Investigation shows cyber attackers shut down power for second time, according to cybersecurity researchers.


When the power went out in part of Kiev on December 17, 2016, energy officials there called it “external influence.”

Now researchers have confirmed that the “external influence” was indeed a cyber attack—the second time in a year that malicious hackers have used computers to remotely shut off power in Ukraine.

One Ukraine resident called it a “boomerang”—the return of the cyber-caused blackout to her country.


A Ukraine resident described the second blackout as a ‘boomerang’ on Facebook.


In December 2015, computer attackers knocked out the lights for more than 200,000 homes and businesses in several parts of the country.

Almost exactly one year later, it happened again—in the Ukrainian winter, when electricity is all the more crucial for survival.

“The 2016 Ukraine attack represents the second ever known intentional cyber attack that has caused a power outage in a power grid,” said Robert M. Lee, CEO of cybersecurity company Dragos, Inc. “This is concerning for numerous reasons.” 


Image of the “North” substation in the Kiev area affected by the December 2016 outage, according to Wikimapia. Photo credit: Kukurbito. Creative Commons license Attribution-ShareAlike (CC-BY-SA) 


New findings

Researchers presented their findings about the December 2016 attacks at the S4 cybersecurity conference in Miami today. 

Marina Krotofil and Oleksii Yasynskyi also outlined their research in a Motherboard article.

“The attackers had all the possibilities to do more damage,” Krotofil told Archer News. “It seems at this point of time it wasn’t intended.”

The 2016 outage was not as severe as the 2015 attack, according to Ukrainian energy officials.

“Our experts quickly moved equipment in manual control mode and started in 30 minutes to restore power,” said a statement posted on Ukrenergo Acting Director Vsevolod Kovalchuk’s Facebook page.

In about an hour, it was over, the statement said. Last year, it took as long as six hours to bring the power back.

“Max damage attacks are too damaging and cause true political conflict,” Krotofil said. “In contrast, medium impact, low damage won’t.”


Ukrenergo’s acting director, Vsevolod Kovalchuk, posted a statement about the outage on his Facebook page.



Still, the new cyber blackout renews concerns about similar attacks in other countries.

“In 2015, the attack went largely undiscussed in the national policy scene in the U.S.,” Lee told Archer News. “The biggest concern though is that we still do not have senior level government officials coming out to publicly address or condemn the attack.”

Lee said he and other analysts warned at the time that not addressing the issue would only embolden attackers.

“As we continue to ignore such attacks in other parts of the world we will one day find the repercussions of that at our doorstep,” he said.




Positive impact

All is not lost, however.

The 2015 attack did impact the North American private sector in a positive way, Lee said.

“Because of Ukraine’s choice to make so much of the information about the attack public we saw many utilities and asset owners take serious notice, prioritize defenses to help against this type of attack scenario, and use it as a learning opportunity,” he said.

Sharing these kinds of cases internationally will help the American infrastructure community, according to Lee.

“It is my hope that the government catches up to the private industry and starts to publicly take these threats as seriously as we do,” he said.


Ukrenergo’s acting director posted a message on his Facebook page saying that experts were analyzing cyber threats. 


Not the only attack

The hour-long blackout was not the only cyber attack on Ukraine last month.

Malicious hackers shut down the country’s ministry of infrastructure website on the morning of December 16, reported Radio Svoboda.

They also hit the Ukrainian national railway site on December 15, preventing passengers from buying train tickets through the site, Radio Svoboda said in another report.

The National Security and Defense Council of Ukraine said someone was carrying out large-scale cyber attacks on state agencies, critical infrastructure and private sector organizations, according to Radio Svoboda.

The 2016 blackout and the December state agency attacks appear to be tied together, said Krotofil.

“That is how it looks to us,” Krotofil said. “The main reason for the hack this year was sabotage, political and financial destabilization. Not max damage attacks.”


Featured image: The Maidan square in Kiev, Ukraine. Photo credit: Alexxx1979 via / CC BY-SA