Proact Blog

Cyber warfare: Targeting national infrastructure

Euan Birch, Security Operations Lead at Proact UK

The water we drink, the train we get to work, the hospital we get better in – everything from our police force, fire service, coast guard, banks and SPACE! We rely on all of these to survive day-to-day and our government knows it. That’s why they’re protected and classified as critical national infrastructure.

Just a normal day

On a snowy day in December 2015, the 23rd to be precise, an engineer sat at their base station on the outskirts of Kiev, Ukraine. Expecting a normal, quiet nightshift at the office, they put their feet up with a hot cup of coffee and start monitoring the grey-scaled televisions in front of them. The room is like a train station control centre. But, instead of monitoring electric trains and guiding them into each platform, the engineer is looking for outages on the national grid infrastructure. They’re looking for problems and anomalies at the substations in the areas in and around the Ukrainian capital. When issues are identified, the engineer arranges incident response to quickly fix them. Customers simply can’t be without their energy at this time of year.

Nothing to see here

Sitting in their home near Pirogovo, a family settles down for the evening sipping hot cocoa while watching a movie. Suddenly, they’re plunged into darkness. Searching about they find a phone and turn on a torch to go and search for the problem. They look out of their window and see that the whole street is in darkness.

What’s going on?

The engineer frantically begins searching amongst the red flashing flights. Only two minutes before their screens were completely grey with no issues – they’re now red and screaming for attention. Every substation has gone off. Every light in Ukraine is out and backup generators have had to fire-up which run on expensive diesel fuel. Scared and confused, the engineer frantically calls their bosses and begins with incident response to find out what went wrong.

What happened

Ukraine lost its light for 24 hours. Spear phishing emails with ‘BlackEnergy’ malware infected and seized control of SCADA systems and remotely controlled and switched off over 30 substations. Uninterruptible power supplies, modems, servers, workstations and programmable logic controllers were destroyed by the KillDisk malware, leaving over 230,000 homes without power. A total of 73 MWh of electricity was not supplied in this critical situation. Imagine being left in the dark at that time of year. It could affect people’s lives and livelihoods should workplaces and hospitals have to close for fear of not having power.

This is reality

This is a real story. These types of attack are prevalent and critical national infrastructure is a massive target for cyber warfare. In this case the attacks were found to be connected to the advanced persistent threat group based in Russia called “Sandstorm”. It was the first attack of its kind but it won’t be the last.

Your business, no matter how big or small, could be affected by advanced persistent threats where cyber-crime groups and/or state actors seek to cause damage and destruction to further their own interests. By law, all critical national infrastructure providers in the UK must follow the NIS Directive and comply by monitoring security events, being prepared for attacks, taking action to prevent attacks and ensuring users know how to react and avoid them.

Proact can help

We can help. We monitor your critical assets via our SIEM as a Service offering and inform you of conditions that could indicate the early stages of an attack. This helps to prevent and discourage advanced persistent threats from targeting you. We also help you understand holes in your defences by scanning for vulnerabilities in your infrastructure and by providing advice on how to fix them. We also offer actionable intelligence to help remediate critical vulnerabilities.

Our Anti-Phishing service is there to assist with the threat of phishing attacks and to provide user awareness. Your employees are specifically targeted by attackers as a way to get into your network and our team at Proact can help mitigate these threats.

Get in touch

By clicking Send now, I agree to the terms and conditions outlined in the Proact Privacy Policy.