Ukraine Mounts Investigation of Kiev Airport Cyberattack
Jan 20, 2016 7:00 AM PT
Ukrainian officials earlier this week said they had launched a probe into the source of a cyberattack that targeted the Boryspil International Airport in Kiev.
The attack may be related to the BlackEnergy malware attacks that recently targeted Ukrainian infrastructure facilities, apparently from a source inside Russia.
The Computer Emergency Response Team of Ukraine (CERT-UA) on Monday warned system administrators to be on the alert for the presence of BlackEnergy malware.
Links to Utility Attacks
The evidence shows a clear link to the BlackEnergy malware that took down utility companies and other targets in recent months, Robert Lipovsky, senior malware researcher at Eset North America, told TechNewsWorld.
The methodology often involves a spearphishing email, decoy document, or combination of both, according to Eset.
The BlackEnergy attack, which occurred in December, was a coordinated intentional cyberattack on Ukrainian power stations that reportedly left tens of thousands of customers in the dark.
"After analyzing the information that has been made available by affected power companies, researchers and the media it is clear that cyber attacks were directly responsible for power outages in Ukraine," noted John Hultquist, director of cyberespionage analysis at iSight Partners.
The attack on the Prykarpattyaoblenergo utility in the Western Ukraine was a "milestone" because it was the first major cyberattack to have a substantial effect on a civilian population, according to iSight. The malware intrusion and subsequent denial-of-service attack resulted in an outage that impacted at least 80,000 customers.
The Sandworm Team, a group that has been targeting various entities around the world -- including NATO, the European Union, and various telecommunications and energy sectors -- was responsible for the attack, according to iSight Partners.
The Sandworm Team has a history of targeting Ukrainian government officials, members of the EU and NATO. An attack in 2014 was linked to the use of zero-day exploit of CVE-2014-4114, a vulnerability Microsoft subsequently patched.
The recent attacks against Ukrainian utility companies employed a Trojan called "Trojan.Disakil," which also figured in recent attacks against Ukrainian media companies.
Breaking Down the Methodology
Researchers typically use several markers to discern the source of a cyberattack, noted Wes Widner, director of threat intelligence and machine learning at Norse.
One method is to analyze the command-and-control servers the malware attackers use, he told TechNewsWorld. Other methods include analyzing code similarities, strings found in the file, and general organization of the attack.
In this case, the Ukrainian officials determined that the C2 servers originated in Russia, Widner said.
"Just like fighting styles, malware tends to exhibit regional similarities," he pointed out.
Targeting an airport's IT network potentially could cause lasting damage, because airplanes are "fly-by-wire," and a disruption that affects the air traffic control system could lead to accidents during takeoff or landing, or a mid-air collision, Widner said.
"Moreover, controlling an airport's network can also have ramifications outside the airport, since airport instruments are often used by weather forecasters," he explained. "My guess is that the Ukraine either dodged a bullet, or else the attacker tipped their hand in order to let the Ukrainian government know how vulnerable they are."