Russian Hackers Shut Down Ukraine’s Power Grid

Ukrainian President Petro Poroshenko addresses servicemen in the western city of Ternopil, Ukraine, January 11. A blackout in western Ukraine on December 23 has been attributed to the Russian hacking group Sandworm. Ukrainian Presidential Press Service/Mikhail Palinchak/Handout via Reuters

This article first appeared on The Daily Signal.

As many as 80,000 residents in western Ukraine lost power for six hours on December 23. Cybersecurity firms SANS ICS and iSight Partners have attributed the blackout to Russian hacking group Sandworm and its malicious software, BlackEnergy 3.

Cyberattacks on power grids and other critical infrastructure are not new, but this most recent attack seems to be the first use of cyber as a weapon with kinetic effects during an ongoing conflict, highlighting the growing importance of cybersecurity.

While an analysis of the cyberattack is ongoing, BlackEnergy 3 has a history of targeting information control systems.

For the Prikarpattiaoblenergo electric company in Ukraine, the malware and its subcomponent KillDisk shut down computer operating systems, which in turn ended up shutting down the local electrical grid. Hackers also sought to make it impossible for customers to report electrical issues to the electric company by blocking out the company’s phone system.

There may be other businesses that have been affected by BlackEnergy 3, as certain malware can have cascading effects. Luckily, the reported effects of the cyberattack have so far been relatively short-term.

Cyberattacks against Ukrainian, EU and NATO officials in 2014 have been attributed to the same hacking team. Hackers in Russia have a tendency to set their sights on areas most relevant to Russian foreign policy—in Ukraine’s case, the illegal annexation of Crimea by Russia and ongoing Russian-backed rebellion in eastern Ukraine.

BlackEnergy 3 wouldn’t be the first successful cyberattack that’s had kinetic damage (outside an ongoing regional conflict)—and it may not be the last.

Recent news reports highlight the continued efforts of hackers, such as those from Iran, to gain information on critical infrastructure in order to cause damage—for example, the cybertheft of passwords and blueprints from a number of power plants or illicit access to dam control systems.

Critical infrastructure may be targeted by actors such as hacktivists, nation states or state sympathizers, or domestic and international businesses.

Disrupting critical infrastructure control systems to the point of causing kinetic damage is no easy task. It takes knowledge of both the operating systems used and the spokes and cogs that run the machine. But as cyberattackers and malware grow and evolve at a very rapid pace, and malicious actors gain access to blueprints, operating manuals and resources from those interested in causing damage, the risk of a successful attack increases.

While the power outage in Ukraine was short-lived, similar successful attacks would have serious implications. The hackers, while said to be within Russia, also have international ties.

It’s important for the U.S. and the international cybercommunity to work together to prevent cyberattacks of this type.

Riley Walters is a research assistant in The Davis Institute for National Security and Foreign Policy at The Heritage Foundation.
