First registered successful hacking attack on power grid
On December 23, 2015, the power grid in two western oblasts of Ukraine was hacked, which resulted in power outages for roughly 230,000 consumers in Ukraine for 1-6 hours. The attack took place during the ongoing Russo-Ukrainian War (2014-present) and is attributed to a Russian advanced persistent threat group known as "Sandworm".[1] It is the first publicly acknowledged successful cyberattack on a power grid.[2]
Description
On 23 December 2015, hackers using the BlackEnergy 3 malware remotely compromised information systems of three energy distribution companies in Ukraine and temporarily disrupted the electricity supply to consumers. Most affected were consumers of Prykarpattyaoblenergo (Ukrainian: Прикарпаттяобленерго; servicing Ivano-Frankivsk Oblast): 30 substations (7 110 kV substations and 23 35 kV substations) were switched off, and about 230,000 people were without electricity for a period from 1 to 6 hours.[3]
At the same time, consumers of two other energy distribution companies, Chernivtsioblenergo (Ukrainian: Чернівціобленерго; servicing Chernivtsi Oblast) and Kyivoblenergo (Ukrainian: Київобленерго; servicing Kyiv Oblast), were also affected by a cyberattack, but at a smaller scale. According to representatives of one of the companies, the attacks were conducted from computers with IP addresses allocated to the Russian Federation.[4]
Vulnerability
In 2019, it was argued that Ukraine was a special case, comprising unusually dilapidated infrastructure, a high level of corruption, the ongoing Russo-Ukrainian War, and exceptional possibilities for Russian infiltration due to the historical links between the two countries.[5] The Ukrainian power grid was built when the country was part of the Soviet Union, was upgraded with Russian parts, and, as of 2022, had still not been fixed.[clarification needed] Russian attackers are therefore as familiar with the software as the operators themselves. Furthermore, the timing of the attack during the holiday season guaranteed that only a skeleton crew of Ukrainian operators was working (as shown in videos).[6]
Method
The cyberattack was complex and consisted of the following steps:[4]