# Hack on Ukrainian Power Grid Highlights the Urgency for Accelerated Threat Intelligence in Industrial Control Systems

By [Del Rodillas](https://www.paloaltonetworks.com/blog/author/del-rodillas/?ts=markdown "Posts by Del Rodillas"), Apr 07, 2016 (6 minute read). Categories: [SCADA & ICS](https://www.paloaltonetworks.com/blog/category/scada-ics/?ts=markdown), [Security Platform](https://www.paloaltonetworks.com/blog/category/security-platform/?ts=markdown). Tags: [AutoFocus](https://www.paloaltonetworks.com/blog/tag/autofocus/?ts=markdown), [PAN-OS 7.1](https://www.paloaltonetworks.com/blog/tag/pan-os-7-1/?ts=markdown), [WildFire](https://www.paloaltonetworks.com/blog/tag/wildfire/?ts=markdown)

Recent and more conclusive reports on the cyberattack on a Ukrainian power grid, such as the article
reported in [Wired Magazine](http://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/), confirmed the level of sophistication of this campaign. The net result, a mass power outage for hundreds of thousands of people, is striking enough, but the highly coordinated events leading up to the outage were, perhaps, even more so. If one could call advanced persistent threats artists, this campaign would rank among the hacking community's best masterpieces to date.

### Considerations for the Operational-Technology Attack Phase

The OT components of the combined IT-OT "pivoted" attack (the same pathway used in the German steel mill hack of 2014) were precisely integrated and serve as evidence of the attackers' deep knowledge of OT in general and of this particular utility's infrastructure. Consider the sequence: stolen credentials used to reach remote management applications (e.g., SSH) over VPN; quietly commandeered SCADA hosts used to issue ICS protocol commands that opened breakers; firmware on serial-to-Ethernet converters overwritten so that the field devices could no longer be reached remotely; and, finally, SCADA hosts wiped with the KillDisk malware. Each of these cyber components was essentially unprecedented, at least in terms of a publicly disclosed, successful attack leading to a mass outage.

Reports indicate the utility did have a firewall at the IT-OT perimeter. That raises two questions: was there any more granular segmentation beyond the edge, and were the firewall logs being proactively monitored and analyzed? An equally important question is: just what kind of firewall was this? If it was only a stateful inspection firewall, then it would not be too surprising that the attackers went undetected, given the rudimentary port and IP visibility offered by such legacy technology. A stateful firewall sees a permitted TCP session to port 502; it does not see that a host which has never acted as a Modbus master is suddenly writing to outstations.
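The segmentation and log-monitoring questions raised above are concrete enough to check mechanically. The Python script below is an added example, not code from the original post or from Palo Alto Networks. It assumes a hypothetical zone layout (IT, VPN, OT-SCADA, OT-FIELD), a hand-written allow-list of which hosts may originate ICS or remote-management flows across zone boundaries, and a constructed, simplified CSV log format (real PAN-OS traffic logs carry many more fields). It flags three things: cross-zone ICS or remote-management traffic from a host that is not an approved originator, VPN users landing directly in an OT zone instead of on a jump host, and flows whose port-only classification disagrees with the application actually identified on the wire, which is exactly the distinction between a stateful and an application-aware firewall.

```python
"""Segmentation-policy audit over constructed firewall traffic logs.

Added example; zone layout, allow-list and log lines are all hypothetical.
"""
from __future__ import annotations

import csv
import io
import ipaddress
from dataclasses import dataclass

# Hypothetical zone map for a small utility network.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "VPN": ipaddress.ip_network("10.99.0.0/24"),          # remote-access user pool
    "OT-SCADA": ipaddress.ip_network("192.168.50.0/24"),  # HMIs, historians, engineering hosts
    "OT-FIELD": ipaddress.ip_network("192.168.60.0/24"),  # RTUs, serial-to-Ethernet converters
}

# What a port-only (stateful) firewall would infer from the destination port.
PORT_APPS = {502: "modbus", 20000: "dnp3", 2404: "iec-104",
             22: "ssh", 3389: "rdp", 5900: "vnc", 443: "ssl"}
ICS_APPS = {"modbus", "dnp3", "iec-104"}
REMOTE_MGMT_APPS = {"ssh", "rdp", "vnc"}

# Allow-list: (src_zone, dst_zone, app) -> hosts permitted to originate that flow.
# Any cross-zone flow in ICS_APPS or REMOTE_MGMT_APPS not listed here is a finding.
ALLOWED = {
    ("OT-SCADA", "OT-FIELD", "modbus"): {"192.168.50.10", "192.168.50.11"},  # the two HMIs
    ("OT-SCADA", "OT-FIELD", "dnp3"): {"192.168.50.10"},
    ("IT", "OT-SCADA", "ssh"): {"10.10.5.20"},  # a single jump host, one protocol
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    app: str   # application as identified by content inspection, not by port
    user: str


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def parse_logs(text: str) -> list[Flow]:
    """Parse the constructed CSV format: ts,src,dst,dport,app,user."""
    rows = csv.DictReader(io.StringIO(text.strip()))
    return [Flow(r["ts"], r["src"], r["dst"], int(r["dport"]), r["app"], r["user"])
            for r in rows]


def evaluate(flow: Flow) -> list[str]:
    """Return the policy violations for one flow (empty list if clean)."""
    findings: list[str] = []
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return findings  # intra-zone traffic is outside this perimeter policy

    # 1. ICS or remote-management protocol crossing a zone boundary must be allow-listed,
    #    and only approved hosts (HMIs, the jump host) may originate it.
    if flow.app in ICS_APPS or flow.app in REMOTE_MGMT_APPS:
        hosts = ALLOWED.get((src_zone, dst_zone, flow.app))
        if hosts is None:
            findings.append(f"no-policy: {flow.app} from {src_zone} to {dst_zone}")
        elif flow.src not in hosts:
            findings.append(f"unexpected-source: {flow.src} is not an approved "
                            f"{flow.app} originator for {dst_zone}")

    # 2. Remote-access users should land on a jump host, never directly in OT.
    if src_zone == "VPN" and dst_zone.startswith("OT"):
        findings.append(f"vpn-direct-to-ot: user {flow.user} reached {dst_zone}")

    # 3. The port says one thing, the content another: invisible to a stateful firewall.
    expected = PORT_APPS.get(flow.dport)
    if expected is not None and expected != flow.app:
        findings.append(f"port-app-mismatch: port {flow.dport} carried {flow.app}, "
                        f"not {expected}")
    return findings


def audit(text: str) -> dict[str, list[str]]:
    """Map each offending flow's timestamp to its findings."""
    report: dict[str, list[str]] = {}
    for flow in parse_logs(text):
        hits = evaluate(flow)
        if hits:
            report[flow.ts] = hits
    return report


# Constructed sample: six flows, three of which should be flagged.
SAMPLE_LOGS = """\
ts,src,dst,dport,app,user
2016-01-05T15:01:02,192.168.50.10,192.168.60.21,502,modbus,svc-hmi
2016-01-05T15:02:10,10.99.0.17,192.168.50.10,3389,rdp,j.operator
2016-01-05T15:03:44,10.10.7.33,192.168.60.21,502,modbus,j.operator
2016-01-05T15:04:01,10.10.5.20,192.168.50.10,22,ssh,admin
2016-01-05T15:05:12,10.10.7.33,192.168.60.22,443,ssh,j.operator
2016-01-05T15:06:30,10.10.5.20,192.168.50.12,22,ssh,admin
"""

if __name__ == "__main__":
    for ts, hits in audit(SAMPLE_LOGS).items():
        print(ts, *hits, sep="\n  ")
```

The third check is the one a stateful firewall cannot make at all: the flow to port 443 is SSH, not TLS, so a port-based rule that permits "HTTPS" would pass it. The other two checks only need zone and allow-list data, which is to say they need the granular segmentation the post asks about, plus someone actually reading the logs.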
Next-generation firewalls, on the other hand, provide visibility (and access control) at the application, protocol, user and content levels while simultaneously applying built-in threat prevention (exploits, viruses, C2 traffic). Such visibility might have helped identify and stop the OT-specific attacks, which used stolen accounts to misuse a range of business, remote management and ICS protocols, and which deployed malware such as KillDisk. Maybe. Maybe not. But is this the right area of focus for the post-mortem analysis?

### Nip it in the Bud -- Stopping the IT Attack Phase

What wasn't clear in the reports was how quickly the OT portion of the operation was conducted. Given how skilled and knowledgeable these attackers were, it wouldn't be a surprise if the time from the initial OT breach to the outage was measured in weeks or days (hours would be really impressive). What's interesting is that the campaign seems to have started back in the spring of 2015, with social engineering aimed at the IT infrastructure of the utility and its business partners. In other words, the attackers were running their reconnaissance operations for months before actually carrying out the physical part of the attack.

Rather than talking about how the OT portion of the attack could have been prevented, a more forward-thinking question is: what could have been done to prevent the attackers from breaching the IT network to begin with, and to stop the theft of the credentials later used to breach the OT? What made the initial stage of this campaign so evasive was the combination of very effective social engineering and "zero-day" malware, zero-day in the sense that the specific sample had not been seen before: the attackers repurposed an old-school method (tricking the user into enabling an embedded malicious macro) and an existing malware toolkit (BlackEnergy) to establish a beachhead inside the utility organization.
The simple fact that this particular malicious attachment had never been fingerprinted by host or network antivirus products allowed it to quietly circumvent existing security provisions. It is this zero-day element that many organizations are not capable of addressing, because they don't have tools that can act on attacks never seen before in the wild. Given the rising ICS advanced-threat landscape and the severe consequences of a breach of ICS (as was the case here), there is a strong argument that operators of critical infrastructure need to make sure they can address similar campaigns in the future, and develop more sophisticated security capabilities.

### Accelerating Threat Intelligence in IT and OT with PAN-OS 7.1

We already covered in an earlier [blog post](https://www.paloaltonetworks.com/blog/2016/02/grid-security-is-top-of-mind-in-2016-nerc-cip-and-the-ukrainian-grid-attack/?ts=markdown) how our WildFire and AutoFocus technologies help in detecting and preventing zero-day threats, including BlackEnergy. With our latest [PAN-OS 7.1 release](https://www.paloaltonetworks.com/blog/2016/04/ignite-announcement-pan-os-7-1/?ts=markdown), we are pleased to say that we have made these capabilities even more powerful. WildFire, the service that lets the user quickly identify zero-day threats and deploy protective measures, has been beefed up to perform these functions 70 percent faster than before: users can now detect and prevent zero-day attacks in as little as five minutes. In addition, its ability to stop the universe of unknown threats has been improved with new machine-learning algorithms, which instantly stop variations of known malware even if WildFire has never seen them. These algorithms also reduce analysis time for Portable Executable (PE) variants of known malware.
The new release of AutoFocus received an upgrade that tightens its integration with PAN-OS 7.1 and Panorama. The new capabilities bring more advanced-threat context to the entire organization, simplifying response efforts for the most critical attacks in a single, easy-to-use console. This puts the largest collection of unknown-malware data at your fingertips, allowing you to turn analysis of unique, targeted attacks into proactive protections by blocking malicious domains, IP addresses and URLs with AutoFocus and PAN-OS dynamic block lists. AutoFocus also adds the ability to bring threat intelligence into your existing security operations workflow with an improved API and support for the STIX information-sharing standard.

### Learn More

Advanced network security via a next-generation firewall is necessary, but to combat the more sophisticated threats that use zero-day attacks, one needs equally sophisticated capabilities. The threat intelligence cloud component (used by the WildFire and AutoFocus services) and Advanced Endpoint Protection of our Next-Generation Security Platform were designed to prevent attacks from such threats with as much automation as possible. Learn more about our platform capabilities by reading this [whitepaper on 21st Century SCADA Security](https://www.paloaltonetworks.com/resources/whitepapers/21-century-cybersecurity-protection-platform-ics.html?ts=markdown) and by visiting the resources below.
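The indicator-to-block-list step described in the AutoFocus paragraph above is the part of that workflow a practitioner ends up scripting. The Python below is an added example, not AutoFocus code or its API. It assumes the threat-intelligence feed arrives as a STIX 2.1 JSON bundle (the post does not name a STIX version; STIX 1.x feeds are XML and would need a different parser), handles only simple `[type:value = '...']` comparisons (OR-ed patterns yield several entries; AND-ed or negated ones are skipped), drops revoked indicators and observable types with no block-list equivalent such as file hashes, and writes ip, domain and url lists in the one-entry-per-line form that PAN-OS External Dynamic Lists fetch over HTTP(S). URL entries are written without a scheme, as host/path. Every indicator value in the constructed bundle comes from documentation or reserved ranges.

```python
"""Turn STIX 2.1 indicators into PAN-OS External Dynamic List (EDL) text files.

Added example with a constructed bundle; not AutoFocus output or its API.
"""
from __future__ import annotations

import ipaddress
import json
import re
from urllib.parse import urlsplit

# One simple comparison: [<object>:value = '<literal>']. Patterns joined with OR
# yield several matches; AND-ed or negated comparisons are deliberately not supported.
COMPARISON = re.compile(r"\[(ipv4-addr|ipv6-addr|domain-name|url):value\s*=\s*'([^']+)'\]")

# EDL list type per STIX observable type.
LIST_FOR = {"ipv4-addr": "ip", "ipv6-addr": "ip", "domain-name": "domain", "url": "url"}


def normalize(kind: str, value: str) -> str | None:
    """Validate one indicator value and return the EDL line for it, or None to drop it."""
    if kind == "ip":
        try:  # EDL IP lists accept single addresses and CIDR blocks
            net = ipaddress.ip_network(value.strip(), strict=False)
        except ValueError:
            return None
        return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
    if kind == "domain":
        value = value.strip().lower().rstrip(".")
        return value if re.fullmatch(r"[a-z0-9.-]+", value) and "." in value else None
    if kind == "url":
        parts = urlsplit(value if "://" in value else "//" + value)
        if not parts.hostname:
            return None
        # Assumption: URL list entries are written as host/path without the scheme.
        path = parts.path or "/"
        return parts.netloc.lower() + path + (f"?{parts.query}" if parts.query else "")
    return None


def stix_to_edl(bundle_json: str) -> dict[str, list[str]]:
    """Return {"ip": [...], "domain": [...], "url": [...]} with deduplicated, sorted entries."""
    bundle = json.loads(bundle_json)
    lists: dict[str, set[str]] = {"ip": set(), "domain": set(), "url": set()}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # e.g. YARA or Snort patterns cannot become EDL lines
        for stix_type, literal in COMPARISON.findall(obj.get("pattern", "")):
            kind = LIST_FOR[stix_type]
            line = normalize(kind, literal)
            if line is not None:
                lists[kind].add(line)
    return {kind: sorted(entries) for kind, entries in lists.items()}


def render_edl_files(lists: dict[str, list[str]]) -> dict[str, str]:
    """One file per non-empty list; the firewall fetches these and refreshes on a schedule."""
    return {f"{kind}.txt": "\n".join(entries) + "\n"
            for kind, entries in lists.items() if entries}


# Constructed STIX 2.1 bundle; addresses and names are documentation/reserved values.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--1", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.23']", "valid_from": "2016-03-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--2", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.0/24']", "valid_from": "2016-03-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--3", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.net'] OR [domain-name:value = 'cdn.example.org']",
         "valid_from": "2016-03-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--4", "pattern_type": "stix",
         "pattern": "[url:value = 'http://cdn.example.org/stage/payload.php?id=7']",
         "valid_from": "2016-03-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--5", "pattern_type": "stix",  # hash: no EDL form
         "pattern": "[file:hashes.'SHA-256' = '0000000000000000000000000000000000000000000000000000000000000000']",
         "valid_from": "2016-03-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--6", "pattern_type": "stix", "revoked": True,
         "pattern": "[ipv4-addr:value = '198.51.100.99']", "valid_from": "2016-03-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--7", "pattern_type": "stix",  # duplicate of --1
         "pattern": "[ipv4-addr:value = '198.51.100.23']", "valid_from": "2016-03-01T00:00:00Z"},
        {"type": "malware", "id": "malware--1", "name": "constructed-sample", "is_family": False},
    ],
})

if __name__ == "__main__":
    for name, body in render_edl_files(stix_to_edl(SAMPLE_BUNDLE)).items():
        print(f"--- {name}\n{body}", end="")
```

Validation before emission matters more than it looks: a single malformed line can make the firewall reject the whole list on refresh, which silently removes every block that list provided. Revoked indicators are dropped rather than carried forward so that a retracted false positive stops being enforced at the next fetch.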
* [PAN-OS 7.1 release](https://www.paloaltonetworks.com/products/new/new-panos7-1?ts=markdown)
* [Technical Documentation: Five Minute WildFire Updates](https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/wildfire-features/five-minute-wildfire-updates.html?ts=markdown)
* [Technical Documentation: PAN-OS Log Integration with AutoFocus](https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/management-features/pan-os-log-integration-with-autofocus.html?ts=markdown)
* [Technical Documentation: AutoFocus API STIX Support](https://www.paloaltonetworks.com/documentation/autofocus/autofocus/new-feature-guide/new-features-march-2016/autofocus-api-stix-support.html?ts=markdown)