"Through interviews with impacted entities, the team learned that power outages were caused by remote cyber intrusions at three regional electric power distribution companies (Oblenergos) impacting approximately 225,000 customers," the statement reads. "While power has been restored, all the impacted Oblenergos continue to run under constrained operations. In addition, three other organizations, some from other critical infrastructure sectors, were also intruded upon but did not experience operational impacts."

ICS-CERT goes on to explain that those responsible for the intrusions likely acquired legitimate credentials prior to the attacks, citing spear-phishing emails laced with BlackEnergy malware as a possible initial access vector. The bad actors in turn leveraged those credentials for malicious remote operation of the breakers, which caused the outages. At the conclusion of the targeted attacks, the threat actors wiped some of the systems with KillDisk malware.
"The focus on application whitelisting and patching infrastructure is misplaced," Lee observes. "These are good starting places. However, nothing listed in the ICS-CERT report would have stopped the attack. The threat was a focused and persistent human threat that took months to learn their target and attack it with highly professional logistics and operational planning. They did and would have further adapted to whatever passive defenses that were placed in their way. Recommendations around limited VPN access, two form authentication, patching, etc. are really good places to start. They help build a defensible ICS. They buy defenders time and visibility. But they do not make the ICS defended."

https://twitter.com/RobertMLee/status/702925478693175296

Lee recommends instead that organizations invest in creating "empowered and trained human defenders" who can together create, maintain, and enhance a defensible ICS environment.