2015 Ukraine power grid hack

On 23 December 2015, hackers using the BlackEnergy 3 malware remotely compromised information systems of three energy distribution companies in Ukraine and temporarily disrupted the electricity supply to consumers. Most affected were consumers of Prykarpattyaoblenergo (Ukrainian: Прикарпаттяобленерго; servicing Ivano-Frankivsk Oblast): 30 substations (7 110kv substations and 23 35kv substations) were switched off, and about 230,000 people were without electricity for a period from 1 to 6 hours.^[3]

At the same time, consumers of two other energy distribution companies, Chernivtsioblenergo (Ukrainian: Чернівціобленерго; servicing Chernivtsi Oblast) and Kyivoblenergo (Ukrainian: Київобленерго; servicing Kyiv Oblast) were also affected by a cyberattack, but at a smaller scale. According to representatives of one of the companies, attacks were conducted from computers with IP addresses allocated to the Russian Federation.^[4]

In 2019, it was argued that Ukraine was a special case, comprising unusually dilapidated infrastructure, a high level of corruption, the ongoing Russo-Ukrainian War, and exceptional possibilities for Russian infiltration due to the historical links between the two countries.^[5] The Ukrainian power grid was built when it was part of the Soviet Union, has been upgraded with Russian parts and (as of 2022), still not been fixed.^{[clarification needed]} Russian attackers are as familiar with the software as operators. Furthermore, the timing of the attack during the holiday season guaranteed only a skeleton crew of Ukrainian operators were working (as shown in videos).^[6]

The cyberattack was complex and consisted of the following steps:^[4]

• Prior compromise of corporate networks using spear-phishing emails with BlackEnergy malware
• Seizing SCADA under control, remotely switching substations off
• Disabling/destroying IT infrastructure components (uninterruptible power supplies, modems, RTUs, commutators)
• Destruction of files stored on servers and workstations with the KillDisk malware
• Denial-of-service attack on call-center to deny consumers up-to-date information on the blackout.
• Emergency power at the utility company’s operations center was switched off.^[6]

In total, up to 73 MWh of electricity was not supplied (or 0.015% of daily electricity consumption in Ukraine).^[4]

• 2016 Kyiv cyberattack, which resulted in another power outage
• Ukrenergo, electricity transmission system operator in Ukraine
• 2017 cyberattacks on Ukraine
• Russo-Ukrainian cyberwarfare
• Cyberwarfare by Russia
• Vulkan files leak

• Robert M. Lee; Michael J. Assante; Tim Conway (18 March 2016). Analysis of the Cyber Attack on the Ukrainian Power Grid. Defense Use Case (PDF). E-ISAC.
• Nate Beach-Westmoreland; Jake Styczynski; Scott Stables (November 2016). When The Lights Went Out (PDF). Booz Allen Hamilton.

• Adi Nae Gamliel (2017-10-6) "Securing Smart Grid and Advanced Metering Infrastructure".
• Andy Greenberg (2017-06-20). "How An Entire Nation Became Russia's Test Lab for Cyberwar". Wired.
• Kim Zetter (2016-03-03). "Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid". Wired.
• Kim Zetter (2016-01-20). "Everything We Know About Ukraine's Power Plant Hack". Wired.
• John Hulquist (2016-01-07). "Sandworm Team and the Ukrainian Power Authority Attacks". FireEye.
• ICS-CERT, [https://www.cisa.gov/uscert/ics/advisories/ICSA-16-336-02)
• ICS-CERT, Cyber-Attack Against Ukrainian Critical Infrastructure (IR-ALERT-H-16-056-01)