GlobalSign Blog

Cyber Autopsy Series: Ukrainian Power Grid Attack Makes History

Cyber Autopsy Series: Ukrainian Power Grid Attack Makes History

Editor's Note: October marks National Cybersecurity Month, a full month dedicated to creating a more cyber-secure world for us all. Previously, we gave you 31 tips to help you #becybersmart. This year, to bring attention to this important matter, we’re introducing you to four huge cybersecurity incidents that could have possibly been prevented, had there been better defenses in place and more awareness. Join us every Thursday in October to read about one of these notorious cyber attacks and stick around for insights and learnings that may just prevent your case from being added to the file.

Cyber Victim:

The Ukrainian Kyivoblenergo, a regional electricity distribution company.

Case Details:  

Regional electricity distribution company Ukrainian Kyivoblenergo has a dubious distinction. It is the world’s first power grid provider to be taken down in a cyber attack. 

It all began when its Prykarpattyaoblenergo control center was the victim of a cyber intrusion on December 23, 2015. The company’s computer and SCADA systems were attacked, disconnecting 30 substations for three hours. As many as 230,000 customers lost power –  approximately half of the homes in the Ivano-Frankivsk region in Ukraine (population about 1.4 million). The tool used was malware known as BlackEnergy

Ukrainian government officials came out rather quickly to claim the outages were caused by a cyber attack, squarely placing blame on Russian security services.

Cyber History: 

The intrusion by cyber criminals was the first time the Kyivoblenergo electricity distribution company was hacked.

Description of Events: 

The attack on the power station occurred in the afternoon. An employee was working at his desk organizing papers when he noticed something very odd. As if by magic, the cursor on his computer began to move around the screen on its own. 

The worker watched – mouth likely agape – as the cursor moved towards buttons that control a substation’s circuit breakers, clicking on a box to open them – taking the substation offline, leaving 225,000 residents in the dark.  

The employee made every effort to regain control of the computer. But it was too late. The attackers had already logged him out. 

Wired obtained a short clip of the actual attack, which can be viewed here. NATO also created this short video depicting the event:

You would think the attackers would be satisfied with their efforts – but no. More damage was in store, as they hit two other power distribution centers, nearly doubling the number of substations taken offline. The cyber criminals also disabled backup power supplies to two of the three distribution centers. Even the power grid operators themselves had no electricity. 

Systems/Parties impacted: 

Anywhere from 200,000-230,000 Ukrainian citizens.

Mode of Entry:

Events leading up to the day of the actual attack began with activity in the spring of 2015, including a spear-phishing campaign targeting IT staff and system admins working for various electricity distribution companies throughout the Ukraine. The campaign delivered a malicious email to employees at three companies. By clicking on the attachment, a popup displayed asking the email user to enable macros for the document. By doing so, a program called BlackEnergy3 infected their machines and opened a backdoor to the hackers.

The initial effort didn’t net the attackers very much, so they continued moving ahead. Over several months they conducted extensive reconnaissance, ultimately gaining access to the Windows Domain Controllers, where user accounts for networks are managed. Here they harvested worker credentials, some of them for VPNs the grid workers used to remotely log in to the SCADA network. Once the attackers broke into the SCADA networks, they still had work to do. Slowly the attackers were preparing for the main event.

It all culminated at approximately 3:30 pm on December 23 when the attackers began to open breakers, and the employees at the Prykarpattyaoblenergo control center realized someone on the outside had gained control.

sequence of events in Ukrainian Kyivoblenergo attack from 2015.png

The attackers were especially clever and thought of everything, even launching a telephone denial-of-service attack against customer call centers to prevent customers from calling in to report the outage.

A cybersecurity expert from Dragos Security quoted in this 2016 Wired article, said the hack “was brilliant” and that “in terms of sophistication…what makes sophistication is logistics and planning and operations and…what’s going on during the length of it. And this was highly sophisticated.” He added: "What sophisticated actors do is they put concerted effort into even unlikely scenarios to make sure they’re covering all aspects of what could go wrong," he says. 

Per Kaspersky, BlackEnergy – the Trojan used in the Ukraine attack – began circulating in 2014. It was deployed specifically to conduct DDoS attacks, cyber espionage and information destruction attacks – and especially companies in the energy industry and those that use SCADA systems. 

Final Diagnosis: 

The attack on the Ukranian power grid is still considered one of the worst intrusions ever. And the case may not be closed just yet...

As stated upfront, almost immediately following the attack the Ukrainian government blamed Russia. Until very recently, no one has been officially accused. 

On October 15, 2020, a federal grand jury in Pittsburgh (PA) returned an indictment charging six hackers, all of whom were residents and nationals of the Russian Federation (Russia) and officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces, also known as “Sandworm”. 

The very same group may also be responsible for another massive attack, NotPetya, which caused nearly $1 billion in losses. 

Sandworm may also be responsible for a series of cyber attacks intended to impact the now delayed 2020 Summer Olympics in Tokyo. The British government is concerned next year’s Games may have been targeted.  

Let's hope not.

Until then, if you don't want to go down like this Ukranian power station, check out some of our free resources designed to help energy grid providers:


Share this Post

Related Blogs