Business Continuity Management / Disaster Recovery
Critical Infrastructure Security
DTEK Group Alleges Russian Hackers/Military Behind Hybrid Attacks
Ukrainian private energy firm DTEK Group alleges that the Russian federation has carried out a cyberattack against its facilities, crippling its infrastructure in retaliation for its owners’ support of the country in its war against Russian invaders.
“The attackers’ goal was to destabilize the technological processes at power generating and distribution companies and undermine Ukraine’s energy security as well as to spread deliberately false information about the companies’ operation through state propaganda agencies and as a result, leave Ukrainian consumers without power,” the group says in a statement.
— DTEK Group (@dtek_en) July 1, 2022
The cyber incident was reported at the same time as it was reported that a missile attack on the Kryvorizka Thermal Power Plant took place, also attacking the company’s digital infrastructure.
“Cyberattacks are very much embedded and an integral part of traditional warfare. Rather than disrupting power through physical force, if the same outcome can be achieved through digital means, it will remain an appealing option,” says Javvad Malik, lead security awareness advocate at security firm KnowBe4. “It is why nations need to invest in the digital security of their critical infrastructure, just as much as they invest in the physical security because either form of attack can have an equally adverse impact.”
More details about the attacks are awaited. A spokesperson for DTEK was not immediately available to comment.
XakNet Claims Responsibility
XakNet Team, a hacking group, claimed the responsibility for the attack on DTEK and said that it will send a proposal with demands to Ukrainian billionaire, Rinat Akhmetov, who is also the owner of the DTEK group.
Мы вчера взломали ДТЭК. Ринату Ахметову в течении 30 минут передадим свои требования. Кстати, после вчерашней публикации и ряда мер со стороны ДТЭК, сегодня мы вошли туда снова. Опубликуем свежий файл с их уязвимостями 😀
— XakNet team (@XaknetTeam) June 29, 2022
“I confirm XakNet Team Telegram chatter claiming to have breached DTEK on June 29th. The chats mention that no harm was done to the operations, but XakNet Team said they would come back with terms for an exchange of the backdoors they found in the DTEK network. They also added they are not out for money, which fits the narrative of a Hacktivist group,” says Pascal Geenens, director of threat intelligence at Radware.
Geenens says it is unclear who is connected to whom, or who accepts tasks from whom in this cyberwar and hacktivist groups can serve as proxies for nations, while others are fighting for what, from their point of view, is justice for their people.
“There is a lot of activity and cross chatter with many groups being active and sharing their exploits and tasks across multiple groups. These are challenging times for attribution or even understanding to the full extent of the motivations and drivers behind each group,” Geenens says.
In an interview with Russian OSINT, a spokesperson said that the group is a qualified specialist in information security, with good salaries.
“The costs are not as much as it seems. And with a salary of 300+ thousand rubles + additional work, to provide some illegal services is just stupid. We do not accept donations, although they are often offered. If they ask persistently, we send them to any Russian charitable foundation, where they help sick children at the discretion of the donor. Why accept donations when you have enough financial resources? The idea is not traded, it is lived,” the hacking group says.
In April, members of the Five Eyes intelligence alliance, in a joint cybersecurity advisory, warned that the Russian government hackers and cybercrime groups are teaming up to launch cyberattacks against the West in retaliation for its support of Ukraine.
The advisory had also mentioned XakNet Team posing a threat to critical infrastructure (see: Five Eyes Warns of Russian Hacks on Critical Infrastructure).
The DTEK group says it registered a “significant” spike in the enemy’s cyber activities in March, while it was promoting the Stop Bloody Energy project, a project by the Ukrainian energy companies urging Western companies to stop cooperating with Russia in the fuel and energy sector.
The group also alleges that several large investors withdrew from the aggressor’s energy projects after their active participation in promoting the Stop Bloody Energy project, which was actively supported by Ukrainian society and the global cyber community.
“The enemy’s special focus on actively attacking DTEK’s facilities can be explained by the firm and proactive position taken by the company’s (primary) shareholder Rinat Akhmetov with regards to Russia’s barbaric war against Ukraine and massive assistance provided to the Ukrainian army and support to Ukrainians,” DTEK says. Akhmetov, originally from Crimea, which is now occupied by Russia, owns significant heavy industry facilities, including power stations and coal mines in the Donetsk region of Ukraine, the area which is a primary objective of Russia’s invasion.
Jim Simpson, director of threat intelligence at Searchlight Security, tells Information Security Media Group that it spotted a post on RaidForums in January, showing a user selling DTEK employee credentials and the vulnerability used to extract them.
“While it is not guaranteed that the post is related to this recent attack, it does support the idea that the conglomerate has been a target for several months,” Simpson says.
However, this is not the first large attempt by cybercriminals to interfere with the operation of Ukraine’s power system. In April, the Computer Emergency Response Team of Ukraine (CERT-UA) confirmed reports about the targeted attacks on a Ukrainian energy facility (see: Russia-Linked Sandworm Attacks Ukrainian Energy Facility).
In a joint operation carried out by the Ukrainian CERT with security companies Microsoft and firm ESET, it was found that an ICS-capable malware and several regular disk wipers for Windows, Linux, and Solaris operating systems were used in the attack.
CERT-UA said that it averted the execution of these malware that were scheduled to trigger at very specific times on the evening of April 8, and prevented further damages.
In a press briefing held by the Ukrainian government, Farid Safarov, Deputy Minister of Energy for Digital Development, Digital Transformation and Digitization, says that this attack was targeted at a single private energy company with operations at a couple of locations, and had the attack been successfully executed, it would have impacted two million civilians in the region where the energy company supplies electricity.
Ukraine’s power infrastructure has been the target of Russian Groups several times over the past decade (see Ukraine Blackout Redux: Hacking Confirmed)