Three power cuts reported in separate areas of western and central
Ukraine in late December were the first known electrical outages
caused by cyber attacks, causing consternation among businesses and
officials around the world.
The consultant, Oleh Sych, told Reuters a fourth Ukrainian energy
company had been affected by a lesser attack in October, but
declined to name it.
He also said a similar type of malware had been identified by the
Ukrainian anti-virus software company Zillya! where he works as far
back as July, making it impossible to know how many other systems
were at risk.
"This is the scariest thing - we're living on a powder keg. We don't
know where else has been compromised. We can protect everything, we
can teach administrators never to open emails, but the system is
already infected," he said.
Sych, whose firm is advising the State Security Service SBU and a
commission set up by the energy ministry, said power distributors
had ignored their own security rules by allowing critical computers
to be hooked up to the Internet when they should have been kept
within an internal network.
This so-called "air gap" separates computer systems from any outside
Internet connections accessible to hackers.
"A possible objective was to bring down some branches (of the
Ukrainian energy system) and create a 'domino effect' to collapse
the entire system of Ukraine or a significant part," Sych said.
Ukraine has also been targeted in other cyber attacks, which
included hacking into the system of Ukraine's biggest airport and TV
Security services and the military blamed the attacks on Russia, an
allegation dismissed by the Kremlin as evidence of Ukraine's
tendency to accuse Russia of "all mortal sins".
Russia annexed Crimea from Ukraine in 2014 and has supported
separatist rebels in the east of the former Soviet republic, arguing
that Kiev's Western-backed government, elected after the
Moscow-backed president fled widespread protests, was illegitimate.
Sych, who said he could not reveal all the details of the probe,
said there was no conclusive evidence that the attacks originated in
Russia. One of the emails was sent from the server of a German
university, another from the United States, he said.
International cyber-security researchers who have studied the
attacks believe the attackers broke into networks by sending
targeted emails designed to trick utility insiders to click on Excel
documents that were poisoned with malware used to gain control
inside the networks.
Sych agreed, saying:
"We understand that this couldn't have happened without an insider.
To carry out this kind of attack you need to know what kind of
operating system and SCADA (supervisory control and data
acquisition) are used and what software controls the industrial
facility," he said.
SCADA software is widely used to control industrial systems.
"The attackers must have known what software was installed ... to
test (the malware) on it. Clearly preliminary investigations were
carried out and this was easy to do with this kind of insider
He said the hackers had sent the e-mails in question to workers at
the affected power distribution companies with infected Word or
Excel files that were meant to look like official correspondence
from the energy ministry.
They contained topics that would have been recognizable to the
workers and were not sent out en masse but targeted certain
individuals instead. One of the emails was about regional
electricity production levels, he said.
"It was all very simple and stupid," Sych said, adding that the
hackers totally wiped the data of some of the computers in one of
Details of the impact of the attacks have been sketchy, but one is
reported to have affected 80,000 customers for two hours. The three
named companies declined to comment on Sych's remarks.
"All experts agree this sort of attack on electric utilities or
other critical infrastructure was bound to happen because
engineering-wise, physics-wise it is technically possible to do,"
said Kenneth Geers, a Kiev-based national security analyst who
worked for U.S. intelligence agencies for 20 years until 2013.
All it takes is political will or opportunism to try something like
this, he said.
Ukrainian Deputy Energy Minister Oleksander Svetelyk has also
accused the companies of lapses, saying on Tuesday there had been
"a lot of errors". He added that U.S. cyber experts would come to
Kiev later this week to help with the investigation.
(Additional reporting by Maria Tsvetkova in MOSCOW and Eric Auchard
in BRUSSELS; Writing by Matthias Williams; Editing by Philippa
Copyright 2016 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.