The Ukrainian government said that Russia is behind cyber-attacks that have left its largest airport infected with the Black Energy malware.
Ukraine's Computer Emergency Response Team (CERT-UA) warned of the threat of further attacks.
Black Energy malware, which previously was found to have infected three Ukrainian power firms in late December, was detected on a server in the network of Kiev's main airport, Boryspil, last week. The infrastructure also includes the airport's air traffic control systems.
The importance of the airport to Ukraine cannot be overstated, as it handles around 65 percent of the country's air traffic.
"Specialists of the State Service of Special Communications prevented a possible hacker attack by Russia," said Andriy Lysenko, presidential administration spokesman for the Anti-Terrorist Operation (ATO), according to reports from the Ukrainian Interfax news agency.
“Yesterday, the communications specialists established that one of the workstations at the Boryspil airport was infected by the Black Energy virus. The PC was disconnected from the airport's network, and the experts from the CERT UA group were informed of the incident,” he added.
He said that the attack was under investigation and that malware similar to this current one was discovered during an attack on Prykarpattiaoblenergo, a Ukrainian power supply company. This attack led to power outages throughout the country. That malware was later confirmed by Eset to be from a known nation-state hacking group with links to Russia.
In a statement, Ukraine's CERT-UA cyber-security organisation said that systems administrators should check log files for signs of suspicious activity.
Chris Boyd, malware intelligence analyst at Malwarebytes, told SCMagazineUK.com that while there is always a strong temptation to definitively state who is responsible for attacks such as these, “I feel it rather plays into the hands of the people behind it – nobody attempts something like this without a plausible alibi, and all too often we see further fallouts as a result of wrongly apportioned blame.”
He added: “It's more prudent to try and figure out how they did it, and take steps to ensure it can't happen again – or at the very least, make it much more difficult to achieve next time around.”
Tim Erlin, director of security and product management at Tripwire, told SC that cyber-attack attribution isn't always easy to get right, and rarely does the technical evidence for assigning responsibility to a nation-state get presented publicly.
“Cyber-attacks are now part of the political climate. Anytime one nation blames another for a breach, we have to consider the political motivations as well as any evidence presented,” Erlin said.
Chris McIntosh, CEO of security and communications company ViaSat UK, told SC that the Ukraine hack represents a key security issue facing critical infrastructure – be it airports, railways, power plants or water supply – and the growth in incidents of this type of attack is going to be astronomical.
“I see nations and governments being involved in cyber-attacks becoming the norm, since these attacks are relatively cheap and effective. Therefore, when countries are considering how they can disrupt, how they can have political power and force over another nation, cyber is going to become the way that it will be done,” he said.
Dave Palmer, director of technology at Darktrace, told SC that learning from successful new attacks and applying this knowledge to other networks has helped to identify the attacks against the airport system. “However, the approach is of course retrospective, so forward-looking companies are adopting ‘immune systems’ that learn what is normal within the organisation and can detect a threat as soon as it starts to emerge, enabling them to respond before an attack becomes a business crisis,” he said.