Ukraine power grid hack

The Ukraine power grid hack was cyberattack on Ukraine's power grid on December 23, 2015, resulting in power outages for roughly 230,000 consumers in Ukraine for 1-6 hours. The attack took place during an ongoing Russian military intervention in Ukraine (2014–present) and is attributed to a Russian advanced persistent threat group known as "Sandworm". It is the first publicly acknowledged successful cyberattack on a power grid.

Description

On 23 December 2015, hackers remotely compromised information systems of three energy distribution companies in Ukraine and temporarily disrupted the electricity supply to consumers. Most affected were consumers of "Prykarpattyaoblenergo" (Ukrainian: Прикарпаттяобленерго; servicing Ivano-Frankivsk Oblast): 30 substations (7 110kv substations and 23 35kv substations) were switched off, and about 230000 people were without electricity for a period from 1 to 6 hours.

At the same time consumers of two other energy distribution companies, "Chernivtsioblenergo" (Ukrainian: Чернівціобленерго; servicing Chernivtsi Oblast) and "Kyivoblenergo" (Ukrainian: Київобленерго; servicing Kyiv Oblast) were also affected by a cyberattack, but at a smaller scale. According to representatives of one of the companies, attacks were conducted from computers with IP addresses allocated to the Russian Federation.

Vulnerabillity

In 2019, it was argued that Ukraine was a special case, comprising unusually dilapidated infrastructure, a high level of corruption, the ongoing Russo-Ukrainian War, and exceptional possibilities for Russian infiltration due to the historical links between the two countries. The Ukrainian power grid was built when it was part of the Soviet Union, has been upgraded with Russian parts and (as of 2022), still not been fixed. Russian attackers are as familiar with the software as operators. Furthermore, the timing of the attack during the holiday season guaranteed only a skeleton crew of Ukrainian operators were working (as shown in videos).

Method

The cyberattack was complex and consisted of the following steps:

  • prior compromise of corporate networks using spear-phishing emails with BlackEnergy malware
  • seizing SCADA under control, remotely switching substations off
  • disabling/destroying IT infrastructure components (uninterruptible power supplies, modems, RTUs, commutators)
  • destruction of files stored on servers and workstations with the KillDisk malware
  • denial-of-service attack on call-center to deny consumers up-to-date information on the blackout.

At last the emergency power at the utility company’s operations center was switched off. In total, up to 73 MWh of electricity was not supplied (or 0.015% of daily electricity consumption in Ukraine).


See also


This page was last updated at 2022-02-03 20:08 UTC. Update now. View original page.

All our content comes from Wikipedia and under the Creative Commons Attribution-ShareAlike License.


Top

If mathematical, chemical, physical and other formulas are not displayed correctly on this page, please useFirefox or Safari