With cyberattack on power, Russia diversifies its attack

Ukraine may now have more to fear than a shooting and trade war from Russia.

A month after Ukrainian activists cut off power supplies to Russian-occupied Crimea, a cyberattack on a regional power grid in western Ukraine left about 80,000 people without power for six hours in 289 settlements on Dec. 23.

Experts say the digital stealth war could be the start of a more ominous era of cyberwarfare.
Although Russian hackers have previously been blamed for attacks on Ukrainian government websites, the cyberattack on Prykarpattyaoblenergo in Ivano-Frankivsk Oblast marks a new step.

Other energy companies were hit as well, according to the Security Service of Ukraine. After noticing the problem, utility employees were able to restore power by manually re-closing the hacked circuit breakers to reintroduce the flow of electricity. A request for comment sent to Prykarpattyaoblenergo went unanswered.

Russian hackers

Cyber security and defense experts see something much more sinister and organized than just a group of vigilante hackers.

U.S. cyber firm iSight Partners has pointed the finger at a Russian hacking collective called Sandworm – a group believed to have been involved in cyber espionage against foreign governments since 2009, according to a 2014 iSight report.

John Hultquist, iSight’s director of cyber-espionage analysis, said he could not say with absolute certainty that the hackers were working on behalf of the Kremlin, but that their interests always coincided with those of the Russian government.

An official with the U.S. Department of Homeland Security, whose cyber department has teamed up with Ukrainian authorities to get to the bottom of the attack, told the Kyiv Post that Black Energy 3 malware had been found in the grid system.

According to people familiar with the investigation, hackers were able to use the malware to enter the electric station’s internal network. While investigators have not yet established how the hackers managed to trigger the region-wide outage, experts believe that the attack was likely done remotely, and not by an insider at the plant.

Black Energy, a Trojan horse type program and Sandworm’s signature weapon, was used in targeted attacks against state organizations and private businesses in Ukraine and Poland in 2014, in the wake of Russia’s seizure of Crimea.

At that time, experts warned that Russia was perhaps the only country capable of combining cyber with traditional warfare, and that its greatest weapon would prove to be its arsenal of hackers.

That prediction now appears to have come true.

Crimea link?

The latest attack came just weeks after Ukrainian activists cut off power supplies in November to Russia-annexed Crimea, leaving thousands without electricity for the holidays.

“If Russia cooperates in prosecuting the Sandworm group, one could legitimately argue that this is not a part of the Kremlin’s hybrid war against Ukraine,” said Andreas Umland of the Institute for Euro-Atlantic Cooperation. “Yet, I suspect that the Russian prosecutors and police will not cooperate in clarifying this cyberattack. It is more likely that Sandworm is a peculiarly post-Soviet front organization of the Kremlin, fulfilling tasks that the Russian government will not implement so that Russia can preserve ‘plausible deniability.’”

Ukraine’s Security Service, or SBU, has blamed Russia for the attack, while Moscow has remained silent.

More trouble

The attack came ahead of a new ceasefire in Ukraine’s war-torn east, as fighting between Ukrainian forces and Russian-backed separatists continued, although on a much smaller scale than previously.

According to Umland, even if fighting in the east stops completely, that doesn’t mean Russia is done with Ukraine.

“This episode illustrates that Ukraine’s troubles with Russia will not be over once the fighting in the Donbas finally stops. Rather, we should expect an increase of non-traditional Russian warfare in such fields as public security, industrial production, international trade, mass media, cyberspace, party politics, and civil society,” he said.

While hackers in Russia have long been thought to be recruited by the Federal Security Service to act as proxies against the country’s foes, Russia’s Defense Ministry is believed to have taken this cooperation a step further in the spring of 2015, when U.S. Director of National Intelligence James Clapper told the Senate that Moscow was “establishing its own cybercommand” responsible for “conducting offensive cyberactivities.”

‘Historic’ hack

ICS Security Expert and SANS Instructor Robert M. Lee stopped short of pinning the blame on Russian hackers, but told the Kyiv Post that the hackers were “likely very competent, likely well-funded and likely a state-sponsored group.”

While he said there was not sufficient evidence to say with certainty that the Sandworm group was to blame, there were “indications” to suggest this.

Describing the incident as “an extreme historical event,” he said “we’ve never seen anything like this before. This is the first time we’ve had a power outage linked to a cyberattack.”

“This has crossed a lot of lines. This is civilian infrastructure, there’s no military value whatsoever,” he said.

Lee said that the attack recalls the Stuxnet virus. Stuxnet, discovered in 2010, was described by the Washington Post as a U.S.-sponsored cyber weapon used to sabotage Iran’s nuclear program. That virus, Lee said, relied on “intimate” knowledge of Iranian nuclear infrastructure in order to disable the country’s nuclear program.

In the same way, Lee argued, a more destructive attack on Ukrainian infrastructure would require granular knowledge of the country’s power system.

“Being able to open and close the breakers to cause a six-hour power outage is a big difference from a week- or month-long power outage,” Lee said.

The hack on Ukraine’s electric grid follows years of escalating cyberwarfare. Last year, hackers stole the personal information of U.S. federal employees in an attack blamed on China. In 2007, Estonia suffered cyberattacks that disabled government websites, banks, and media outlets. The hacks came after the Estonian government removed a Soviet monument.

Staff writer Allison Quinn contributed to this report.