Hackers were able to cut the power to about 700,000 homes in Ukraine last month — marking the first time a cyberattack caused a blackout — and the way they did it was equal parts simple and scary.
Though the Dec. 23 attack on a power company in Ukraine's Ivano-Frankivsk region caused people to lose electricity for at least a few hours, it wasn't all that sophisticated. The hackers got malware called "BlackEnergy" onto the company's systems using little more than email.
"It was a targeted phishing email with an Excel spreadsheet attached," said Rohyt Belani, CEO of PhishMe, of emails designed to trick users into performing a task or giving up information. In the case of the Ukraine attack, Belani said those emails were sent to workers and tricked people into running malicious software.
It worked like this:
Cyberattackers conducted research on their target and identified people at the power company who might open and run their malware. Once identified, the attackers sent them a spoofed (faked as if it came from a different email address) message with an Excel spreadsheet attached.
After the user opened the Excel file, it told them the document was created in a newer version of Microsoft Office, and "Macros must be enabled to display the contents." It went on to show how a user could enable macros — a built-in feature that allows tasks to be automated in Office that hackers often use to insert malicious code.
Once macros were enabled, BlackEnergy was loaded onto the system, which gave the attacker the ability to control the computer, delete files, or make the system unbootable. In essence, there was very little "hacking" because users basically infected the machines themselves without even knowing it.
The hackers, which some believe to be a Russian-linked group dubbed Sandworm, then took some of the systems offline, triggering the blackout.
"It's certainly not surprising," Joanie Myers, a cybersecurity expert with Strategic Link Partners , told Tech Insider in a phone interview last month. "If you look at the power grid, it's a set of snapped-in associations ... an attack against one piece of it can cause multiple pieces to fail."
This style of attack is very common. Cybersecurity firm Trend Micro found a staggering 91% of targeted attacks involved spear-phishing emails, or emails that contained specifics on the person targeted.
"One of the things I find quite ironic," Belani said. "Is that we’ve been seeing this sort of script play out again and again. We’re still dealing with a very similar issue with sort of catastrophic consequences."
Belani's company PhishMe specializes in helping companies avoid these types of attacks, offering phishing simulators and detection software. But even with plenty of training and expensive cybersecurity solutions, he says there is no "silver bullet."
In fact, even his own company has suffered from phishing attacks. Belani once received an email that apparently came from his CTO Aaron Higbee, warning that there was a massive software bug in their new product. "[The attackers] knew the right emotional triggers to get me," he said.
In the email was a PDF, but just before he was going to open it, Belani said he took a step back to analyze the situation. His suspicions were raised by the attachment and by the message starting with "Dear Rohyt" — two things his CTO would never put in an email.
That skepticism is what Belani recommends for everyone when dealing with emails. Hackers can make an email look like it came from a trusted friend, or ask users to perform a task. So before doing so, users should double-check the message contents, and be wary about opening any attachments.
"The user is so unconditioned that email is the means of transporting attacks," he said.