Russian Cyber Operations. Scott Jasper
Framework Application
James Clapper, former director of national intelligence, testified that “Russia is assuming a more assertive cyber posture based on its willingness to target critical infrastructure systems.”87 An examination of Russian cyber operations employed in a 2015 cyber incident targeting critical infrastructure in the energy sector in Ukraine demonstrates an application of the technical and legal framework for classification of the attack and any allowable response. The Russians were able to breach isolated power systems by the theft of field workers’ credentials and eventually cause damage to systems and disrupt services. Their use of a proxy group hampered a definitive determination of attribution necessary to lay blame for a violation of sovereignty, which is an internationally wrongful act.
Ukraine Power Grid
On December 23, 2015, three different distribution oblenergos (energy companies) in Ukraine experienced unscheduled power outages starting at 3:35 p.m. local time. External hackers had remotely accessed their control centers to take over their supervisory control and data acquisition (SCADA) distribution-management system. The hackers opened breakers at thirty distribution substations, causing more than 225,000 customers to lose power.88 The cyberattacks appeared to have been synchronized and coordinated following extensive reconnaissance. Company personnel reported they occurred at the three locations within thirty minutes of each other.89 At the conclusion of the onslaught, hackers wiped some systems with KillDisk malware, most likely in an attempt to interfere with expected restoration efforts.90 The oblenergos were forced to move to manual operations and fortunately were able to restore service in several hours. In addition to the intrusions, the attackers conducted a remote telephonic denial of service during the period of the outage. Thousands of bogus calls flooded the energy companies’ call centers to prevent impacted customers from reporting the outages. The intent seemed to be to frustrate the customers since they could not find out when the lights and heaters were expected to come back on in their homes.91
At the onset of the attack, an operator at the Prykarpattya region oblenergo witnessed the cursor on his computer move purposefully toward buttons controlling the circuit breakers at a regional substation. The cursor then clicked on a box to open the breakers, taking the substation off-line. The operator stared helplessly as one breaker after another was clicked open.92 However, the assault had begun long before this mysterious remote control occurred, when the perpetrators conducted reconnaissance of the company networks and stole operators’ credentials. The attacks began in the spring with a spear-phishing campaign that targeted both information technology (IT) staff and system administrators at multiple electrical distribution companies throughout Ukraine.93 The phishing emails, which appeared to come from a trusted source, contained Microsoft Word documents that were weaponized with embedded BlackEnergy 3 malware.94 When workers clicked on the attachment, a pop-up alert asked them to enable macros. If they complied, BlackEnergy infected their machines and opened a backdoor avenue for further infections. This method of intrusion exploited an intentional feature of the Microsoft Word program, rather than a vulnerability in an operating system or application.95
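A defender-side check for the attachment vector described above, added here as an example and not taken from the book: a mail-gateway or triage script can flag Office documents that carry a VBA project before a user is ever asked to "enable macros". It handles both the modern OOXML (zip) container and, heuristically, the legacy binary (CFB/OLE2) format; the sample documents it builds are constructed placeholders, not real documents or malware.

```python
import io
import zipfile
from dataclasses import dataclass

# OOXML parts and the content type that hold a VBA project (Word, Excel, PowerPoint).
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Legacy binary Office files are Compound File Binary (OLE2) containers.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# CFB directory entry names are UTF-16LE; a VBA project is stored under these names.
CFB_VBA_MARKERS = tuple(s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros"))

@dataclass
class MacroVerdict:
    container: str  # "ooxml", "cfb" or "unknown"
    has_vba: bool   # True when a VBA project was found

def inspect_office_attachment(data: bytes) -> MacroVerdict:
    """Flag an Office attachment that carries VBA macros, whichever container it uses."""
    if data.startswith(CFB_MAGIC):
        # Heuristic for .doc/.xls: look for VBA storage/stream names in the directory.
        return MacroVerdict("cfb", any(m in data for m in CFB_VBA_MARKERS))
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            has_part = any(p in names for p in VBA_PARTS)
            declared = False
            if "[Content_Types].xml" in names:
                declared = VBA_CONTENT_TYPE in zf.read("[Content_Types].xml").decode("utf-8", "replace")
            # Either signal is enough: a renamed .docm still contains the part.
            return MacroVerdict("ooxml", has_part or declared)
    except zipfile.BadZipFile:
        return MacroVerdict("unknown", False)

def build_sample_docx(with_vba: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real document."""
    types = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_vba:
        types += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    types += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder vba project\x00")
    return buf.getvalue()

def build_sample_cfb(with_vba: bool) -> bytes:
    """Constructed stand-in for a legacy .doc: correct magic plus directory-name markers."""
    body = "WordDocument".encode("utf-16-le")
    if with_vba:
        body += "Macros".encode("utf-16-le") + "_VBA_PROJECT".encode("utf-16-le")
    return CFB_MAGIC + b"\x00" * 8 + body
```

The CFB branch is a string-match heuristic; a production gateway would parse the directory properly (for example with oletools) and quarantine rather than merely flag.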
After being downloaded, BlackEnergy 3 connected to a command-and-control channel for the hackers to communicate with the malware.96 The hackers mapped networks and moved laterally throughout the environment, blending into the target’s systems to evade detection.97 Eventually they gained access to the Windows domain controllers and harvested workers’ credentials. Even though the companies had segmented the corporate network from the SCADA networks that controlled the grid, the hackers now had a way to access the latter through virtual private networks (VPNs) the grid workers used to remotely log in.98 Once inside the SCADA networks, they reconfigured the uninterruptible power supply for two of the control centers so operators would lose and not regain power during the assault.99 They also wrote and uploaded malicious firmware for the serial-to-Ethernet converters at more than a dozen of the substations. Replacing legitimate firmware meant the attackers could prevent operators from sending remote commands to reopen breakers during the blackout. Now that they were “armed with the malicious firmware, the attackers were ready for their assault.”100
Shortly after the outage, the Security Service of Ukraine claimed that Russian security services were responsible for the cyber incident.101 Robert Lee, cofounder of Dragos Security, shied away from quick attribution but suggested that different types of actors worked on different phases of the operation: “It could have started out with cybercriminals getting initial access to the network, then handing it off to nation-state attackers who did the rest.”102 Eventually the cyber-threat intelligence firm iSight Partners blamed the Russian hacking group known as Sandworm for the power outage.103 Its conclusion was based on detailed analysis of the BlackEnergy 3 and KillDisk malware used in the operation. Although iSight said it was not clear whether Sandworm was directly working for Moscow, its director of espionage analysis, John Hultquist, stated that it was “a Russian actor operating with alignment to the interest of the state.”104 A profile of politically oriented operations by the Sandworm team suggests “some affiliation to the Russian government.”105 However, alignment with Russian state interests “does not prove state support.”106 No proof has been presented that Sandworm operated on the instructions of, or under the direction or control of, the Russian government.
Regardless of the lack of clear attribution to the state, the fact remains that the pro-Russian group Sandworm conducted the first-ever cyberattack on another country’s electric grid.107 The hackers had the ability to cause more damage to the circuit breakers, permanently taking the stations off-line, but chose not to. This restraint may have been “meant to signal Russia’s capability to attack Ukraine’s physical infrastructure, but without doing irreparable damage.”108 The signal could have been more of a warning, for the Ukrainian parliament was at the time considering a bill to nationalize privately owned power companies in Ukraine, some owned by Russian oligarchs.109 Either way, the widespread impact, during winter, was mainly psychological. Power was restored in one to six hours, and even though the malicious firmware operationally impaired the breakers for months, workers could still control them manually.