The cyber attacks that downed two power suppliers in Ukraine in December 2015 were not isolated, but part of a multi-stage, targeted attack on the Ukrainian industrial network, say researchers.

The attacks are the first known examples of cyber attacks directly responsible for power outages, according to the report by the industrial control systems (ICS) team of the Sans Institute.

A key element of the cyber attacks was the BlackEnergy Trojan used to deploy a destructive disk-wiping component, known as a “KillDisk”.

Around half the homes in Ukraine’s Ivano-Frankivsk region plunged into darkness for several hours; but researchers at security firm Trend Micro also discovered that a major mining company and large railway operator – part of the national railway system – were also targeted.

These attacks appear to have been aimed at crippling Ukrainian public and criticial infrastructure in a politically motivated strike, according to Kyle Wilhoit, senior threat researcher at Trend Micro.

In hunting for additional infections or malware samples related to attacks on the power companies, Wilhoit and his colleagues found samples of BlackEnergy and KillDisk that may have been used against the mining and rail companies.

“The possible infections in the mining and railway organisations appear to use some of the same BlackEnergy and KillDisk infrastructure that were seen in the two power facilities attacks,” Wilhoit wrote in a blog post.

Malware and timing overlap One sample from the mining company, he said, appears to have been used in November 2015 to infect its target, while another sample had exactly the same functionality and used the same communication infrastructure as the samples seen in the Ukrainian power utility attack. In the case of the railway company, the researchers found indications of the same KillDisk malware used against the power companies and the mining company. “This appears to be the only spillover from the Ukrainian power utility infection. However, we have no proof showing that BlackEnergy was present on the railway systems, it could be assumed that it was likely present somewhere in their network,” said Wilhoit. The researchers believe the same actors were responsible for all four attacks because of the overlap between the malware used, infrastructure, naming conventions, and the timing of the attacks. “This proves that BlackEnergy has evolved from being just an energy sector problem to a threat that organisations in all sectors—public and private—should be aware of and be prepared to defend themselves from,” said Wilhoit.

Weapons testing theory The researchers believe the attacks may have wanted to destabilise Ukraine through a substantial or persistent disruption involving power, mining and transportation facilities. Another possibility, said Wilhoit, is that they have deployed the malware to different critical infrastructure systems to determine whic- is the easiest to infiltrate and subsequently wrestle control over. A related theory is that the infections in the mining and train companies may have just been preliminary infections, where the attackers are just attempting to test the code base. “Whichever is the case, attacks against industrial control systems (ICS) should be treated with extreme seriousness because of the dire real-world repercussions,” said Wilhoit. Ed Cabrera, vice-president of cyber security strategy at Trend Micro, said the co-ordination and sophistication of these attacks suggested a “menacing pattern” to disable Ukraine’s critical infrastructure supply chain. “By permeating both public and private sectors, these destructive efforts are going far beyond what was originally detected,” he said.