Polish Grid Systems Targeted in Cyberattack Had Little Security, Per New Report
The hackers behind a cyberattack that targeted Poland's grid infrastructure met little resistance when they hit systems at a heat-and-power plant and wind and solar farms last month.
The intruders were able to easily access numerous systems at the affected facilities because the systems were configured with default usernames and passwords and did not use multi-factor authentication, which would have helped keep intruders out even if they discovered the default credentials. The attackers were in the heat-and-power plant's network at least five to nine months before they unleashed malicious code on more than 100 of the plant's workstations that was aimed at wiping files and rendering the systems inoperable. Luckily the wiping triggered an alert in an intrusion-detection system, which halted the wiping before it could destroy the systems. This wasn't the case at the wind and solar farms, however, where a wiper did succeed in rendering inoperable some devices used for monitoring and controlling grid systems.
Despite this, the attackers were never able to disrupt power, though it's not clear if this was their end goal. But even if the attackers had succeeded in disrupting electricity generation at all 30 sites they had accessed, investigators say that, based on the combined amount of energy these sites produced, it "would not have affected the stability of the Polish power system during the period in question." This is in contrast to previous statements by Polish officials that the attackers were in a position to cut power to 500,000 users had they tried to do so.
The new information comes in a detailed technical report issued today by Poland's Computer Emergency Response Team, which provides a more expansive look at how the coordinated attack unfolded and the poor security that enabled it. The new report departs from previous claims about who was behind the hack. Last week the Slovakian security firm ESET said it believed "with medium confidence" that a wiper used in the attack was the work of Sandworm, a hacking group associated with Russia's GRU military intelligence agency. This week, the US-based security firm Dragos seemed to agree with this attribution.
But Polish CERT investigators are attributing the attack to a different Russian hacking group known as Berserk Bear, Dragonfly and other names given to it by various security vendors and Microsoft. Berserk Bear is linked to the FSB, Russia's domestic intelligence agency and successor to the KGB. Unlike Sandworm, Berserk Bear has not in the past conducted destructive operations; instead it has focused on cyberespionage against targets in the energy sector and other critical infrastructure. If it did perform the destructive operations in Poland, this would be an evolution in its attacks.
Investigators say infrastructure and other elements used in the Poland attack are the same as or similar to infrastructure used in other Berserk Bear operations, leading to the attribution to that group. Although a wiper used in the Poland operation shares similarities with wiper code previously used by Sandworm, investigators say the similarities are "too low" to link the Poland wiper to previous Sandworm ones, and therefore they cannot conclusively determine whether Sandworm was involved in the Poland attack.
Wide Open
As previously reported, the attacks targeted about 30 remote sites managed by several different types of energy producers in Poland. They include a combined-heat-and-power plant that supplies heat to about half a million customers in Poland and an unspecified number of wind and solar farms. The Polish report reveals that a private company in the manufacturing sector was also targeted at the same time as these others.
Polish investigators say all of the attacks were "purely destructive in nature" and highlight the fact that the attacks on the energy systems occurred during a period of low temperatures and snowstorms in the affected areas in Poland. Investigators liken the operation to "deliberate acts of arson."
As previously reported here, the attack was a multi-pronged operation targeting both IT systems (laptops or desktop workstations used by engineers to monitor and manage operations) and OT, or operational technology, systems (used to control operations at a plant or facility). By going after both IT and OT systems, an attacker can disrupt operations as well as the ability of engineers to monitor systems or restore operations, increasing an attack's impact. But because the attackers in this case didn't manage to take down systems that generate power, their attack on the OT systems had little impact.
The authors of the Polish report detail numerous security issues that allowed the attackers to easily gain access and administrative-level privileges on a variety of devices across all of the nearly three dozen sites. In some cases, they were able to wipe system files and disable devices – preventing operators from having the ability to monitor and control grid systems.
Zero Day published a story last week revealing that the attack involved a wiper – dubbed DynoWiper by researchers at the Slovakian security firm ESET – that was aimed at erasing files on IT systems at one of the targeted facilities. According to the new report, these were Windows 10 systems used for monitoring and controlling grid systems at the heat-and-power plant. The systems had Mikronika Syndis software installed on them and were using a default password to secure them. Once the attackers gained access to these systems, they had administrative-level privileges to take control of them.
At the wind and solar farms, the attackers focused on wiping remote terminal units, or RTUs, which are communication systems used to monitor and control other industrial equipment. Many of the sites were using Hitachi RTU560 controllers with default credentials that were never changed, including one that used a default account called "Default" that gave the attackers administrative-level privileges. With this access, they were able to replace the firmware on the RTUs with a malicious one the attackers created.
Heat-and-Power Plant
The earliest activity noted in the report occurred months before the destructive wiping in December. It took place at the heat-and-power plant, where the intruders appear to have gained access some time between March and July, six to ten months before executing their destructive wiping activity.
Logs that investigators examined showed the attackers were conducting reconnaissance during the early months, and attempting to obtain user credentials and access data. During this time, they stole sensitive information related to the plant's industrial automation systems and other operations.
On December 8, the intruders made configuration changes to Windows monitoring stations at the plant, which gave them the ability to execute commands and malicious code on the machines. On December 25, they conducted network scans and attempted to log into RTU devices. Then on December 29, they installed the DynoWiper on the network, which went undetected by the plant's antivirus software. When they attempted to execute the wiper simultaneously on more than 100 workstations, however, this triggered an alert and an intrusion-detection system blocked the malicious code from fully executing. After modifying the wiper the attackers tried to execute it again, but the detection system blocked this version as well.
Wind and Solar Farms
At the wind and solar farms, the attackers focused on taking out RTUs. The targeted facilities used at least two different RTU brands made by Hitachi and Mikronika. To get to the RTUs, the attackers first exploited vulnerabilities in FortiGate VPN-firewalls, which were not using multi‑factor authentication. The attackers were then able to get administrative-level privileges in order to swap out the firmware on the Hitachi devices and replace it with their own malicious firmware. The latter threw the RTUs into a continuous reboot loop, essentially bricking them.
Some of the RTUs had been running outdated firmware versions that contained an unpatched vulnerability, and some were running a more recent version that had a security feature to prevent someone from installing unauthorized firmware on the RTUs. The security feature was not enabled by default, however, and workers had failed to enable it on the devices, allowing the attackers to install their malicious code.
In addition to their attack on the heat-and-power plant and the wind and solar farms, the attackers also breached a company in the manufacturing sector. On December 29, while wiping and attempting to wipe systems at those facilities, they also attempted to interrupt operations at this manufacturing plant. The report doesn't indicate the nature of that activity, but it notes that the activity against the manufacturing plant was "opportunistic" and "not linked to the other affected organizations."
The report indicates that the attackers deployed a wiper – in this case dubbed LazyWiper – on the manufacturer's network, but doesn't say if it was detected and halted or if it successfully wiped systems.
See also:
Attack Against Poland's Grid Disrupted Communication Devices at About 30 Sites