By Jim Finkle and Dustin Volz
MIAMI/WASHINGTON, Jan 12 - The U.S. government
said it was helping Ukraine investigate an apparent cyber attack
last month on the country's power grid that caused a blackout
for an estimated 80,000 customers.
Experts have widely described the Dec. 23 incident at
western Ukraine's Prykarpattyaoblenergo utility as the first
known power outage caused by a cyber attack. Ukraine's SBU state
security service has blamed Russia for the incident, while U.S.
cyber firm iSight Partners linked it to a Russian hacking group
known as "Sandworm."
The Department of Homeland Security's Industrial Control
Systems Cyber Emergency Response Team, or ICS-CERT, said in an
alert emailed on Tuesday that it had analyzed malicious software
found in the utility's network. It identified the software as BlackEnergy
3, a variant of malware that the agency previously said had
infected some U.S. critical infrastructure operators in 2014.
When ICS-CERT initially reported on that infection in
December 2014, it said that it did not know of any cases where
BlackEnergy caused physical disruption to U.S. power systems.
A DHS official said on Tuesday that government investigators
have not confirmed whether the BlackEnergy malware caused the
Ukraine incident.
"At this time there is no definitive evidence linking the
power outage in Ukraine with the presence of the malware," said
the official, who was not authorized to discuss the matter
publicly.
The ICS-CERT alert also said that the attackers appeared to
have spread the BlackEnergy malware in Ukraine through a
phishing campaign that used a malicious Microsoft Word email
attachment.
The alert marked the first time the U.S. government had
publicly commented on the Ukraine outage. It said ICS-CERT would
continue to study the attack, providing additional technical
data on a confidential government portal. (1.usa.gov/1Fbc9mQ)
Experts attending the S4 conference on securing critical
infrastructure from cyber attacks, which opened on Tuesday in
Miami, said they are eager for more information on what happened
in Ukraine.
Michael Toecker, a consulting engineer who advises utilities
on grid security, said that some clients are asking, "What do we
need to do to make sure this doesn't happen to us?"
While security researchers widely believe that the outage
was caused by a cyber attack, a few experts at the conference
said they want more information before weighing in on what
happened.
Ralph Langner, managing principal of Germany's Langner
Group, said he is waiting to hear the results of a formal
Ukraine energy ministry probe of the incident.
