Power grid cyberattack in Ukraine (2015)

From International cyber law: interactive toolkit
Date 23 December 2015
Suspected actor The Sandworm Group.[1] The Ukrainian state security service (SBU) blamed Russia for the attack.[2]
Target Substations of Ukrainian energy companies. In the case of the Prykarpattyaoblenergo substation, the hackers successfully took the network offline.[3]
Target systems Microsoft Windows-based systems
Method The first part of the attack is believed to have used an updated version of the BlackEnergy malware.[4] The malicious code was delivered through emails carrying malicious attachments, targeting specific individuals within the different energy companies in order to obtain administrator credentials and gain access to the substation networks.[5] During the second part of the attack, the actors activated KillDisk, a destructive malware able to wipe parts of the computers’ hard drives and prevent the systems from rebooting, ultimately leading to the power outages. Finally, the hackers launched a TDoS (telephony denial of service) attack against the customers’ call centre, preventing callers from reporting the outage.[6]
Purpose Unknown. Most likely, the hackers intended to test a remote cyber operation directed against Ukraine’s critical energy infrastructure.
Result The attack resulted in power outages for nearly 225,000 consumers in Western Ukraine. The malware disconnected electrical substations, causing the blackout.[7] Restoring normal operation of the substations required manual intervention by on-site operators, including switching the dispatch control centre from “automatic to manual mode”, as the hackers had infected the SCADA manufacturer’s firmware.[8] Even once restored, the affected infrastructure continued to operate under constrained conditions.[9]
Aftermath The Ukrainian incident is the first publicly acknowledged attack in which a digital weapon was used against a power grid and caused power outages.[10] It is also the first time that a cyberattack causing electrical energy disruptions was conducted entirely remotely.[11]
Analysed in Scenario 03: Cyber attack against the power grid

Collected by: Samuele De Tomas Colatin

  1. Symantec Security Response Team, “Destructive Disakil malware linked to Ukraine power outages also used against media organizations”, (5 January 2016), Symantec Corporation.
  2. J Titcomb, “Ukrainian blackout blamed on cyber-attack”, (5 January 2016), The Telegraph.
  3. K Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid”, (3 March 2016), Wired.
  4. Kaspersky Lab, “Newly discovered BlackEnergy spear-phishing campaign targets Ukrainian entities”, (28 January 2016), Kaspersky.
  5. J Cox, “The Malware That Led to the Ukrainian Blackout”, (26 January 2016), Motherboard.
  6. L Hausermann, P Bock, R Francoise, A Nervaux, “Threat Intelligence Report, Cyberattacks against Ukrainian ICS”, (18 July 2017), Sentryo.
  7. D Goodin, “First known hacker-caused power outage signals troubling escalation”, (4 January 2016), Ars Technica.
  8. R M Lee, “Confirmation of a Coordinated Attack on the Ukrainian Power Grid”, (9 January 2016), SANS Industrial Control System Security Blog.
  9. ICS-CERT, “Cyber-Attack Against Ukrainian Critical Infrastructure”, (25 February 2016), United States Department of Homeland Security.
  10. P Polityuk, “Hackers have infiltrated Ukraine’s power grid — and they could take down other infrastructure at any time”, (27 January 2016), Business Insider.
  11. C McLellan, “How hackers attacked Ukraine's power grid: Implications for Industrial IoT security”, (4 March 2016), ZDNet.