Ukranian power grid: Three substations knocked out by malware.

  1. #1
    Sophie Pedophile Tech Support
    So on December 23rd, parts of the Ukrainian Ivano-Frankivsk region suffered a major blackout when substations were remotely disconnected, in what some have theorized to be a tactical hack by pro-Russian forces. The reason this is interesting to me is that it seems to be one of the first attacks of this kind in which malware was employed to achieve malicious acts beyond the stealing of sensitive data in industrial/strategic systems. The article below, by Ars Technica, gives some interesting insight into this.

    http://arstechnica.com/security/2016...ng-escalation/

    Samples of the malware have been analyzed, and here is what was found: delivery of the malware was via a Word document macro virus which leveraged a vulnerability dubbed SandWorm (CVE-2014-4114) that allows for remote code execution. The malicious code would then contact a C&C server, upload basic system information, download additional malware and scan the internal network. One of the additional pieces of malware would set up a backdoor by establishing an SSH server listening on port 6789 for remote access, while the other would inject certain drivers for internal network communications control and a service to hide its behavior. Furthermore, the second piece of malware had a certain payload on standby to be run when the attacker(s) were ready. This payload, when executed, would render the affected devices unbootable, to do further damage to the system and frustrate forensic analysis.

    So once these industrial systems were infected, the substations were remotely accessed to disable them. After that, the payload to render the affected devices unbootable would be executed to delay repair and forensic efforts, thereby effectively ensuring a tactical blackout for a certain amount of time.

    If you're interested, KnownSec has released their analysis of the malware and the attack in general, which can be read by clicking the link below.

    http://blog.knownsec.com/wp-content/...nt-L150113.pdf

    All in all, bretty cool.
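The post names two host-level indicators a defender could look for: an SSH-style backdoor listening on TCP port 6789, and a macro-laden Word document as the initial delivery vehicle. The script below is an added example (not from the thread, the Ars Technica article or the KnownSec report) that scans constructed, clearly labelled sample telemetry for both. The log line formats, the `WINWORD.EXE` parent-process heuristic and the sample values are assumptions made for the example; only the port number and the Word-macro delivery come from the post.

```python
"""
Added example: flag the two indicators the post describes in host telemetry.
  1. a process listening on TCP port 6789 (the backdoor SSH server from the post)
  2. a Word process spawning a child process (macro-based delivery; the
     parent-process name is an assumption made for this example)
Both log formats are assumptions; the sample lines are constructed.
"""
import re
from dataclasses import dataclass

BACKDOOR_PORT = 6789                    # from the post
OFFICE_PARENTS = {"winword.exe"}        # assumption: Word as the macro host

# Constructed "netstat-like" listener lines: proto local_addr state pid/process
LISTENER_LINES = [
    "tcp 0.0.0.0:445 LISTEN 4/System",
    "tcp 0.0.0.0:6789 LISTEN 2312/svchost.exe",
    "tcp 127.0.0.1:3306 LISTEN 1200/mysqld.exe",
]

# Constructed process-creation events: timestamp parent=... child=...
PROC_LINES = [
    "2015-12-23T14:01:07 parent=explorer.exe child=WINWORD.EXE",
    "2015-12-23T14:01:40 parent=WINWORD.EXE child=cmd.exe cmdline=\"cmd /c ...\"",
    "2015-12-23T14:02:02 parent=services.exe child=svchost.exe",
]


@dataclass(frozen=True)
class Finding:
    kind: str    # "listener" or "office_spawn"
    detail: str  # human-readable description for the analyst


LISTEN_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+(?P<addr>\S+):(?P<port>\d+)\s+LISTEN\s+(?P<pid>\d+)/(?P<proc>\S+)$"
)
PROC_RE = re.compile(r"^(?P<ts>\S+)\s+parent=(?P<parent>\S+)\s+child=(?P<child>\S+)")


def find_backdoor_listeners(lines):
    """Return a Finding for every listener bound to the backdoor port."""
    findings = []
    for line in lines:
        m = LISTEN_RE.match(line.strip())
        if m and int(m.group("port")) == BACKDOOR_PORT:
            findings.append(Finding(
                "listener",
                f"pid {m.group('pid')} ({m.group('proc')}) listening on "
                f"{m.group('addr')}:{m.group('port')}",
            ))
    return findings


def find_office_spawns(lines):
    """Return a Finding for every child process spawned by an Office parent."""
    findings = []
    for line in lines:
        m = PROC_RE.match(line.strip())
        if m and m.group("parent").lower() in OFFICE_PARENTS:
            findings.append(Finding(
                "office_spawn",
                f"{m.group('parent')} spawned {m.group('child')} at {m.group('ts')}",
            ))
    return findings


def scan(listener_lines, proc_lines):
    """Run both checks and return the combined list of findings."""
    return find_backdoor_listeners(listener_lines) + find_office_spawns(proc_lines)


if __name__ == "__main__":
    for f in scan(LISTENER_LINES, PROC_LINES):
        print(f"[{f.kind}] {f.detail}")
```

On the constructed input this reports one listener finding (the 6789 bind) and one office-spawn finding (Word launching `cmd.exe`); the Word process being launched by `explorer.exe` is not flagged, since only Word as the parent is suspicious under this heuristic.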
  2. #2
    aldra JIDF Controlled Opposition
    Would make sense as retribution for the attacks severing Crimea's power pylons from the mainland. Stuxnet preceded this as the first major attack to reach out into the real world, though.

    I'd probably guess it was done by private Russian hackers - seems petty with too little payoff to be government-sanctioned.
  3. #3
    SBTlauien African Astronaut
    Malware is an interesting subject. I hope to get better at low level programming soon.
  4. #4
    Hewfil1 Houston
    It'd be fun as fuck to do this to my town.
  5. #5
    Sophie Pedophile Tech Support
    Malware is an interesting subject.

    It really is.