Digging deep into a double cyberattack on the Ukraine electricity network and asking whether it’s a sign of things to come in the era of smart grids.
Security threats in our 21st-century, internet-connected society are evolving. Compared to the cost of conventional warfare – both financial and human – sophisticated cyberattacks offer nation-states and their supporters a relatively inexpensive and covert method of advancing their geopolitical goals.
The laws relating to state-sponsored hacking are in their infancy and still relatively untested. Rarely can investigators trace attacks to individuals or find conclusive evidence linking hackers to governments.
Critical infrastructure such as power stations and transport networks is a natural target for such subterfuge. As far back as 2009, malware known as Stuxnet, understood to have been built by the United States and Israel, accelerated hundreds of centrifuges in Iran until they destroyed themselves, causing significant damage to the regime’s nuclear programme.
However, the prime example of this new era of realpolitik involves a pair of attacks on the Ukraine power grid attributed by governments and cybersecurity experts to groups linked to the Russian administration.
Tensions between the two countries had been high for several years. Russia had used its monopoly on gas supply to Ukraine as a policy tool, cutting supplies in 2006 and 2009.
Ukraine looked for ways to secure its energy independence from Moscow, in the process discovering vast deposits of shale oil and gas in the Black Sea off Crimea.
These reserves, said to be the third largest deposits of shale gas in Europe, formed one of the reasons for Russia’s annexation of the Crimean Peninsula in 2014 and ongoing military intervention in Eastern Ukraine.
The First Blackout – Retaliation Or Months In The Making?
The first Ukraine power grid cyberattack struck on 23 December 2015. It is believed to be the first known successful hack of a country’s electricity network.
Hackers remotely took control of three energy distribution companies and opened circuit-breakers at 30 substations in the capital city Kiev and the western parts of the Ivano-Frankivsk region.
Around 230,000 people lost power, with the blackout lasting for as long as six hours. In total, around 73 MWh of electricity wasn’t supplied during the incident, the equivalent of 0.015% of Ukraine’s average daily energy consumption.
A few weeks prior to the outage, pro-Ukraine activists attacked substations feeding power to the Crimea region that had been annexed by Russia. This strike left two million residents in the dark and also affected a Russian naval base.
Unsurprisingly, speculation suggested the cyberattack on Kiev was retaliation for the incident in Crimea.
But investigations into the Ukraine blackout suggest it had been months, if not years, in the planning.
Spear-phishing emails were sent to staff at the three power companies with a malicious Word document containing an updated version of the BlackEnergy malware, giving the hackers an entry point into the network.
However, this only gave them access at the corporate level, not to the SCADA (supervisory control and data acquisition) systems that controlled the grid.
Over several months the attackers searched for further weaknesses, reaching the domain controllers from which user accounts were managed and harvesting the log-in credentials that operators used to remotely access the SCADA network.
Once inside, the hackers reconfigured the uninterruptible power supplies at two of the facilities. This wasn’t to cause the wider blackout, but to ensure the backup power failed when the outage happened, causing chaos for the operators trying to fix the system.
Then they remotely took over workstations at the Prykarpattyaoblenergo control centre and started opening the circuit-breakers, as operators sat watching helplessly on their screens as the events unfolded.
As well as opening circuit-breakers at the substations, the hackers carried out a denial of service (DoS) attack against one of the electricity companies’ call centres. It flooded the phone line with fake calls to slow staff from identifying the areas affected by the blackout.
The attackers also overwrote the firmware on many of the network’s critical devices with malicious software, rendering them unresponsive to any remote commands from operators. Finally, they used malware called KillDisk to wipe crucial system files and overwrite the master boot record. Not only did this cause grid computers to crash, but they couldn’t be rebooted.
This meant that while the blackout lasted for only six hours, its impact stretched over many months, with workers forced to control the systems manually.
History Repeating
Nearly a year to the day after the 2015 attack, the power went down again following another cyberattack.
The attack on the energy grid followed several other similar hacks against state institutions during the preceding weeks. Targets included the national railway network, a pension fund and numerous government ministries.
Just before midnight on 17 December 2016, all the circuit-breakers at the Pivnichna substation just outside Kiev were opened, taking the station offline and causing a blackout that lasted for just over an hour.
National energy provider Ukrenergo revealed the incident amounted to the loss of approximately a fifth of Kiev’s electricity consumption at that time of night.
Exploring The Aftermath
Some experts have argued that the pair of Ukraine power grid cyber events have limited relevance to wider concerns about the vulnerability of more distributed, renewables-reliant modern electricity networks to cyberattacks.
They point to Ukraine as a special case due to the ongoing conflict with Russia.
Interesting questions followed the 2016 attack in particular, however. The blackout only lasted for an hour before energy company Ukrenergo could switch the power back on. Why go to such trouble for such limited results?
Was it a case of the hackers flexing their muscle, causing the outage just because they could? Or was it part of something wider?
A reconstruction of the 2016 blackout by cybersecurity company Dragos, based on the actual network logs and malware code, suggests the attack could have been intended to destroy the equipment, not just disrupt it – a methodology similar to the Stuxnet-Iran incident years previously.
As well as opening circuit-breakers again, the 2016 malware would also disable the station’s protective relays in a way that the network operators couldn’t detect.
Dragos believes that the hackers’ real intention was for the network engineers to quickly restart the substation equipment manually.
With the protective relays disabled, transformers and power lines would have overloaded and caused long-lasting damage to the transmission network.
Thankfully, the plan failed – a network configuration mistake being the likely reason – and the blackout lasted for only an hour.