Ukraine power company outage shows the diminishing role of malware in complex cyber attacks

Published information around the December attacks targeting two Ukrainian power companies highlights two developments in cyber security: the rise of more sophisticated attacks and the diminished role malware is playing in those campaigns.

Increasingly, malware is just one piece of a very advanced operation comprised of ambitious goals that go beyond stealing log-in credentials or bank account information.

And attackers aren’t using these tactics just on utility providers. Enterprises are also vulnerable, particularly those that only focus on detecting and eradicating malware. This mindset can lead to security teams missing far more damaging activity.

Malware leads to more damaging attacks

In the case of the Ukrainian attacks, the perpetrators employed a three-part operation to ultimately cut electricity to at least 80,000 people for six hours. To initially infiltrate the companies, the perpetrators used malware. That foothold allowed them to access key networks and open circuit breakers to cause the power outage. They also used a denial-of-service attack to disrupt the utility providers’ phone systems, preventing customer calls from going through.

The malware facilitated the attack, but didn’t cut the electricity, according to a report from the SANS Institute division that handles industrial control system research.

“Current evidence and analysis indicates that the missing component was direct interaction from the adversary and not the work of malware. Or in other words, the attack was enabled via malware but consisted of at least three distinct efforts,” the report said.

Organizations that focus only on finding malware risk missing advanced campaigns

While most organizations don’t operate the industrial software used by electric companies, the attacks in the Ukraine still hold lessons for enterprises. Security teams need to remember that a piece of malware is just one component of an attack. In many cases, malware offers access to an organization but sophisticated hackers interactively working on a system carry out the real operation.

Businesses, though, often operate under the myth that discovering and eradicating malware completely shuts down the attack. In reality, malware often serves as the initial component in an advanced operation, while in other cases it serves as a decoy to distract security teams from the main attack. When investigating incidents, security teams should keep in mind that attacks are often more nuanced and layered than they first appear and that removing malware does not necessarily mean an adversary has been eradicated.

To learn about other common cyber-security misconceptions and how to overcome them, read our report “The Five Most Common Cyber-Attack Myths Debunked”.

Additionally, security teams that only focus on detecting malware will miss campaigns that use more advanced methods, such as fileless malware. These types of attacks, which use an OS’ legitimate tools for conducting malicious activities, are on the rise, according to a report from Cybereason Labs. In fact, Cybereason’s security researchers predict these types of attacks will take off this year after becoming an emerging threat in 2015.

Amit Serper
About the Author

Amit Serper

Amit Serper is Principal Security Researcher at Cybereason. He specializes in low-level, vulnerability and kernel research, malware analysis and reverse engineering on Windows, Linux and macOS.