Ukraine’s second major power outage in 12 months was the work of cyberattackers, two groups of researchers who investigated the incident have said.
In the most recent incident, which struck inconveniently at 23:55 on December 17, 2016, the remote terminal units (RTUs) controlling circuit breakers at Ukrenergo's Pivnichna power substation near Kiev suddenly shut down. The resulting power cut lasted an hour and left the capital short of a fifth of its power requirements.
Not so long ago, a hardware failure would have been the first suspect, but times have changed: a cyberattack is now the default suspect for this kind of incident in Ukraine, which explains why the country's security service was rapidly dispatched to investigate.
Priming suspicion was the striking resemblance of the Pivnichna outage to the now world-infamous cyberattack on three Ukrainian power companies on December 23, 2015, which affected 30 substations.
Two separate attacks, two disruptive electricity outages and, researchers now think, too many similarities to be coincidence, including traces of the same BlackEnergy 3 malware, delivered by malicious spear-phishing attachments that have reportedly been circulating inside state organisations for months.
Oleksii Yasnskiy of ISSP labs, who investigated the recent attack, told the BBC: “The attacks in 2016 and 2015 were not much different. The only distinction was that the attacks of 2016 became more complex and were much better organised.”
Marina Krotofil, a researcher from Honeywell Industrial Cyber Security Lab who worked on the investigation, also commented at this week's S4x17 Conference in Florida: "They could do many more things, but obviously they didn't have this as an intent. It was more like a demonstration of capabilities."
The word "demonstration" will leave the energy industry feeling queasy. If the December 2015 incident was seen as a learning experience, it appears the lessons haven't yet been absorbed.
Looming over all of this are larger and darker questions of motivation, attribution and whether the attacks could be replicated elsewhere.
From the incomplete technical details that have emerged, it appears the attackers went to unusual lengths to hide the malware they used, which suggests a level of expertise and funding that points to possible nation-state involvement.
The Ukrainians have blamed Russia in no uncertain terms, while at least one security company, iSight Partners, went on the record about the country's alleged involvement in the first attack. Almost everyone else, by contrast, has backed away from blaming Russia, in an attempt to de-sensationalise the whole issue of hacking.
Although Russia's involvement is plausible, since it has an obvious motive for attacking Ukraine, the evidence remains circumstantial and relates mainly to the origins and use of BlackEnergy and the Sandworm hacking group.
The worrying issue is the possibility that the attackers might be using Ukraine as a "playground" as much as a battlefield.
Said Honeywell’s Krotofil: “Ukraine uses equipment and security protections of the same vendors as everybody else around the world. If the attackers learn how to go around those tools and appliances in Ukrainian infrastructures, they can then directly go to the west.”