More than 100,000 Ukrainians in neighborhoods just north of Kyiv lost power Sunday when a power substation malfunctioned, Reuters first reported. The affected company, Ukrainian energy company Ukrenergo, says the unusual hardware failure is likely the result of a coordinated cyberattack.
The substation in Pivnichna was cut off from the region’s main power grid for about 75 minutes just after midnight local time.
The blackout comes just one year after a similar incident affected three different power companies based in Eastern Ukraine, which was linked by security researchers to a pro-Russian hacking group dubbed SandWorm. While details concerning the recent outage remain sparse, the two cases are different in a number of ways that may ultimately offer clues towards attribution, said FireEye intelligence analyst Sean McBride.
Whereas the 2015 attack targeted power plants, the recent incident affected the electrical grid’s transmission architecture. The difference is significant because it underlines the scale at which this type of cyberattack could knock out power in a geographic area, McBride explained.
By hitting transmission systems, the hackers are able to “impact a wider geographic area causing cascading outages with the potential to damage extremely expensive and difficult to replace electric system component,” according to Michael Assante and Tim Conway, two industrial control system cybersecurity experts with SANS research institute.
“If true, this attack not only represents further ratcheting of escalation in a very troubled part of the world but may also represent a sign of things to come as adversaries pursue ever increasing means and willingness to cause damage using cyber means,” Assante and Conway wrote in a SANS blog post.
Other notable differences between the two cases are also apparent, McBride said.
The power grid cyberattack in December 2015 included three different companies; was the obvious work of hackers; came shortly after the bombing of a Russian oil pipeline; and targeted electrical distribution systems.
The recent, alleged hack was more subtle and, among other differences, is not as easily tied to a geopolitical event.
Industrial control systems, or ICS, typically lack the comprehensive network monitoring software that helps defenders notice abnormal activity. In other words, operators rarely have good visibility into network flows, and that can make it easier for hackers to move laterally within a compromised ICS network.
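The visibility gap described above is what a flow baseline is meant to close. The following is an added example, not code from the article or from Ukrenergo: it checks constructed flow records from a hypothetical substation network against a list of expected conversations and flags anything outside it. All hosts, ports and records are assumptions made for illustration.

```python
# Added example (not from the article): a minimal flow-baseline check for an
# ICS network. Hosts, ports and flow records are constructed for illustration.
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Expected conversations in the hypothetical substation network:
# HMI -> PLC over Modbus/TCP (502), HMI -> RTU over IEC 61850 MMS (102),
# historian -> HMI database.
EXPECTED = {
    ("10.0.1.10", "10.0.2.21", 502, "tcp"),   # HMI -> PLC-A
    ("10.0.1.10", "10.0.2.22", 102, "tcp"),   # HMI -> RTU-B
    ("10.0.1.50", "10.0.1.10", 5432, "tcp"),  # historian -> HMI
}
CONTROL_PORTS = {102, 502, 20000, 44818}   # MMS, Modbus, DNP3, EtherNet/IP
ADMIN_PORTS = {445, 3389, 5985}            # SMB, RDP, WinRM

def parse_flows(lines):
    """Parse constructed 'src dst dport proto' records, one per line."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto.lower()))
    return flows

def flag_anomalies(flows, expected=EXPECTED):
    """Return (flow, reason) pairs for every flow outside the baseline."""
    findings = []
    for f in flows:
        if tuple(f) in expected:
            continue
        if f.dport in CONTROL_PORTS:
            reason = "unexpected host on a control-protocol port"
        elif f.dport in ADMIN_PORTS:
            reason = "admin protocol inside the OT segment"
        else:
            reason = "flow outside baseline"
        findings.append((f, reason))
    return findings

SAMPLE = """
# constructed flow records: src dst dport proto
10.0.1.10 10.0.2.21 502 tcp
10.0.1.50 10.0.1.10 5432 tcp
10.0.1.77 10.0.2.21 502 tcp
10.0.1.77 10.0.1.10 445 tcp
"""
```

Running `flag_anomalies(parse_flows(SAMPLE.splitlines()))` reports the two flows from the unknown host 10.0.1.77 and leaves the baseline traffic alone; in practice the baseline would be learned from a known-good capture rather than typed by hand.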
The attack on Ukrenergo may be a test run, said McBride, who did not see the evidence firsthand but spoke with people who did, because of the hackers’ unusual attack behavior and the controlled targeting.
“The cyber-physical threat is no longer a theoretical one. We have seen it become a real threat to national critical infrastructures and private sector industries alike. Even organizations that aren’t the target of these attacks can suffer from collateral damage because once released in the wild, malware can’t be controlled. Since they target technology that is used across all industrial verticals, every facility can become a victim,” said Barak Perelman, a former hacker with the Israel Defense Forces’ elite 8200 intelligence unit.