In our previous article, we laid out some important social engineering terms, such as phishing, spear-phishing and pretexting. We also introduced what we call “Potentially Unwanted Leaks” (PUL): tidbits of information that, once out in the wild, become valuable nuggets for use against you in a social engineering attack.

This last installment in our ICS/SCADA series shows how social engineering was used to cause a blackout, the first known case of a cyberattack being directly responsible for a power outage.

On December 23, 2015, at 3:35 pm local time, in Ivano-Frankivsk Oblast (a southwestern region of Ukraine that borders Romania and lies close to the borders of Hungary, Slovakia and Poland), seven 110 kV and twenty-three 35 kV substations were disconnected for three hours.

The outage, which took out 30 substations, hit three regional energy distribution companies and left about 225,000 customers without power. Shortly thereafter, Ukraine’s SBU state security service blamed Russia, not an unreasonable assertion given the long lead time an operation of this kind requires.

How was this allowed to happen?

Social engineering is how. It all started with a spear-phishing campaign whose spoofed sender address made the emails appear to come from the Rada, the Ukrainian parliament. Rejecting such an email is a tough proposition for any employee, and in some organizational cultures ignoring a message from parliament can carry real consequences for the person who ignores it.

So, what happens? An employee opens the email, opens the attachment and, when prompted, enables the macro, and all nastiness breaks loose. The attachment was a weaponized Office document (screen capture below, credit: CyS Centrum) that asks the user to enable macros; the document itself is harmless until that click, because the macro is what runs the malicious code.
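As an added example (it is not from the original article, nor from any report on the incident), here is a small Python triage script for the two red flags this paragraph describes: a visible From: header whose domain does not agree with the Return-Path or Reply-To, and an Office attachment that carries a VBA project the user would be asked to enable. The message, the domains (rada.example, mailer.example.net, utility.example) and the attachment it builds are constructed for illustration and do not reproduce the real lure; the vbaProject.bin content is a placeholder, since the check only keys on the presence of that part inside the Office Open XML container.

```python
"""Triage checks for the spear-phishing pattern described above.

Check 1: does the visible From: domain agree with the Return-Path and
Reply-To domains?  A mismatch is the classic footprint of a spoofed sender.
Check 2: does any attached Office Open XML document (.docm/.xlsm/...) carry
a VBA project?  Macro-enabled OOXML files store it as */vbaProject.bin,
which is exactly the thing the user is asked to "enable".
"""
import email
import email.policy
import email.utils
import io
import zipfile
from email.message import EmailMessage


def sender_domain(header_value: str) -> str:
    """Return the lower-cased domain of an address header ('' if none)."""
    _name, addr = email.utils.parseaddr(str(header_value))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def has_vba_project(data: bytes) -> bool:
    """True if `data` is an OOXML (zip) container holding a VBA project.
    Legacy binary .doc/.xls files are OLE containers, not zips, and need a
    different parser (for example oletools' olevba); they return False here."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(name.lower().endswith("vbaproject.bin")
                       for name in archive.namelist())
    except zipfile.BadZipFile:
        return False


def triage(raw_message: bytes) -> dict:
    """Parse a raw RFC 5322 message and report sender-alignment and macro findings."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    from_domain = sender_domain(msg["From"] or "")
    header_findings = []
    for header in ("Return-Path", "Reply-To"):
        value = msg[header]
        if value and sender_domain(value) != from_domain:
            header_findings.append(
                f"{header} domain {sender_domain(value)!r} differs from From domain {from_domain!r}")
    macro_attachments = [
        part.get_filename() or "<unnamed>"
        for part in msg.iter_attachments()
        if has_vba_project(part.get_payload(decode=True) or b"")
    ]
    return {
        "from_domain": from_domain,
        "header_findings": header_findings,
        "macro_attachments": macro_attachments,
        # Both red flags together: a spoofed-looking sender AND a macro carrier.
        "suspicious": bool(header_findings and macro_attachments),
    }


# --- constructed sample input (hypothetical domains, not the real 2015 lure) ---

def build_macro_xlsm() -> bytes:
    """Minimal zip shaped like a macro-enabled workbook; vbaProject.bin is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("xl/workbook.xml", "<workbook/>")
        archive.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
    return buf.getvalue()


def build_sample_email(spoofed: bool = True) -> bytes:
    """Visible From: claims a parliament-looking domain.  With spoofed=True the
    envelope and Reply-To point at an unrelated mailer and the attachment
    carries a VBA project; spoofed=False yields an aligned, macro-free message."""
    msg = EmailMessage()
    msg["From"] = "Secretariat <info@rada.example>"
    msg["To"] = "operator@utility.example"
    msg["Subject"] = "Urgent: parliamentary request"
    msg.set_content("Please review the attached document.")
    if spoofed:
        msg["Return-Path"] = "<bounce@mailer.example.net>"
        msg["Reply-To"] = "reply@mailer.example.net"
        msg.add_attachment(build_macro_xlsm(), maintype="application",
                           subtype="vnd.ms-excel.sheet.macroEnabled.12",
                           filename="request.xlsm")
    else:
        msg["Return-Path"] = "<info@rada.example>"
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("spoofed", build_sample_email(True)),
                       ("benign", build_sample_email(False))):
        print(label, triage(raw))
```

Header alignment alone is a weak signal (legitimate mailing services break it all the time), and a macro alone is common in business documents; the combination is what should route a message to a sandbox or an analyst before anyone is asked to click "Enable Content". For the legacy binary formats, swap `has_vba_project` for an OLE-aware parser rather than relying on the zip check.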

Here comes