactly what flipped the "off" switch. But there are clues about how this attack started.

2. Energy company computers were infected with malware

In a public statement three weeks after the incident, Prykarpattya Oblenergo claimed there had been "a hacker attack" on its computer network. Hackers had snuck into the extremely sensitive controls that manage electricity.

Engineers had tried to turn the power back "on," but they discovered that a virus had erased the computers engineers use to monitor equipment, according to the SANS Institute, whose international cybersecurity professionals have first-hand analysis of the malware itself.

The U.S. Department of Homeland Security, which tells CNNMoney it is now assisting Ukrainian investigators, backs up the claim that company computers were hacked. Apparently, someone at the energy company opened an infected Microsoft Word document.

DHS confirmed to CNNMoney that computers were infected with a new version of a high-powered malware called BlackEnergy 3.

This has stark implications.

3. That malware has ties to Russia

Cyberweapons are carefully crafted tools that can, at times, show hints of their authors. One particular American cybersecurity company, iSight Partners, has profiled the creators of BlackEnergy.

In the past, iSight discovered that the malware was built on computers set to the Russian language. It has also been used in other instances to spy on others perceived as Russian enemies: the Ukrainian government and a U.S. scholar who studies the Russia-Ukraine conflict.

The very same team that developed BlackEnergy is at it again, according to iSight. It points to an analysis of the latest version of the malware used in Ukraine.

"BlackEnergy is a distinctively Russian tool," said iSight's director of cyber espionage analysis, John Hultquist. The hacker in this latest attack is "a person with Russian origin, aligned with Russian interests."

4. Power companies' phone lines were simultaneously attacked

Though Kyivoblenergo initially blamed the call center outage as "a technical failure in the infrastructure," multiple investigators now say it was a coordinated attack to prolong the blackout.

It's still unclear where all these calls came from. But what's clear is that it was a deliberate attack.

"A remote adversary was flooding the call center," said Robert M. Lee, one of the world's top experts on these kinds of hacks, during a presentation at the S4X16 cybersecurity conference in Miami Beach. Lee is investigating this incident.

"It was a very deliberate... dialing of thousands of phone calls to deny access to... customers calling in and reporting the outage," he said.

5. Key details are missing

For now, it's still too early to place the blame on Russia.

Cybersecurity researchers caution that, while the BlackEnergy malware has Russian origins, any formidable hacker could have repurposed it for this attack.

Besides, it's possible that hackers didn't trigger the power outage -- malware might have just made it worse.

The questions that remain are monumental: Did the Russian government target Ukrainian civilians? How will Ukraine respond?

We may not have answers until the U.S. Cyber Emergency Response Team finishes combing through the evidence.

There is one grave takeaway for the United States. In the past, DHS has warned that BlackEnergy has infected many industrial control systems used to run America's backbone. The American energy grid is far more automated than the one in Ukraine.

If any American energy company succumbs to the same kind of attack as the one in Ukraine, manually flipping switches back "on" won't be as easy, Lee warned.