Ukraine Goes Dark: Russia-Attributed Hackers Take Down Power Grid

As many as 80,000 residents in western Ukraine lost power for six hours on Dec. 23. Cybersecurity firm  iSight Partners has attributed the blackout to Russian hacking group Sandworm and its malicious software, BlackEnergy 3.

Cyberattacks on power grids and other critical infrastructure are not new, but this most recent attack seems to be the first use of cyber as a weapon with kinetic effects during an ongoing conflict, highlighting the growing importance of cybersecurity.

While an analysis of the cyberattack is ongoing, BlackEnergy has a history of targeting information control systems.

For the Prikarpattiaoblenergo electric company in Ukraine, the malware and its subcomponent KillDisk shut down computer operating systems, which in turn ended up shutting down the local electrical grid. Hackers also sought to make it impossible for customers to report electrical issues to the electric company by blocking out the company’s phone system.

There may be other businesses that have been affected by BlackEnergy 3, as certain malware can have cascading effects. Luckily, the reported effects of the cyberattack have so far been relatively short-term.

Cyberattacks against Ukrainian, EU, and NATO officials in 2014 have been attributed to the same hacking team. Hackers in Russia have a tendency to set their sights on areas most relevant to Russian foreign policy—in Ukraine’s case, the illegal annexation of Crimea by Russia and ongoing Russian-backed rebellion in eastern Ukraine.

BlackEnergy 3 wouldn’t be the first successful cyberattack that’s had kinetic damage (outside an ongoing regional conflict)—and it may not be the last.

Recent news reports highlight the continued efforts of hackers, such as those from Iran, to gain information on critical infrastructure in order to cause damage—for example, the cybertheft of passwords and blueprints from a number of power plants or illicit access to dam control systems.

Critical infrastructure may be targeted by those such as hacktivists, nation states or state sympathizers, or domestic and international businesses.

Disrupting critical infrastructure control systems to the point of causing kinetic damage is no easy task. It takes knowledge of both the operating systems used and the spokes and cogs that run the machine. But as cyberattackers and malware grow and evolve at a very rapid pace, and malicious actors gain access to blueprints, operating manuals, and resources from those interested in causing damage, the risk of a successful attack increases.

While the power outage in Ukraine was short-lived, there will be serious implications of similar successful attacks. The hackers, while attributed to within Russia, also have international ties. It’s important for the U.S. and the international cybercommunity to work together to prevent cyberattacks of this type.

This piece has been updated by the author.