Ukraine power cut was caused by cyber attack

Ray Walsh

January 14, 2016

Analysis of digital evidence obtained from the Prykarpattyaoblenergo power station in Ukraine, where a severe power outage occurred in December, has brought cybersecurity researchers to the conclusion that the blackout was caused by a cyber attack, a report produced by Washington-based SANS ICS and the US Department of Homeland Security confirmed on Saturday.


The attack, which caused a power outage that lasted for six hours, affected 80,000 people in the Ivano-Frankivsk region of Ukraine. Meticulous forensic analysis of all recovered data has led the research team to conclude that the hackers used a spear-phishing attack to deliver a trojan called ‘BlackEnergy’ to the power grid’s systems. The multi-faceted attack also involved flooding the Ukrainian power station’s customer service center with a denial of service attack, leaving it unable to communicate with customers during the outage.

Robert Lee, a former U.S. Air Force cybersecurity analyst who was part of the team that carried out the investigation, made the following statement:

‘This was a multi-pronged attack against multiple facilities. It was highly coordinated with very professional logistics. They sort of blinded them in every way possible.’

The malware is thought to have been delivered to Ukraine’s vital systems via a purposefully infected Microsoft Word attachment, and was then used to take out the regional control center. BlackEnergy has been known about in the security industry for some time, first appearing in 2007 as a tool for delivering DDoS attacks, but it has since been upgraded into a more sinister form of malware.

Although unconfirmed by SANS (which says that the perpetrators remain unconfirmed), the Ukrainian SBU security service lays the blame squarely on the Russians, who it feels have engaged in cyber warfare. Adding some credence to those claims is US cybersecurity firm iSight, which claims to have seen some code from the attack that it believes bears the digital footprint of a Russian hacking collective known as ‘Sandworm.’ For now, that point remains unconfirmed.

Whoever they were, the cyber criminals managed to use their access to open circuit breakers, successfully disconnecting seven 110 kV substations and twenty-three 35 kV substations – cutting the power grid entirely for a significant portion of the region. According to the report, after achieving their aims, the hackers ran a utility called KillDisk (now part of the sophisticated BlackEnergy malware package), further delaying the power company’s ability to regain control of the system. Michael J. Assante, director of SANS, wrote in the firm’s report:

‘The attackers demonstrated planning, coordination, and the ability to use malware and possible direct remote access to blind system dispatchers, cause undesirable state changes to the distribution electricity infrastructure, and attempt to delay the restoration by wiping SCADA servers after they caused the outage. This attack consisted of at least three components: the malware, a denial of service to the phone systems, and the missing piece of evidence of the final cause of the impact. Current evidence and analysis indicates that the missing component was direct interaction from the adversary and not the work of malware. Or in other words, the attack was enabled via malware but consisted of at least three distinct efforts.’


While it is true that this is the first time that a cyber attack has successfully been used to carry out crippling power outages, code from BlackEnergy was, worryingly, detected within the systems of US power facilities back in 2014 – though no disruption was established that could be linked to the dangerous malware.

There is no doubt that the attack was very serious in nature, and it is clear that there is a general paranoia amongst the West’s political elite that this could become much more common. Last November, the UK’s Chancellor George Osborne allocated an extra £2 billion to be used to protect the UK from this kind of cyber attack. ‘If the lights go out, the banks stop working, the hospitals stop functioning, or government itself can no longer operate, the impact on society could be catastrophic,’ said Osborne during a speech to GCHQ.

For the ruling class, there is a fear that this kind of cyber warfare could severely tarnish political careers. Western nations, long accustomed to existing comfortably out of harm’s way, are becoming increasingly frightened that they could (at some point soon) be put in the same embarrassing situation, to the horror of the electorate. When people sit in the pub on a Friday night, rightly bemoaning that the government plans to snoopers charter its way into everyone’s life, the politicians sit around talking about how they can hope to avoid future power-hacks. No doubt concluding that spying more might help – catch-22.

This is the inevitable new world that we live in, where having the firepower to bomb abroad doesn’t stop you from being vulnerable at home, and where years of using firepower have created some very serious enemies. The West knows it is susceptible to attackers that may well be adept enough to hide their tracks, leaving it hurt and with no way of retaliating. Perhaps having to blindly accuse (as Ukraine has), despite a lack of evidence to convincingly do so.

Herein lies the problem with this new world: it has crept up on us quickly and involves a dramatic and sudden shift in the balance of power. In this digital world, non-politically affiliated actors often have extremely political aims, but, at the same time, exist outside of the control of the usual political systems. They are an invisible force. A hidden hand that cannot be negotiated with, and a frightening piece of the puzzle as to why governments keep seeking to take more and more control over cyberspace.

