2015 Ukraine power grid hack

On December 23, 2015, the power grid in two western oblasts of Ukraine was hacked, which resulted in power outages for roughly 230,000 consumers in Ukraine for 1-6 hours. The attack took place during the ongoing Russo-Ukrainian War (2014-present) and is attributed to a Russian advanced persistent threat group known as "Sandworm".^[1] It is the first publicly acknowledged successful cyberattack on a power grid.^[2]

Description

On 23 December 2015, hackers using the BlackEnergy 3 malware remotely compromised information systems of three energy distribution companies in Ukraine and temporarily disrupted the electricity supply to consumers. Most affected were consumers of Prykarpattyaoblenergo (Ukrainian: Прикарпаттяобленерго; servicing Ivano-Frankivsk Oblast): 30 substations (7 110kv substations and 23 35kv substations) were switched off, and about 230,000 people were without electricity for a period from 1 to 6 hours.^[3]

At the same time, consumers of two other energy distribution companies, Chernivtsioblenergo (Ukrainian: Чернівціобленерго; servicing Chernivtsi Oblast) and Kyivoblenergo (Ukrainian: Київобленерго; servicing Kyiv Oblast) were also affected by a cyberattack, but at a smaller scale. According to representatives of one of the companies, attacks were conducted from computers with IP addresses allocated to the Russian Federation.^[4]

Vulnerability

In 2019, it was argued that Ukraine was a special case, comprising unusually dilapidated infrastructure, a high level of corruption, the ongoing Russo-Ukrainian War, and exceptional possibilities for Russian infiltration due to the historical links between the two countries.^[5] The Ukrainian power grid was built when it was part of the Soviet Union, has been upgraded with Russian parts and (as of 2022), still not been fixed.^{[clarification needed]} Russian attackers are as familiar with the software as operators. Furthermore, the timing of the attack during the holiday season guaranteed only a skeleton crew of Ukrainian operators were working (as shown in videos).^[6]

Method

The cyberattack was complex and consisted of the following steps:^[4]

• Prior compromise of corporate networks using spear-phishing emails with BlackEnergy malware
• Seizing SCADA under control, remotely switching substations off
• Disabling/destroying IT infrastructure components (uninterruptible power supplies, modems, RTUs, commutators)
• Destruction of files stored on servers and workstations with the KillDisk malware
• Denial-of-service attack on call-center to deny consumers up-to-date information on the blackout.
• Emergency power at the utility company’s operations center was switched off.^[6]

In total, up to 73 MWh of electricity was not supplied (or 0.015% of daily electricity consumption in Ukraine).^[4]

See also

• 2016 Kyiv cyberattack, which resulted in another power outage
• Ukrenergo, electricity transmission system operator in Ukraine
• 2017 cyberattacks on Ukraine
• Russo-Ukrainian cyberwarfare
• Cyberwarfare by Russia
• Vulkan files leak

References

1. Jim Finkle (7 January 2016). "U.S. firm blames Russian 'Sandworm' hackers for Ukraine outage". Reuters. Archived from the original on 23 June 2017. Retrieved 2 July 2017.
2. Kostyuk, Nadiya; Zhukov, Yuri M. (2019-02-01). "Invisible Digital Front: Can Cyber Attacks Shape Battlefield Events?". Journal of Conflict Resolution. 63 (2): 317–347. doi:10.1177/0022002717737138. ISSN 0022-0027. S2CID 44364372. Archived from the original on 2022-02-25. Retrieved 2022-02-25.
3. Zetter, Kim (3 March 2016). "Inside the cunning, unprecedented hack of Ukraine's power grid". Wired. San Francisco, California, USA. ISSN 1059-1028. Archived from the original on 2021-02-08. Retrieved 2021-02-08.
4. "Міненерговугілля має намір утворити групу за участю представників усіх енергетичних компаній, що входять до сфери управління Міністерства, для вивчення можливостей щодо запобігання несанкціонованому втручанню в роботу енергомереж". mpe.kmu.gov.ua. Міністерство енергетики та вугільної промисловості України. 2016-02-12. Archived from the original on 2016-08-15. Retrieved 2016-10-10.
5. Overland, Indra (1 March 2019). "The geopolitics of renewable energy: debunking four emerging myths". Energy Research and Social Science. 49: 36–40. doi:10.1016/j.erss.2018.10.018. ISSN 2214-6296. Archived from the original on 2021-08-19. Retrieved 2021-02-08.  
6. Sanger, David E.; Barnes, Julian E. (2021-12-20). "U.S. and Britain Help Ukraine Prepare for Potential Russian Cyberassault". The New York Times. ISSN 0362-4331. Archived from the original on 2022-01-16. Retrieved 2022-01-17.

Further reading

• Robert M. Lee; Michael J. Assante; Tim Conway (18 March 2016). Analysis of the Cyber Attack on the Ukrainian Power Grid. Defense Use Case (PDF). E-ISAC.
• Nate Beach-Westmoreland; Jake Styczynski; Scott Stables (November 2016). When The Lights Went Out (PDF). Booz Allen Hamilton.

External links

• Adi Nae Gamliel (2017-10-6) "Securing Smart Grid and Advanced Metering Infrastructure".
• Andy Greenberg (2017-06-20). "How An Entire Nation Became Russia's Test Lab for Cyberwar". Wired.
• Kim Zetter (2016-03-03). "Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid". Wired.
• Kim Zetter (2016-01-20). "Everything We Know About Ukraine's Power Plant Hack". Wired.
• John Hulquist (2016-01-07). "Sandworm Team and the Ukrainian Power Authority Attacks". FireEye.
• ICS-CERT, [https://www.cisa.gov/uscert/ics/advisories/ICSA-16-336-02)
• ICS-CERT, Cyber-Attack Against Ukrainian Critical Infrastructure (IR-ALERT-H-16-056-01)