Second Ukraine Power Outage Linked to Russian Hackers

A cyber attack in December was responsible for a power outage in Ukraine – almost a year to the day after a similar attack in 2015.

In-brief: A cyber attack in December was responsible for a power outage in Ukraine – almost a year to the day after a similar attack in 2015, new research shows.

A December power outage in the city of Kiev in December has been linked to hacking activity by groups believed to be working on behalf of the government of Russia, according to published reports.

Russian hacking crews were behind a brief power outage at the Pivnichna remote power transmission facility last month, using software based attacks to shut down the remote terminal units (RTUs) that control circuit breakers, causing a power outage for about an hour. Hacking crews appear to be using the Ukraine as a test bed to hone skills that could be used against other adversaries, according to Marina Krotofil, a security researcher for Honeywell Industrial Cyber Security Labs, the website Dark Reading reported on Tuesday.

Speaking at the S4 Conference in Miami on Tuesday, Krotofil said that the outage at Pivnichna was part of a month-long campaign by Russian hacking groups that included attacks on railways and other critical infrastructure. While not intended to cripple the country, the attacks were designed to sow confusion and chaos, she said.

Research was conducted by Information Systems Security Partners (ISSP), a Ukraine firm. Speaking to the conference via a pre-recorded video, Oleksii Yasynskyi, head of research at the company, said that the attacks were the work of more than one cyber criminal group that worked in concert with each other. Attacks against Ukraine critical infrastructure and other interests began over the summer, ISSP said, with spear phishing attacks directed at a Ukraine bank.

Eastern Ukraine is at the epicenter of Russian efforts to re-establish control over former Soviet republics. The December 2016 attack on the Ukraine grid comes almost a year to the day after a similar attack on electrical substations in the country that caused a much larger and longer lived blackout. That attack apparently shared many similarities with the attack last month, including the use of the KillDisk malware and standard network administration tools to hide the attackers malicious activity on the network.

The 2016 attacks may be seen as the result of the West’s lackluster response to the 2015 cyber attack which cut power off for around 100,000 Ukrainians, said Steve Ward of the security firm Claroty in an interview with Security Ledger. That incident was a “red line” attack that should have engendered a robust response to the Russian government. However, the country faced no reprisal.

That may presage more, similar attacks against critical infrastructure, Ward said – something that until recently was considered unthinkable. “This has opened the door for this as an element of cyber activity moving forward,” he said. “We should be very concerned.”