New Clues Show How Russia’s Grid Hackers Aimed for Physical Destruction

In 2017, ESET had noted the disturbing implications of that malware component; it hinted that Industroyer's creators might be bent on physical damage. But it was far from clear how the Siprotec-hacking feature could have actually caused more lasting damage. After all, the hackers had merely turned off the power at Ukrenergo, not caused the sort of dangerous power surge that disabling a protective relay might exacerbate.


The Dragos analysis may provide that missing piece of the Ukrenergo puzzle. The company obtained the Ukrainian utility's network logs—it declined to say from where—and for the first time was able to reconstruct the order of the hackers' operations. First, the attackers opened every circuit breaker in the transmission station, triggering the power outage. An hour later, they launched a wiper component that disabled the transmission station's computers, preventing the utility's staff from monitoring any of the station's digital systems. Only then did the attackers use the malware's Siprotec hacking feature against four of the station's protective relays, intending to silently disable those failsafe devices with almost no way for the utility's operators to detect the missing safeguards.


The intention, Dragos analysts now believe, was for the Ukrenergo engineers to respond to the blackout by hurriedly re-energizing the station's equipment. By doing so manually, without the protective relay failsafes, they could have triggered a dangerous overload of current in a transformer or power line. The potentially catastrophic damage would have caused far longer disruptions to the plant's energy transmission than mere hours. It could also have harmed utility workers.


That plan ultimately failed. For reasons Dragos can't quite explain—likely a networking configuration mistake the hackers made—the malicious data packets intended for Ukrenergo's protective relays were sent to the wrong IP addresses. The Ukrenergo operator ..
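The staged sequence reconstructed from the network logs above (mass breaker trips, a wiper about an hour later, then relay-bound packets that ended up at the wrong IP addresses) is exactly the kind of ordered chain a substation monitoring team would want to correlate. The following is an added example, not code from the article, Dragos or ESET: it assumes a hypothetical "<timestamp> <event> key=value" log format, a constructed relay inventory and constructed log lines, and flags the chain plus any relay-bound traffic aimed outside the known relay addresses.

```python
from datetime import datetime, timedelta

# Constructed relay inventory (hypothetical addresses, not from the article).
KNOWN_RELAYS = {"10.20.1.11", "10.20.1.12", "10.20.1.13", "10.20.1.14"}

# Constructed log excerpt in a hypothetical "<ts> <event> key=value" format,
# mirroring the staging described above: breakers opened, a wiper about an
# hour later, then relay-bound packets sent to addresses not in the inventory.
SAMPLE_LOG = """\
2020-01-01T22:53:00 BREAKER_OPEN bay=1
2020-01-01T22:53:01 BREAKER_OPEN bay=2
2020-01-01T22:53:01 BREAKER_OPEN bay=3
2020-01-01T22:53:02 BREAKER_OPEN bay=4
2020-01-01T23:54:10 WIPER host=hmi-01
2020-01-01T23:55:00 RELAY_PKT dst=10.20.9.11
2020-01-01T23:55:01 RELAY_PKT dst=10.20.9.12
"""


def parse_events(text):
    """Parse log lines into (timestamp, event, {key: value}) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *rest = line.split()
        fields = dict(item.split("=", 1) for item in rest)
        events.append((datetime.fromisoformat(ts), kind, fields))
    return events


def detect_staged_attack(events, min_breakers=3, window=timedelta(hours=3)):
    """Return an alert dict if the ordered chain (many breakers open, then a
    wiper, then relay-bound traffic) occurs within `window`, else None.
    The alert lists relay packets whose destination is not a known relay."""
    opens = [t for t, k, _ in events if k == "BREAKER_OPEN"]
    if len(opens) < min_breakers:
        return None
    first_open = min(opens)
    deadline = first_open + window
    wipers = [t for t, k, _ in events if k == "WIPER" and first_open < t <= deadline]
    if not wipers:
        return None
    after_wiper = min(wipers)
    relay = [f["dst"] for t, k, f in events
             if k == "RELAY_PKT" and after_wiper < t <= deadline]
    if not relay:
        return None
    return {
        "breakers_opened": len(opens),
        "relay_packets": len(relay),
        "misdirected_relay_targets": sorted(set(relay) - KNOWN_RELAYS),
    }
```

Because the check keys on the order of the three stages rather than on any single event, it would still fire on the misdirected packets, which is where the real attack went wrong but where a monitoring team could have seen it coming.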