KIEV (Reuters) - Hackers were able to attack four sections of Ukraine's power grid with malware late last year because of basic security lapses and they could take down other industrial facilities at any time, a consultant to government investigators said.
Three power cuts reported in separate areas of western and central Ukraine in late December were the first known electrical outages caused by cyber attacks, causing consternation among businesses and officials around the world.
The consultant, Oleh Sych, told Reuters a fourth Ukrainian energy company had been affected by a lesser attack in October, but declined to name it.
He also said a similar type of malware had been identified by the Ukrainian anti-virus software company Zillya! where he works as far back as July, making it impossible to know how many other systems were at risk.
"This is the scariest thing - we're living on a powder keg. We don't know where else has been compromised. We can protect everything, we can teach administrators never to open emails, but the system is already infected," he said.
Sych, whose firm is advising the State Security Service SBU and a commission set up by the energy ministry, said power distributors had ignored their own security rules by allowing critical computers to be hooked up to the Internet when they should have been kept within an internal network.
This so-called "air gap" separates computer systems from any outside Internet connections accessible to hackers.
"A possible objective was to bring down some branches (of the Ukrainian energy system) and create a 'domino effect' to collapse the entire system of Ukraine or a significant part," Sych said.
Ukraine has also been targeted in other cyber attacks, which included hacking into the system of Ukraine's biggest airport and TV news channels.
Security services and the military blamed the attacks on Russia, an allegation dismissed by the Kremlin as evidence of Ukraine's tendency to accuse Russia of "all mortal sins".
Russia annexed Crimea from Ukraine in 2014 and has supported separatist rebels in east of the former Soviet republic, arguing that Kiev's Western-backed government, elected after the Moscow-backed president fled widespread protests, was illegitimate.
Sych, who said he could not reveal all the details of the probe, said there was no conclusive evidence that the attacks originated in Russia. One of the emails was sent from the server of a German university, another from the United States, he said.
International cyber-security researchers who have studied the attacks believe the attackers broke into networks by sending targeted emails designed to trick utility insiders to click on Excel documents that were poisoned with malware used to gain control inside the networks.
Sych agreed, saying:
"We understand that this couldn't have happened without an insider. To carry out this kind of attack you need to know what kind of operating system and SCADA (supervisory control and data acquisition) are used and what software controls the industrial facility," he said.
SCADA software is widely used to control industrial systems worldwide.
"The attackers must have known what software was installed ... to test (the malware) on it. Clearly preliminary investigations were carried out and this was easy to do with this kind of insider information."
He said the hackers had sent the e-mails in question to workers at the affected power distribution companies with infected Word or Excel files that were meant to look like official correspondence from the energy ministry.
They contained topics that would have been recognizable to the workers and were not sent out en masse but targeted certain individuals instead. One of the emails was about regional electricity production levels, he said.
"It was all very simple and stupid," Sych said, adding that the hackers totally wiped the data of some of the computers in one of the firms.
Details of the impact of the attacks have been sketchy, but one is reported to have affected 80,000 customers for two hours. The three named companies declined to comment on Sych's remarks.
"All experts agree this sort of attack on electric utilities or other critical infrastructure was bound to happen because engineering-wise, physics-wise it is technically possible to do," said Kenneth Geers, a Kiev-based national security analyst who worked for U.S. intelligence agencies for 20 years until 2013.
All it takes is political will or opportunism to try something like this, he said.
Ukrainian Deputy Energy Minister Oleksander Svetelyk has also accused the companies of lapses, saying on Tuesday there had been a "a lot of errors". He added that U.S. cyber experts would come to Kiev later this week to help with the investigation.
Additional reporting by Maria Tsvetkova in MOSCOW and Eric Auchard in BRUSSELS; Writing by Matthias Williams; Editing by Philippa Fletcher