Cyber Attacks Target Utilities; IT Risk Managers Now on Alert

April 22nd, 2016

Earlier this year, cyber terrorists launched a well-organized and highly effective attack that cut power to millions serviced by Ukrainian electricity distribution companies, the first verified and successful intrusion into a utility information technology (IT) network.

The sophisticated attack was launched through a well-planned campaign that sent fake emails containing a BlackEnergy-type computer virus to the Ukrainian utilities’ employees. Social engineering techniques such as “spoofing” real email addresses convinced the recipients that the email was legitimate and opened the malware file. The deployed virus and external programming let the hackers collect information on the structure of the utilities’ IT systems and identify programming resources and their methods for external access to utility IT infrastructure.

The cyber-attack consisted of five elements:

1) Infecting the networks via emails;

2) Assuming control of the administration of the automated system for dispatch/control that shuts off sub-stations;

3) Disabling IT infrastructure, including modems, switchboards, and uninterrupted power supply devices;

4) Destroying information on servers and at work stations; and

5) Attacking telephone numbers of utility call centers to deny service to customers experiencing an outage.

 

Utility companies around the world are now on higher alert that relatively low-tech but increasingly sophisticated email “spoofing” scams could take down a power grid.

There are other threats as well. Several Hays clients have documented receipt of fraudulent emails purporting to be from senior officers. The emails told recipients to transfer money to a bank account (controlled by perpetrators) and advised that the necessary documentation supporting the payment would be made later. So far, quick-thinking employees who questioned the request or deviation from proper procedure have thwarted these attempts.

In another case, which unfortunately may have been successful, a fake email supposedly from a company officer directed an employee in the utility’s HR department to send an electronic file with sensitive employee information. In this type of social engineering scam, emails with spoofed addresses said things such as:

  • “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
  • “Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)?”
  • “I want you to send me the list of W-2 copy of employees wage and tax statement for 2015. I need them in PDF file type, and you can send it as an attachment. Kindly prepare the lists and email them to me asap.”

 

It is clear by the manner in which these fake internal emails were written — they often imitated the writing style of individual officers — that the perpetrators had gained access to the utilities’ systems for quite some time prior to the events.

The key point for risk managers is to not only ensure these attacks can’t happen because incoming emails are scanned for the latest malware and viruses, but also to identify and educate employees whose responsibilities and IT access make them prime potential targets. By properly informing workers about the various methods used, how to spot a potential fake email, how to effectively confirm legitimate requests, and when to be suspicious about attachments that could contain IT-compromising viruses, utilities companies have a chance to stay a step ahead of clever cyber criminals.

 

For more information on Hays Companies’ Cyber and Power and Utility consulting services, please contact either Dain Jorgenson (djorgenson@hayscompanies.com), Dave Wasson (dwasson@hayscompanies.com) or Michelle Carter (mcarter@hayscompanies.com).