Experts say it is too soon to tell if cyber attackers are responsible for bringing down the power system serving an area near the country’s Western border.

Between the Carpathian Mountains and the Romanian border, a mystery is brewing in Western Ukraine. The lights shut off in the region of Ivano-Frankivsk a few days before Christmas, according to a news report. But who—or what—is responsible?

One Ukrainian news source, the Television Service of News, or TCN, said cyber invaders shut down power for at least half of the region of more than one million people.

“The reason was a hacker attack, communicated TCN,” the report said, “According to specialists, hackers broke into the system of telemechanic control.”

The article said the power was off for several hours.

“According to a representative of the regional power company, a virus was launched into the system from outside and suddenly substations began to turn off,” the article continued.

Too soon to tell

Cybersecurity experts say there is not enough information available yet, but the incident is worth monitoring.

“I believe that a lot of the reporting on the incident is single-sourced, and right now there’s not a lot of evidence of what happened,” said Robert M. Lee with the SANS Institute.

“A small number of sources in Russia and Ukraine indicate the electrical outage was caused by a cyber attack, specifically a virus from an outside source,” wrote Michael Assante, also with the SANS Institute, in a blog post. “I am skeptical as the referenced outage has been hard to substantiate and the cause surfaced relatively quickly (normally, determining root cause analysis of an incident takes time especially when it pertains to activity on the network).”

A hacker attack bringing down a power system in this way would be unusual, said Lee.

“If there was truly a malicious outsider that targeted a portion of the Ukraine power grid and successfully brought it down with malware, then this is one of the rare case-studies where this has happened,” he said.  

“We have seen intrusions by targeted adversaries, and we have seen untargeted accidental malware infections impacting operations, but we have not seen public cases of targeted adversaries taking down the power through malware,” Lee added.

Who caused the blackout?

A second TCN article several days later said the Ukrainian Security Bureau discovered Russian attacks on several regional power companies.

“The Ukrainian Security Bureau alerted about an attempt by Russian power services to hit computer networks of the energy complex of Ukraine,” the TCN article said.

“According to security services, malware was found in the networks of separate regional power companies,” it said. “The virus attack was accompanied by continuous calls (a ‘telephone flood’) to the regional energy tech support, communicated the Ukrainian Security Bureau.” 

Important to watch

Assante cautioned people not to jump to conclusions about the blackout, and not to “prematurely follow suggestions that it was definitively a Russian attack against Ukraine’s infrastructure.”

Both Ukraine and Russia have a lot to gain—and a lot to lose—in this situation, said Lee.

“It is important to watch because of the geopolitical tension though in the area,” said Lee. “A mix of pride and deterrence on both sides could give motive to either side.”

“Ukraine could be making it out to be an attack instead of a reliability issue to hide decaying infrastructure or to show that they are a victim to Russia with civilian infrastructure being targeted,” he said.

But the other side could have a motive as well, Lee said.

“Russia could have actually attacked as a show of force or testing of capabilities and people,” he explained.

Difficult to carry out

Another cybersecurity expert says the attack seems unlikely.

“Taking out multiple substations with malware isn’t as easy as it sounds and it takes a very high degree of knowledge of the target system,” said Patrick C. Miller of Archer Security Group. 

“A DDoS (distributed denial of service attack) could certainly cause network instability or failure but substations don’t go dark just because communications are lost,” Miller said. 

“Further, the region isn’t particularly known for allowing multiple points of view or unfiltered information through their media options,” he added. “Too many things about this one leave me scratching my head instead of pointing a finger.”

Looking for the truth

This mystery could be difficult to solve, according to Lee.

“Either way, single-source reporting, geopolitical tension, and counter intelligence efforts in the area will make this an extremely murky case to analyze in the near term,” he said.

“A bit of time and some more information coming forward though may make this one of the most important events of 2015 for the ICS (Industrial Control Systems) security community,” said Lee.