
Ukraine Mounts Investigation of Kiev Airport Cyberattack

By David Jones
Jan 20, 2016 7:00 AM PT

Ukrainian officials earlier this week said they had launched a probe into the source of a cyberattack that targeted the Boryspil International Airport in Kiev.

The attack may be related to the BlackEnergy malware attacks that recently targeted Ukrainian infrastructure facilities, apparently from a source inside Russia.

The Computer Emergency Response Team of Ukraine (CERT-UA) on Monday warned system administrators to be on the alert for the presence of BlackEnergy malware.

Links to Utility Attacks

The evidence shows a clear link to the BlackEnergy malware that took down utility companies and other targets in recent months, Robert Lipovsky, senior malware researcher at Eset North America, told TechNewsWorld.

The methodology often involves a spearphishing email, decoy document, or combination of both, according to Eset.

The BlackEnergy attack, which occurred in December, was a coordinated intentional cyberattack on Ukrainian power stations that reportedly left tens of thousands of customers in the dark.

"After analyzing the information that has been made available by affected power companies, researchers and the media it is clear that cyber attacks were directly responsible for power outages in Ukraine," noted John Hultquist, director of cyberespionage analysis at iSight Partners.

The attack on the Prykarpattyaoblenergo utility in western Ukraine was a "milestone" because it was the first major cyberattack to have a substantial effect on a civilian population, according to iSight. The malware intrusion and subsequent denial-of-service attack resulted in an outage that impacted at least 80,000 customers.

The Sandworm Team, a group that has been targeting various entities around the world -- including NATO, the European Union, and various telecommunications and energy sectors -- was responsible for the attack, according to iSight Partners.

The Sandworm Team has a history of targeting Ukrainian government officials and members of the EU and NATO. An attack in 2014 was linked to a zero-day exploit of CVE-2014-4114, a vulnerability Microsoft subsequently patched.

The recent attacks against Ukrainian utility companies employed a Trojan called "Trojan.Disakil," which also figured in recent attacks against Ukrainian media companies.

Breaking Down the Methodology

Researchers typically use several markers to discern the source of a cyberattack, noted Wes Widner, director of threat intelligence and machine learning at Norse.

One method is to analyze the command-and-control servers the malware attackers use, he told TechNewsWorld. Other methods include analyzing code similarities, strings found in the file, and general organization of the attack.

In this case, the Ukrainian officials determined that the C2 servers originated in Russia, Widner said.

"Just like fighting styles, malware tends to exhibit regional similarities," he pointed out.
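The markers Widner lists (shared command-and-control infrastructure, code and string similarity, and the general organization of the attack) are what analysts compare when deciding whether a new sample belongs to a known campaign. The script below is an added example, not code from the article or from any of the firms quoted in it: it scores a constructed "airport" sample and a constructed unrelated sample against a constructed "known campaign" profile. Every hostname, string and section layout in it is a placeholder invented for the example, not a real BlackEnergy indicator, and the weights are arbitrary illustration values.

```python
"""Score how strongly a malware sample shares attribution markers with a
known campaign profile.

Added example (not from the article or any vendor's tooling). All sample
metadata below is constructed: the C2 hostnames, strings and PE section
layouts are placeholders, not real indicators of any malware family.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SampleProfile:
    name: str
    c2_hosts: frozenset          # C2 hostnames the sample contacts
    strings: frozenset           # notable strings extracted from the binary
    sections: tuple              # PE section names in order (layout marker)


def jaccard(a: frozenset, b: frozenset) -> float:
    """Set overlap in [0, 1]; two empty sets are treated as unrelated."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def compare(known: SampleProfile, candidate: SampleProfile) -> dict:
    """Compute the three marker classes the article mentions."""
    return {
        "shared_c2": sorted(known.c2_hosts & candidate.c2_hosts),
        "string_similarity": round(jaccard(known.strings, candidate.strings), 3),
        "same_section_layout": known.sections == candidate.sections,
    }


# Illustrative weights (assumption): shared infrastructure is the strongest
# signal, string overlap next, identical layout the weakest on its own.
WEIGHTS = {"shared_c2": 0.5, "string_similarity": 0.3, "same_section_layout": 0.2}


def cluster_score(report: dict) -> float:
    """Collapse a comparison report into a single 0..1 confidence value."""
    score = 0.0
    if report["shared_c2"]:
        score += WEIGHTS["shared_c2"]
    score += WEIGHTS["string_similarity"] * report["string_similarity"]
    if report["same_section_layout"]:
        score += WEIGHTS["same_section_layout"]
    return round(score, 3)


# Constructed profiles (placeholders, not real indicators).
KNOWN_CAMPAIGN = SampleProfile(
    name="known_campaign_sample",
    c2_hosts=frozenset({"c2-alpha.example", "c2-beta.example"}),
    strings=frozenset({"cmd_pipe_name", "cfg_update_interval",
                       "stage2_loader", "plugin_registry"}),
    sections=(".text", ".rdata", ".data", ".rsrc"),
)
AIRPORT_SAMPLE = SampleProfile(
    name="airport_sample",
    c2_hosts=frozenset({"c2-beta.example", "c2-gamma.example"}),
    strings=frozenset({"cmd_pipe_name", "cfg_update_interval",
                       "stage2_loader", "http_beacon"}),
    sections=(".text", ".rdata", ".data", ".rsrc"),
)
UNRELATED_SAMPLE = SampleProfile(
    name="unrelated_commodity_sample",
    c2_hosts=frozenset({"cdn-node.example"}),
    strings=frozenset({"http_beacon", "keylog_buffer"}),
    sections=(".text", ".data", ".rsrc"),
)


def score_against_known(candidate: SampleProfile) -> float:
    return cluster_score(compare(KNOWN_CAMPAIGN, candidate))


if __name__ == "__main__":
    for sample in (AIRPORT_SAMPLE, UNRELATED_SAMPLE):
        report = compare(KNOWN_CAMPAIGN, sample)
        print(sample.name, report, "score =", cluster_score(report))
```

A shared C2 host alone does not prove common authorship (infrastructure is rented, reused and sometimes deliberately borrowed), which is why the score combines several independent marker classes rather than treating any one of them as decisive.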

Targeting an airport's IT network potentially could cause lasting damage, because airplanes are "fly-by-wire," and a disruption that affects the air traffic control system could lead to accidents during takeoff or landing, or a mid-air collision, Widner said.

"Moreover, controlling an airport's network can also have ramifications outside the airport, since airport instruments are often used by weather forecasters," he explained. "My guess is that the Ukraine either dodged a bullet, or else the attacker tipped their hand in order to let the Ukrainian government know how vulnerable they are."

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.
