A complex hacking attack caused a six-hour power outage in Ukraine in late December

Malware used in cyber-attack on Ukraine's power grid

A six-hour power outage that hit Ukraine on 23 December was caused by a complex cyber-attack involving an injection of detection-preventing malware, a US cyber-security firm has revealed. 

According to a report released by Washington-based SANS ICS, the hackers were able to remotely control breakers to cut power after installing malware to prevent technicians from spotting the attack. They also flooded the customer-service centre of Prykarpattyaoblenergo, western Ukraine’s utility company, with phone calls to prevent customers from reporting the outage.

The case, described as the first known power outage caused by a cyber-attack, affected 80,000 people in the region.

"This was a multi-pronged attack against multiple facilities,” said Robert Lee, a former US Air Force cyber-warfare operations officer who helped compile the report for SANS ICS. “It was highly coordinated with very professional logistics. They sort of blinded them in every way possible."

The SANS ICS report is the first comprehensive analysis of the case. The firm has urged infrastructure operators to beef up their cyber-defences in light of the findings as other criminals may get inspired by the hack.

"What is now true is that a coordinated cyber-attack consisting of multiple elements is one of the expected hazards (electric utilities) may face," said SANS ICS Director Michael Assante in a blog post on the company’s website.

"We need to learn and prepare ourselves to detect, respond, and restore from such events in the future.”

Russian hackers were behind the outage according to Ukraine’s state security agency SBU and US cyber-security firm iSight Partners even identified the Russian hacking group known as Sandworm as the likeliest perpetrators.

Ukraine's energy ministry has said it will hold off on discussing the matter until after 18 January, following completion of a formal probe into the matter.

Prykarpattyaoblenergo was able to recover from the attack by switching into manual operations, essentially disconnecting infected workstations and servers from the grid.

SANS ICS said on its blog that it had ‘high confidence’ in its findings, which were based on discussions and analysis from ‘multiple international community members and companies’.

US critical infrastructure security expert Joe Weiss said he believed the report's findings would be validated. "They did a phenomenal job," he said.

Recent articles

Info Message

Our sites use cookies to support some functionality, and to collect anonymous user data.

Learn more about IET cookies and how to control them