Science

Cyberattack that crippled Ukrainian power grid was highly coordinated

Security investigators say they've figured out how hackers likely caused a Dec. 23 electricity outage in Ukraine that left 80,000 people without power for six hours — the first known power outage ever caused by a cyberattack.

1st power outage caused by cyberattack suggests similar attacks possible around the globe

'If those requests aren't processed in a timely matter then people don't have access to that information and their democratic rights are not being fulfilled,' says B.C.'s Privacy Commissioner. (Getty Images)

Hackers likely caused a Dec. 23 electricity outage in Ukraine by remotely switching breakers to cut power, after installing malware to prevent technicians from detecting the attack, according to a report analyzing how the incident unfolded.

The report from Washington-based SANS ICS was released late on Saturday, providing the first detailed analysis of what caused a six-hour outage for some 80,000 customers of Western Ukraine's Prykarpattyaoblenergo utility.

SANS ICS, which advises infrastructure operators on combating cyberattacks, also said the attackers crippled the 
utility's customer-service center by flooding it with phone calls to prevent customers from alerting the utility that power was down.

This was a multi-pronged attack against multiple facilities. It was highly coordinated with very professional logistics.- Robert Lee, report contributor

"This was a multi-pronged attack against multiple facilities. It was highly coordinated with very professional 
logistics," said Robert Lee, a former U.S. Air Force cyberwarfare operations officer who helped compile the report for SANS ICS. "They sort of blinded them in every way possible."

Russian hacking group blamed

Experts widely describe the incident as the first known power outage caused by a cyberattack. Ukraine's SBU state 
security service blamed Russia, and U.S. cyber firm iSight Partners identified the perpetrator as a Russian hacking group known as "Sandworm."

A worker repairs a high voltage power line in the Ukraine in 2014. Hackers likely caused a Dec. 23 electricity outage in Ukraine by remotely switching breakers to cut power, after installing malware to prevent technicians from detecting the attack, according to a report analyzing how the incident unfolded. (Gleb Garanich/Reuters)

Ukraine's energy ministry has said it will hold off on discussing the matter until after Jan. 18, following completion 
of a formal probe into the matter.

The utility's operators were able to quickly recover by switching to manual operations, essentially disconnecting 
infected workstations and servers from the grid, according to the report.

SANS ICS said on its blog it had "high confidence" in its findings, which were based on discussions and analysis from "multiple international community members and companies."

The report's authors declined to identify those sources.

U.S. critical infrastructure security expert Joe Weiss said he believed the report's findings would be validated. "They did a phenomenal job," he said.

There is strong interest in the outage because of concerns that similar techniques could be used to launch more attacks on power operators around the globe.

"What is now true is that a coordinated cyber attack consisting of multiple elements is one of the expected hazards 
(electric utilities) may face," SANS ICS Director Michael Assante said in a blog.

"We need to learn and prepare ourselves to detect, respond, and restore from such events in the future," said Assante, former chief security officer of the quasi-governmental North American Electric Reliability Corp.