Attack Against Poland's Grid Disrupted Communication Devices at About 30 Sites


The hackers behind a cyberattack that targeted Poland's grid infrastructure in December disabled communication devices for at least 30 sites across a number of energy facilities in different parts of the country. 

The hackers disabled the communication devices, known as remote terminal units or RTUs, that operators use to monitor and control other equipment, rendering the RTUs inoperable and beyond repair. But they did not cause an outage or otherwise affect generation and transmission equipment at these nearly three dozen sites, according to Dragos, a US-based company that participated in the forensic investigation of one of the entities hit in the attack. 

Most of the devices they targeted were not directly part of the control infrastructure, Dragos says, but were systems related to grid safety and stability monitoring rather than active generation control. Those systems nonetheless play a role in monitoring and in maintaining grid stability, and had the attackers gained full operational control of them, the impact could have been "significantly different," Dragos notes. Dragos also says the attack appears to have been "opportunistic" rather than fully targeted and well planned.

The sites that were impacted are managed by several energy entities, including two combined-heat-and-power plants and a number of facilities used to manage the dispatch of renewable energy from wind and solar sites. Dragos did not identify which entity was part of its investigation.

The Dragos report follows information that Zero Day published last week revealing that the attack involved malicious code known as a wiper that was aimed at erasing files on IT systems at the targeted facilities. It's not clear if the attackers initiated the wiping capability to erase those systems, however.

The information about the wiper, discovered by the security firm ESET, combined with the new information revealed by Dragos, shows that the cyberattack was a multi-pronged operation targeting both IT systems (generally laptops or desktop Windows systems used by engineers to monitor and manage operations) and OT or operational technology systems (the industrial equipment that performs functions or operations at a plant or facility). By going after both IT and OT systems, an attacker can disrupt operations and at the same time cripple the engineers' ability to monitor those functions or restore operations, increasing the overall impact. This is what occurred in an attack that targeted Ukraine's power grid in 2015 that is believed to have been conducted by the same group that attacked Poland.

In that earlier operation, the hackers combined a number of activities to increase the impact of the outage. They used a script to disconnect breakers and cause a power outage and also overwrote the firmware on RTUs to prevent operators from issuing commands to the RTUs to reconnect the breakers and restore power. They also wiped IT systems belonging to operators to cause chaos and make it more difficult for them to recover from the attack and restore power.

Dragos says the Poland attack lacked this kind of coordinated sequencing, likely because each of the nearly three dozen sites the hackers hit required that they perform different manual actions to produce an impact, rather than allowing for a single automated tool to hit them all.

Although the attack in Poland was caught before it could have any impact on the grid, Polish authorities have stated that if successful it could have taken out power to 500,000 people in Poland – meaning that had they manipulated or disabled the OT equipment they gained access to, they may have been able to cause a blackout.

Dragos says the attackers possessed the ability to do more harm than disabling the communications devices but that the attack appeared to be opportunistic rather than targeted and well planned. More likely, the hackers found vulnerable systems they were able to access and were testing and exploring what they could achieve, but lacked the time and preparation to do more. Given more time, the attackers could have had a more significant impact. Instead they simply exploited whatever they could.

"It appears the operation was rushed, but Dragos cannot make an assessment as to why,” the company wrote.

Even if they had done more, however, the attack likely would have resulted in localized outages not a widespread outage across Poland, Dragos notes, due to how the country’s grid is currently structured.

Regardless, Dragos says that what occurred in Poland is a warning to grid operators that smaller renewable energy resource systems are now a target for attackers. It’s the first major cyberattack targeting distributed energy resources — the smaller wind, solar, and combined heat-and-power facilities — that are a growing part of power grids across the world.

Sandworm Blamed for Attack

Dragos provided this new information in a report it released late Tuesday, in advance of a more technical report expected to be released this Friday by the Polish government and Poland's Computer Emergency Response Team.

The Polish government has attributed the attack to a Russian hacking group known commonly as Sandworm, which is associated with Russia's military intelligence agency known as the GRU. Dragos appears to agree with that assessment, though it calls the group by the name Electrum.

Sandworm was responsible for previous coordinated attacks against parts of Ukraine's power grid in 2015 and 2016. Those attacks have some similarities to, but also important differences from, the attack in Poland.

Whereas these previous attacks targeted centralized facilities or substations responsible for controlling the distribution of energy to large areas — the 2015 attack targeted distribution control centers that managed energy flow across regions, and the 2016 attack targeted a transmission substation — the Poland attack targeted devices and systems that are upstream from these types of facilities and that feed into them. These systems are more numerous but each is responsible for a smaller share of power generation and distribution, so more of them need to be targeted to have a significant impact.

Due to the distributed nature of these systems, however, operators rely on remote connectivity over the internet to manage and control them, which makes them potentially accessible to hackers. And because these systems often receive less security attention than large centralized systems they are more vulnerable.

Vulnerabilities Aided Attack

Dragos says that to get to the RTUs, the attackers first exploited vulnerabilities in "edge systems such as firewalls" — firewalls serve as a gateway between the internet and equipment behind them to protect those systems from unauthorized access. But the firewalls or "edge systems" in Poland had vulnerabilities that allowed the attackers to bypass them to get to the RTUs. Dragos did not indicate the nature of the vulnerabilities the attackers exploited, such as whether they involved unpatched security holes in the software of the firewalls or mistakes in how operators configured them that let the hackers bypass them. But because the devices all had the same configuration or vulnerability, the attackers were able to bypass them at nearly three dozen sites.

Operators use RTUs to manage large numbers of facilities from a single SCADA system, and for efficiency owners often deploy the same RTUs with the same configuration across all of their sites. That uniformity makes it easy for an attacker to compromise them and to design a coordinated attack against multiple RTUs simultaneously.

“When the same firewall model with the same vulnerability or misconfiguration is deployed at multiple generation sites, a single exploit becomes a system-wide compromise,” Dragos notes.
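To make the "single exploit becomes a system-wide compromise" point measurable, here is an added example (not Dragos's code or tooling, and not part of the original article) that takes a constructed edge-device inventory and groups devices that would fall to the same exploit: same model and firmware version for a software bug, same model and configuration hash for a shared misconfiguration. The site names, device models, firmware versions and capacities are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class EdgeDevice:
    site: str
    model: str
    firmware: str
    config_hash: str     # hash of the exported device configuration
    capacity_mw: float   # generation capacity reachable through this device


# Constructed inventory: hypothetical site names, models, versions and capacities.
INVENTORY = [
    EdgeDevice("WF-01", "EdgeFW-200", "4.1.2", "cfg-a", 12.0),
    EdgeDevice("WF-02", "EdgeFW-200", "4.1.2", "cfg-a", 10.5),
    EdgeDevice("WF-03", "EdgeFW-200", "4.1.2", "cfg-a", 8.0),
    EdgeDevice("PV-01", "EdgeFW-200", "4.1.2", "cfg-a", 5.0),
    EdgeDevice("PV-02", "EdgeFW-200", "4.3.0", "cfg-a", 6.0),
    EdgeDevice("CHP-01", "OtherGW-9", "2.0.7", "cfg-c", 30.0),
]


def exposure_groups(inventory):
    """Group devices by what a single exploit would need to be true of all of them.

    A firmware bug reaches every device with the same model and firmware version;
    a misconfiguration reaches every device with the same model and configuration.
    Each group reports the sites it covers and the share of fleet capacity behind
    them, sorted from the widest blast radius down.
    """
    total_mw = sum(d.capacity_mw for d in inventory)
    buckets = defaultdict(list)
    for d in inventory:
        buckets[("firmware", d.model, d.firmware)].append(d)
        buckets[("config", d.model, d.config_hash)].append(d)

    groups = []
    for (kind, model, key), devices in buckets.items():
        mw = sum(d.capacity_mw for d in devices)
        groups.append({
            "kind": kind,                    # "firmware" or "config"
            "model": model,
            "key": key,
            "sites": sorted(d.site for d in devices),
            "capacity_mw": mw,
            "share": mw / total_mw if total_mw else 0.0,
        })
    groups.sort(key=lambda g: (-g["capacity_mw"], -len(g["sites"]), g["kind"]))
    return groups


def widest_blast_radius(inventory, min_sites=2):
    """The largest group one exploit would take down, or None if no two devices share a key."""
    for g in exposure_groups(inventory):
        if len(g["sites"]) >= min_sites:
            return g
    return None


if __name__ == "__main__":
    for g in exposure_groups(INVENTORY):
        if len(g["sites"]) > 1:
            print(f"{g['kind']:8} {g['model']} {g['key']}: {len(g['sites'])} sites, "
                  f"{g['capacity_mw']:.1f} MW ({g['share']:.0%} of fleet)")
```

On the constructed inventory the widest group is the shared configuration, not the shared firmware version: a device on a newer firmware still carries the same exported configuration, so a misconfiguration-class flaw exposes five sites and about 58% of fleet capacity where the firmware bug exposes four. That is the distinction Dragos leaves open (software vulnerability versus operator misconfiguration), and it is why an inventory should fingerprint both.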

Dragos notes that the attackers were able to compromise the systems “without triggering detection” at many of the sites they hit. Combined with insufficient logging on the devices and the network, this meant that after the operation was discovered, investigators had difficulty determining whether the attackers attempted to issue commands that could have affected power distribution. The attackers did not appear to issue commands to the RTUs or the equipment they control, but Dragos says it could not determine from the available logs whether they attempted this or focused solely on disabling the RTUs.
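The logging gap Dragos describes is concrete: if the traffic between the SCADA master and the RTUs is not recorded, nobody can later say whether an intruder who reached an RTU only disabled it or also tried to operate it. As an added example (not from the article, and not Dragos's tooling), here is a small audit over constructed RTU access records that answers that question when the logs exist, and reports the sites for which no answer is possible. It assumes Modbus/TCP function codes, which the article does not name, a hypothetical one-record-per-line export format, and a known list of legitimate SCADA master addresses; the addresses, site names and timestamps are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Modbus/TCP function codes. Assumption: the article does not say which protocol the RTUs speak.
MODBUS_READ = {1, 2, 3, 4}              # read coils, discrete inputs, holding/input registers
MODBUS_WRITE = {5, 6, 15, 16, 22, 23}   # write coils/registers: these are control actions

# Hypothetical one-record-per-line format, as a firewall or network sensor might export it.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+site=(?P<site>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+fc=(?P<fc>\d+)$"
)

# Constructed sample: one legitimate master, one outside host reaching two sites, and one
# expected site that logged nothing in the window. Private and documentation address ranges.
SAMPLE_LOG = """\
# constructed sample, not real telemetry
2025-01-15T02:10:01Z site=WF-07 src=10.0.0.10 dst=10.7.0.20 fc=3
2025-01-15T02:10:05Z site=WF-07 src=10.0.0.10 dst=10.7.0.20 fc=16
2025-01-15T02:14:07Z site=WF-07 src=198.51.100.23 dst=10.7.0.20 fc=3
2025-01-15T02:14:09Z site=WF-07 src=198.51.100.23 dst=10.7.0.20 fc=5
2025-01-15T02:21:44Z site=PV-12 src=198.51.100.23 dst=10.12.0.20 fc=4
2025-01-15T02:30:00Z site=CHP-02 src=10.0.0.10 dst=10.2.0.20 fc=3
"""
SCADA_MASTERS = {"10.0.0.10"}
EXPECTED_SITES = ["WF-07", "PV-12", "CHP-02", "WF-08"]


@dataclass(frozen=True)
class Record:
    ts: str
    site: str
    src: str
    dst: str
    fc: int


def parse_log(text):
    """Parse records; comment lines and malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            records.append(Record(m["ts"], m["site"], m["src"], m["dst"], int(m["fc"])))
    return records


def audit(records, scada_masters, expected_sites):
    """Answer the investigator's questions from the traffic log.

    Returns which non-master hosts issued control writes (and which codes), which
    non-master hosts only read, and which expected sites produced no records at all.
    A site in that last list is the situation the article describes: no telemetry, no answer.
    """
    writes = defaultdict(set)
    reads = defaultdict(set)
    seen_sites = set()
    for r in records:
        seen_sites.add(r.site)
        if r.fc in MODBUS_WRITE:
            writes[(r.site, r.src)].add(r.fc)
        elif r.fc in MODBUS_READ:
            reads[(r.site, r.src)].add(r.fc)

    unauthorized_writes = sorted(
        (site, src, sorted(fcs))
        for (site, src), fcs in writes.items() if src not in scada_masters
    )
    unauthorized_reads = sorted(
        (site, src)
        for (site, src) in reads if src not in scada_masters and (site, src) not in writes
    )
    silent_sites = sorted(set(expected_sites) - seen_sites)
    return {
        "unauthorized_writes": unauthorized_writes,
        "unauthorized_reads": unauthorized_reads,
        "silent_sites": silent_sites,
    }


if __name__ == "__main__":
    findings = audit(parse_log(SAMPLE_LOG), SCADA_MASTERS, EXPECTED_SITES)
    for site, src, fcs in findings["unauthorized_writes"]:
        print(f"CONTROL WRITE from non-master {src} at {site}: function codes {fcs}")
    for site, src in findings["unauthorized_reads"]:
        print(f"read-only access from non-master {src} at {site}")
    for site in findings["silent_sites"]:
        print(f"no records from {site}: cannot say what happened there")
```

The three outputs map onto the three things an incident responder needs after an RTU compromise: evidence of control actions (a write from an unexpected source), evidence of reconnaissance only (reads from that source), and the sites where the question cannot be answered because nothing was logged. The last category is the one that cannot be fixed after the fact, which is the point of Dragos's remark about insufficient logging.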

Poland's grid, like many others, draws part of its generation from numerous small renewable energy resources; about a quarter of the country's power generation comes from renewable sources.

The systems for managing these resources are often geographically dispersed across regions. Taking out an individual renewable facility has a smaller impact than going after a centralized substation, but a coordinated attack targeting many of them could still have widespread impact if an attacker can manipulate them, Dragos notes.

This was demonstrated by an outage that occurred in Spain and Portugal last year when fluctuations in frequencies involving renewable energy systems caused instability and a cascading effect on the Iberian power grid. The blackout in Spain has not been attributed to a cyberattack, but it demonstrated what can occur when these distributed systems cause frequency fluctuations that impact how other parts of the grid adjust and react to these fluctuations in order to manage supply and demand of power.

Although the facilities impacted provide only a small part of Poland's energy supply, a sudden and simultaneous loss of this amount of generation would have a noticeable impact on the frequency to such a degree that it could cause cascading failures in other systems, Dragos notes. Such a frequency fluctuation played a role in last year's Iberian grid collapse as well as most major blackouts of the last decade.

See also:

Cyberattack Targeting Poland's Electric Grid Used a Wiper
