Did Russia Kill Ukraine's Electricity? Cyberattack Linked To Power Outage Has Global Implications

It wasn’t a normal power outage when the lights abruptly went out for tens of thousands of western Ukrainians in and around the regional capital city of Ivano-Frankivsk two weeks ago. The short-lived blackout was caused by malware, making it the first known case of a power outage induced by a cyberattack, experts from several security firms who examined the code confirmed late Monday.

Ukrainian officials ultimately blamed the hack on Russia (the two have been in armed conflict since April 2014), and the Kremlin has conspicuously refused to comment on the situation. While the exact source of the Dec. 23 electricity cut – which lasted up to six hours in some areas – may be difficult to prove, the outage marked a major cybersecurity escalation global governments have long feared. Hacking credit cards and government information may be increasingly common, but the attack against a power-grid infrastructure has created a new sense of urgency for greater investment regionally and internationally to prevent cyberattacks that target essential services.

“If this is the first successful attack against electrical power, I think a lot of people will see it as the crossing of the Rubicon,” said Jason Healey, an expert on cyber conflicts and a senior research scholar at Columbia University’s School of International and Public Affairs in New York. “There’s no doubt that every year is more dangerous than the last and that such attacks will be more common.”

Ukrainian officials have launched an investigation into the outage, and recent reports suggest at least two other utilities were also affected. Software called “BlackEnergy” was used in the cyberattack to plant malware that can overwrite or delete files within a system, tech experts explained. BlackEnergy has been around for almost a decade, with previous attacks linked to the Moscow-based hacker group Sandworm, which has been associated with the Russian government.

Despite the seemingly circumstantial evidence, there is some hesitancy to directly assign blame to any party. A certified instructor of cybersecurity training argued more analysis is necessary before they can reach a conclusion in the case that involves civilian infrastructure outside of a conflict zone. But as more countries use cyber tactics to spy on one another, states could be thrust into uncomfortable future positions of admitting what espionage they've been up to.

“If something happens and your capability is there [for a cyberattack], you may be blamed regardless,” said Robert M. Lee, of the SANS Institute in Bethesda, Maryland.

In this case, the trail could lead all the way to the Kremlin, as relations between Russia and Ukraine remain at an all-time low since Russia’s annexation of the Crimea peninsula in March 2014. Russia has continued to deny playing any direct role in the ensuing war in Eastern Ukraine, which has pitted government troops against Russian-backed separatists and left over 9,000 people dead in what Western powers have described a new kind of hybrid warfare.

Ukrainian officials have blamed past cyberattacks targeting government and ministry websites as well as embassies abroad on Russia and Russian-based hackers. Ukraine's voting system was also targeted prior to the May 2014 election. With Ukrainian activists blowing up pylons — tall towers carrying power lines — and cutting off electricity supply to Crimea in both November and December, some suspect the blackout in Ivano-Frankivsk could be a direct retaliation.

“It is scary because if this is the case that a cyberattack was used to create an outage and blackout in a particular area, it means that Russia has the capabilities to use this technology to create outages in what it sees as hostile territories or countries,” said Alex Kokcharov, an analyst focused on Europe and the Commonwealth of Independent States for IHS, a global economics and risk analysis firm. “If indeed this is the Russian technical capability, it should be quite worrying to any country that has a difficult political and military relationship with Russia.”

Both Healey and Kokcharov argued the attack could present the economic incentive that credit card hacks have not for many companies and governments to step up their cybersecurity spending.

“Without a doubt, the presence that BlackEnergy has been used in a disruptive attack should start tipping the hands of regulators,” Healey said.

But not all analysts agree that an attack in Ukraine will spur other countries or businesses to increase security spending. Past cyberattacks, notably when the Stuxnet virus was used against Iran’s nuclear program, did not lead to big adjustments worldwide.

“The economic incentive still isn’t there,” said Lee, the instructor at the SANS Institute. “Most asset owners will say, ‘A power outage occurred in Ukraine, but it’s not affecting me.’”

Russia’s neighbors have taken notice, with the Baltic states planning to increase their IT security after being the targets over cyber hacks. Lithuania saw its Joint Staff of the Armed Forces website hacked last June with claims of a U.S. plan to annex the Russian area of Kaliningrad.

The cyberattack in Ukraine has also raised larger concerns about the cascading effects future attacks could have on infrastructure, with power outages affecting other areas, including hospitals and food storage facilities.

“The one takeaway would be that arguably this is the most frightening or scary type of attack that has evolved over the last few years, but I think the other types of attacks like financial-driven data breaches will continue to rule cyber activity,” said Ed Cabrera, vice president of cybersecurity strategy at Trend Micro, a global security software company based in North Texas.

Moving forward, he said, the hacking-caused blackout in Ukraine could cause a global spike in similar aggressions. “This has definitely opened the door for nation states or nonstate actors to begin to think about deploying [attacks].”