On December 23, 2015, the power grid in two western oblasts of Ukraine was hacked, which resulted in power outages for roughly 230,000 consumers in Ukraine for 1-6 hours. The attack took place during the ongoing Russo-Ukrainian War (2014-present) and is attributed to a Russian advanced persistent threat group known as "Sandworm". It is the first publicly acknowledged successful cyberattack on a power grid.
Description
On 23 December 2015, hackers using the BlackEnergy 3 malware remotely compromised information systems of three energy distribution companies in Ukraine and temporarily disrupted the electricity supply to consumers. Most affected were consumers of Prykarpattyaoblenergo (Ukrainian: Прикарпаттяобленерго; serving Ivano-Frankivsk Oblast): 30 substations (seven 110 kV substations and 23 35 kV substations) were switched off, and about 230,000 people were without electricity for a period of 1 to 6 hours.
At the same time, consumers of two other energy distribution companies, Chernivtsioblenergo (Ukrainian: Чернівціобленерго; serving Chernivtsi Oblast) and Kyivoblenergo (Ukrainian: Київобленерго; serving Kyiv Oblast), were also affected by a cyberattack, but on a smaller scale. According to representatives of one of the companies, the attacks were conducted from computers with IP addresses allocated to the Russian Federation.
Vulnerability
In 2019, it was argued that Ukraine was a special case, comprising unusually dilapidated infrastructure, a high level of corruption, the ongoing Russo-Ukrainian War, and exceptional possibilities for Russian infiltration due to the historical links between the two countries. The Ukrainian power grid was built when Ukraine was part of the Soviet Union, has been upgraded with Russian parts and, as of 2022, has still not been fixed. Russian attackers are as familiar with the software as its operators are. Furthermore, the timing of the attack during the holiday season guaranteed that only a skeleton crew of Ukrainian operators was working (as shown in videos).
Method
The cyberattack was complex and consisted of the following steps:
* Prior compromise of corporate networks using spear-phishing emails carrying BlackEnergy malware
* Seizing control of SCADA systems and remotely switching substations off
* Disabling/destroying IT infrastructure components (uninterruptible power supplies, modems, RTUs, commutators)
* Destruction of files stored on servers and workstations with the KillDisk malware
* Denial-of-service attack on the call center to deny consumers up-to-date information on the blackout
* Switching off emergency power at the utility company's operations center
In total, up to 73 MWh of electricity was not supplied (or 0.015% of daily electricity consumption in Ukraine).
See also
* 2016 Kyiv cyberattack, which resulted in another power outage
* Ukrenergo, electricity transmission system operator in Ukraine
* 2017 cyberattacks on Ukraine
* Russian-Ukrainian cyberwarfare
* Cyberwarfare by Russia
External links
* Adi Nae Gamliel (2017-10-6), "Securing Smart Grid and Advanced Metering Infrastructure"
* ICS-CERT, Cyber-Attack Against Ukrainian Critical Infrastructure (IR-ALERT-H-16-056-01)