
Ukrainian power grid — BlackEnergy + Industroyer

Russian Sandworm operators twice cut Ukrainian electricity: in December 2015 through BlackEnergy-enabled access and hands-on-keyboard control of distribution SCADA, and in December 2016 with Industroyer, malware purpose-built to speak substation protocols. These were the first confirmed cyberattacks to cause power outages.

Target
Ukrainian power grid — BlackEnergy + Industroyer
Date public
17 December 2016
Sector
Energy
Attack type
Nation State
Threat actor
Sandworm / GRU Unit 74455
Severity
Critical
Region
Ukraine

In the winters of 2015 and 2016, Russian military hackers turned off the lights in Ukraine. Twice. Deliberately. The first attack, in December 2015, used malware to get inside three regional electricity companies, then had human operators hijack the utilities' own control software and open circuit breakers at around 30 substations, while simultaneously flooding the companies' call centres so customers could not even report what was happening. About 230,000 customers lost power for up to six hours in freezing conditions. The second attack, a year later, was technically more alarming. The malware used, called Industroyer, was the first built specifically to speak the protocols that electricity substation equipment uses. It did not need a human operator to flip switches: it could talk directly to substation hardware and command it. A portion of Kyiv's electricity supply went out for about an hour. Both attacks were attributed to the Russian military intelligence group that researchers call Sandworm. They are the first confirmed cases of a cyberattack causing a deliberate electricity blackout, and they set the template for how sophisticated adversaries approach attacks on critical infrastructure.

What happened

On 23 December 2015, attackers compromised three Ukrainian regional electricity distribution companies (Prykarpattyaoblenergo, Kyivoblenergo, and Chernivtsioblenergo) and used that access to coordinate a near-simultaneous outage affecting approximately 230,000 customers in western and central Ukraine. The outage lasted between one and six hours. During the attack, the companies' call centres were flooded with automated calls to prevent customer reports from getting through, the firmware of serial-to-Ethernet converters at affected substations was overwritten so they could not be re-commanded remotely, and KillDisk wiped operator workstations and servers to slow recovery.

Exactly a year later, on 17 December 2016, a second and technically more sophisticated attack struck Ukrenergo's Pivnichna (Northern) transmission substation north of Kyiv, cutting roughly one-fifth of Kyiv's electricity consumption at that hour for approximately one hour. This attack was carried out with a purpose-built piece of malware named Industroyer (Dragos calls it CRASHOVERRIDE), which ESET and Dragos analysed in reports published in June 2017. Both attacks were attributed by the Ukrainian government, US officials, and independent researchers to Sandworm, the Russian military intelligence (GRU) group subsequently identified as Unit 74455.

The two attacks are jointly significant as the first publicly confirmed instances of cyberattacks causing deliberate electricity outages. They demonstrated that sophisticated adversaries had both the intent and the technical capability to attack power grids in ways that caused real-world effects on civilian populations, and they established a threat model that security professionals across the energy sector have worked from ever since.

How it worked

The 2015 attack relied on spear-phishing for initial access. Employees at the three distribution companies received emails carrying Office documents whose macros installed BlackEnergy 3. Once implanted, BlackEnergy provided remote access that the attackers used over a dwell period of months to harvest credentials, map the internal networks, understand the operational processes, and position themselves for a coordinated strike. When the attack was executed on 23 December, the operators connected through the utilities' own VPN and remote access tools using stolen credentials, took over the dispatchers' HMI sessions, and opened circuit breakers at around 30 substations in quick succession. In parallel they overwrote the firmware of serial-to-Ethernet converters at the substations, disabled the uninterruptible power supplies at the control centres, and scheduled KillDisk to wipe the operator workstations. The simultaneous flooding of the call centres with a telephony denial-of-service (TDoS) tool was a parallel operation designed to maximise confusion and delay response.

The 2016 Industroyer attack represented a significant technical advance. Rather than relying on human operators to manipulate SCADA systems through legitimate tools, Industroyer was a modular malware framework whose payload components implemented four industrial communication standards used in electricity substation automation: IEC 60870-5-101 (serial), IEC 60870-5-104 (the TCP/IP variant), IEC 61850 (substation automation, via its MMS communication profile) and OPC Data Access. These are the protocols over which substation protection relays, remote terminal units and switchgear are monitored and commanded. Given a configuration naming the target devices, the payloads could enumerate addressable points (for IEC 104, a configured range of information object addresses) and issue control commands directly, with no human operator in the loop at execution time.

Industroyer also shipped supporting tools: a custom backdoor for persistent access (plus a second backdoor hidden in a trojanised copy of Notepad), a port scanner for locating targets on the substation network, a data wiper that deleted registry keys and overwrote files, including ICS configuration files, to leave affected Windows hosts unbootable, and a denial-of-service tool that exploited a known vulnerability in Siemens SIPROTEC protection relays (CVE-2015-5374) to make them unresponsive. The relay DoS component matters because protection relays are what keep faults from damaging equipment; knocking them offline while breakers are being toggled would have made restoration slower and riskier. Whether it was used effectively in the December 2016 event has not been publicly established.

The relative brevity of both outages (the 2016 outage lasted approximately one hour before engineers restored power manually) was a consequence of grid resilience, physical manual override capability and the relatively contained scope of the attacks, not a limitation of the attacker's capability. Sandworm appears to have chosen targets and timing (both attacks fell in the week before Christmas, in mid-winter; the 2016 strike landed shortly before midnight) to maximise impact on civilians.

Timeline

  • Spring — Summer 2015 — Spear-phishing campaign targeting Ukrainian electricity distribution companies; BlackEnergy malware implanted at multiple utilities. Dwell period of months follows.
  • 23 December 2015 — Coordinated attack executes: circuit breakers opened at substations across three distribution companies; TDoS floods customer service lines; KillDisk wipes control workstations. 230,000 customers lose power.
  • Late December 2015 — Ukrainian utilities restore power manually; SCADA systems require weeks of remediation.
  • February — March 2016 — ICS-CERT issues an alert on the 2015 attack (February); SANS and E-ISAC publish their detailed technical analysis (March).
  • Late 2016 — Industroyer implanted at Ukrenergo, the national transmission operator, ahead of the December attack.
  • 17 December 2016 — Industroyer executes at Pivnichna substation; approximately 20% of Kyiv power supply cut for roughly one hour. Wiper component deployed to cover tracks.
  • June 2017 — ESET and Dragos publish concurrent analyses of Industroyer/CRASHOVERRIDE, detailing its ICS protocol modules and destructive components.
  • October 2020 — US Department of Justice unseals an indictment of six GRU Unit 74455 (Sandworm) officers for the 2015 and 2016 Ukraine grid attacks, NotPetya and other operations.
  • April 2022 — ESET and CERT-UA disclose Industroyer2, a successor to Industroyer, deployed against Ukrainian high-voltage infrastructure; the attack is disrupted before causing an outage.

What defenders should learn

The 2015 and 2016 attacks together constitute the definitive case study in how a sophisticated adversary approaches an attack on energy infrastructure, and they contain lessons at every level of defence.

The initial access in 2015 was achieved through spear-phishing, an ordinary enterprise-IT vector that gave the attackers a foothold from which to reach the operational network. The dwell period that followed was months long. Defenders in critical infrastructure who assume that a lack of detected intrusions means a lack of intrusions are likely wrong. Continuous monitoring for anomalous behaviour on both IT and OT networks, including unusual remote authentication into the SCADA environment (new source addresses, off-hours logins, operator accounts used from IT hosts) and unexpected outbound communications from engineering workstations, is what allows an operation to be caught during its preparation phase rather than after execution.
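The monitoring described above, as an added example that is not code from the page or from any utility's operations centre: a small detector run over constructed remote-access and egress events in a hypothetical key=value log format. It flags successful VPN logins into the OT segment from addresses an account has never used, logins outside a working-hours window, and any connection from an engineering workstation to a non-internal address, then correlates the two (one external host both logging in and receiving callbacks is the pattern of an operator staging an attack). The account names, host naming convention, baseline of known source addresses and working-hours window are assumptions; addresses use RFC 5737 documentation ranges.

```python
"""Detection sketch: anomalous remote access into the OT segment and unexpected
egress from engineering workstations.

Added example, not code from the page. The key=value log format, host and
account names, the baseline of known source addresses, and the working-hours
window are all assumptions; IP addresses use RFC 5737 documentation ranges.
"""
import ipaddress
from datetime import datetime

# Constructed sample events (local timestamps), not real utility logs.
SAMPLE_LOGS = """\
2015-12-23T02:14:05 type=vpn_auth user=ops.smirnov src=203.0.113.9 dst_segment=ot result=success
2015-12-23T09:02:11 type=vpn_auth user=ops.smirnov src=198.51.100.4 dst_segment=ot result=success
2015-12-23T15:31:40 type=vpn_auth user=maint.kovalenko src=203.0.113.9 dst_segment=ot result=success
2015-12-23T15:32:02 type=egress host=eng-ws-03 dst=203.0.113.9 dport=443
2015-12-23T15:33:10 type=egress host=eng-ws-03 dst=10.10.5.2 dport=443
2015-12-23T15:40:00 type=egress host=eng-ws-03 dst=192.0.2.50 dport=8443
2015-12-23T15:41:00 type=vpn_auth user=ops.smirnov src=203.0.113.9 dst_segment=ot result=failure
"""

# Baseline assumptions: where each remote-access account has historically connected
# from, and the hours in which human remote logins to the OT segment are expected.
KNOWN_SOURCES = {
    "ops.smirnov": {"198.51.100.4"},
    "maint.kovalenko": {"198.51.100.4", "198.51.100.7"},
}
WORK_HOURS = range(7, 20)    # 07:00 to 19:59 local
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENG_WS_PREFIX = "eng-ws-"    # assumed naming convention for engineering workstations


def parse_line(line):
    """Parse '<iso-timestamp> k=v k=v ...' into a dict, or None if the line does not fit."""
    ts, _, rest = line.strip().partition(" ")
    if not ts or not rest:
        return None
    try:
        rec = {"ts": datetime.fromisoformat(ts)}
    except ValueError:
        return None
    for token in rest.split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(log_text, known_sources=KNOWN_SOURCES):
    """Return alerts as dicts with ts, rule, ip and detail."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.get("type") == "vpn_auth" and rec.get("dst_segment") == "ot" and rec.get("result") == "success":
            user, src = rec["user"], rec["src"]
            if src not in known_sources.get(user, set()):
                alerts.append({"ts": rec["ts"], "rule": "vpn_new_source", "ip": src,
                               "detail": f"{user} authenticated into OT from unseen address {src}"})
            if rec["ts"].hour not in WORK_HOURS:
                alerts.append({"ts": rec["ts"], "rule": "vpn_off_hours", "ip": src,
                               "detail": f"{user} authenticated into OT at {rec['ts'].time()}"})
        elif rec.get("type") == "egress" and rec.get("host", "").startswith(ENG_WS_PREFIX):
            # Engineering workstations should never talk to the internet directly.
            if not is_internal(rec["dst"]):
                alerts.append({"ts": rec["ts"], "rule": "eng_ws_external_egress", "ip": rec["dst"],
                               "detail": f"{rec['host']} connected out to {rec['dst']}:{rec.get('dport')}"})
    return alerts


def correlated_addresses(alerts):
    """External addresses that both logged into OT and received egress from an
    engineering workstation: one host doing both is a strong staging indicator."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["ip"], set()).add(a["rule"])
    return {ip for ip, rules in seen.items()
            if "vpn_new_source" in rules and "eng_ws_external_egress" in rules}


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(a["ts"], a["rule"], a["detail"])
    print("correlated:", sorted(correlated_addresses(found)))
```

On the sample the off-hours and new-source rules fire on the 02:14 login, the new-source rule fires again on the maintenance account, both external callbacks from the engineering workstation are flagged, and 203.0.113.9 is reported as the correlated address. The failed login is deliberately ignored here; in practice a burst of failures from a new source is its own signal.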

Industroyer makes a specific and important argument about the threat to ICS environments that speak standard protocols: those protocols were designed for reliability and interoperability, not for authentication or command validation. A device that speaks IEC 104 or IEC 61850 will act on a correctly formed control command from any source that can reach it on the network; there is no credential to steal and no session to hijack, only a TCP connection to open. The appropriate controls are therefore network-level: restricting which hosts may speak these protocols to which devices, using firewalls and data diodes to limit the attack surface of the substation automation network, and monitoring for control-direction traffic from anything other than the approved SCADA masters. Application-level hardening is not available on the installed base, because the base protocols carry no authentication mechanism; the IEC 62351 security extensions add one for new deployments but are rarely supported by legacy substation equipment.
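As an added example serving both this paragraph and the description of Industroyer's protocol modules under "How it worked" (illustrative code, not Industroyer's own and not from the page): a minimal IEC 60870-5-104 encoder and decoder for single and double commands, followed by the network-level check argued for above, namely flagging any control-direction ASDU whose source is not an approved SCADA master. The frame layout follows the public standard; note that the command carries a type, a cause of transmission, a common address, an information object address and a one-byte qualifier, and nothing that identifies or authenticates the sender. The IP addresses, common address, information object addresses and the sample capture are constructed.

```python
"""Minimal IEC 60870-5-104 command encoder/decoder plus a source allowlist check.

Added example: not code from the page and not Industroyer's own. Frame layout
follows the public IEC 60870-5-104 / -101 specifications; every address and
the sample capture below are constructed for illustration.
"""
import struct

START = 0x68
C_SC_NA_1 = 45   # single command: SCO bit 0 = state (1 = ON)
C_DC_NA_1 = 46   # double command: DCO bits 0-1 = state (1 = OFF, 2 = ON)
COT_ACTIVATION = 6
# Type identifications in the control direction (process commands, with and without time tag).
CONTROL_TYPE_IDS = set(range(45, 52)) | set(range(58, 65))


def build_command(type_id, common_addr, ioa, state, ns=0, nr=0, select=False):
    """Encode one I-format APDU carrying a single (45) or double (46) command."""
    if type_id == C_SC_NA_1:
        qualifier = (0x80 if select else 0) | (1 if state else 0)
    elif type_id == C_DC_NA_1:
        qualifier = (0x80 if select else 0) | (2 if state else 1)
    else:
        raise ValueError("only single/double commands are encoded here")
    # ASDU header: type, VSQ (one object, SQ=0), COT + originator address, common address.
    asdu = struct.pack("<BBBBH", type_id, 1, COT_ACTIVATION, 0, common_addr)
    asdu += ioa.to_bytes(3, "little") + bytes([qualifier])
    # APCI control field for I-format: 15-bit N(S) and N(R), each stored shifted left by one.
    ctrl = struct.pack("<HH", (ns << 1) & 0xFFFF, (nr << 1) & 0xFFFF)
    return bytes([START, len(ctrl) + len(asdu)]) + ctrl + asdu


def parse_apdu(data):
    """Decode an APDU into a dict; raises ValueError on malformed input."""
    if len(data) < 6 or data[0] != START or data[1] != len(data) - 2:
        raise ValueError("bad APCI")
    ctrl1 = data[2]
    if ctrl1 & 0x01:
        # bit 0 set: S-format (bits 0-1 == 01) or U-format (bits 0-1 == 11); no ASDU follows.
        return {"format": "U" if ctrl1 & 0x02 else "S"}
    ns = struct.unpack_from("<H", data, 2)[0] >> 1
    nr = struct.unpack_from("<H", data, 4)[0] >> 1
    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq, cot, _orig, common_addr = struct.unpack_from("<BBBBH", asdu, 0)
    body, objects = asdu[6:], []
    if type_id in (C_SC_NA_1, C_DC_NA_1):
        count = vsq & 0x7F
        if len(body) < count * 4:
            raise ValueError("command objects truncated")
        for i in range(count):
            ioa = int.from_bytes(body[i * 4:i * 4 + 3], "little")
            q = body[i * 4 + 3]
            state = q & 0x01 if type_id == C_SC_NA_1 else q & 0x03
            objects.append({"ioa": ioa, "state": state, "select": bool(q & 0x80)})
    return {"format": "I", "ns": ns, "nr": nr, "type_id": type_id,
            "cot": cot & 0x3F, "common_addr": common_addr, "objects": objects}


def audit_flows(flows, allowed_masters):
    """Flag control-direction ASDUs from any source that is not an approved SCADA master.

    flows: iterable of (src_ip, dst_ip, apdu_bytes). Monitoring-direction ASDUs and
    APCI-only frames are ignored; malformed APDUs are reported as well.
    """
    alerts = []
    for src, dst, apdu in flows:
        try:
            a = parse_apdu(apdu)
        except ValueError as exc:
            alerts.append({"src": src, "dst": dst, "reason": f"malformed APDU: {exc}"})
            continue
        if a["format"] != "I" or a["type_id"] not in CONTROL_TYPE_IDS:
            continue
        if src not in allowed_masters:
            alerts.append({"src": src, "dst": dst, "type_id": a["type_id"],
                           "objects": a["objects"],
                           "reason": "control ASDU from unapproved source"})
    return alerts


# Constructed sample capture; addresses and IOAs are assumed for illustration.
SCADA_MASTER = "10.10.1.5"        # the only host that should ever send commands
ENG_WORKSTATION = "10.10.1.77"    # an engineering workstation the attacker now controls
RTU = "10.10.2.40"
SAMPLE_FLOWS = [
    (SCADA_MASTER, RTU, build_command(C_DC_NA_1, 1, 0x1001, state=True, ns=3, nr=5)),
    (ENG_WORKSTATION, RTU, build_command(C_DC_NA_1, 1, 0x1001, state=False)),              # rogue OFF
    (ENG_WORKSTATION, RTU, build_command(C_SC_NA_1, 1, 0x2000, state=False, select=True)),  # rogue select
    (ENG_WORKSTATION, RTU, bytes([START, 0x04, 0x07, 0x00, 0x00, 0x00])),                  # U-frame STARTDT act
]

if __name__ == "__main__":
    for alert in audit_flows(SAMPLE_FLOWS, {SCADA_MASTER}):
        print(alert)
```

Run stand-alone, the audit reports the two commands from the engineering workstation and stays silent on the identical command from the SCADA master and on the bare STARTDT frame. The RTU itself cannot make that distinction: both double commands decode to the same bytes, which is exactly why the allowlist has to live in the network path (firewall rule or passive monitor) rather than on the device.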

The coordinated TDoS against the phone systems in 2015 is often overlooked in the focus on the SCADA compromise, but it carries a distinct lesson: incident response in a critical infrastructure event depends on communications infrastructure that is itself a potential target. Incident response plans should include out-of-band communication channels that do not depend on the same network or telephone infrastructure that may be under attack.

Finally, the manual override capability that allowed Ukrainian engineers to restore power relatively quickly is a physical resilience feature that is easy to undervalue during periods when digital control works seamlessly. The ability to operate substations and other critical infrastructure through direct physical local control, without depending on the SCADA network, is a genuine resilience feature that should be preserved as infrastructure is modernised. Sandworm’s attacks would have caused far longer outages if every circuit breaker in the affected substations could only be commanded over the compromised network.

Controls that would have helped

Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.
