It seemed clear from the beginning, she said. The newest big blackout in Ukraine in December 2016 was no accident.

“That was not like a failure. Failure happens in some random way,” said Marina Krotofil, security researcher with Honeywell who is also from Ukraine. “It was manipulated.”

But Krotofil and the other researchers who investigated the sudden, suspicious power outage—the second in a year’s time—needed to confirm.

They spent hours going over logs and looking for clues. At last, they found the evidence that revealed the entirety of the attack.

Once again, hackers had shut off power to people in Ukraine in the cold of winter.

“I was very frustrated that it happened again,” Krotofil told Archer News.

Even worse, the new attack shows signs that the malicious hackers are developing new tactics and skills.

“The attackers are progressing,” Krotofil said. “It means somebody is developing these capabilities and they plan to use them in the future.”


Kiev in November 2016, three weeks before the cyber blackout. Photo credit: marketingthechange via / CC BY


New skills

The first Ukraine cyber blackout in December 2015 was dramatic, sophisticated, well-planned, with coordinated attacks coming from all sides.

Hackers went after at least three different power companies at the same time. More than 200,000 homes and business went dark, and it took five or six hours to get them back.

This time, they hit just one substation and power was back on in about an hour.

“This attack is not as complicated but still shows perfect capabilities to adapt to a new environment and a new setting,” Krotofil said.

New target

The new target, the Pivnichna or “North” substation in the Kiev area, uses slightly different software and hardware, according to Krotofil. 

“You have to perform recon and you have to have enough knowledge and power to execute such an attack,” she said.

The attack team likely includes a dedicated engineer, or someone with experience carrying out offensives on power systems, Krotofil suggested.

“It’s very concerning,” she said. “They are specifically showing they are interested in new capabilities.”


The Pivnichna substation in the Kiev area was the target of the 2016 attack. Image via Wikimapia Creative Commons license Attribution-ShareAlike (CC-BY-SA)


New techniques

The new attack used carefully-tailored techniques, according to some cybersecurity experts who saw Krotofil’s and researcher Oleksii Yasynskyi’s presentation about the blackout at the cybersecurity conference S4 in Miami last week.

“The malware contained cutting-edge technologies to avoid detection,” said Ignacio Paredes, senior lead technologist at consulting firm Booz Allen Hamilton.

“For instance, it was able to shuffle its own code in memory, creating different footprints in each execution to avoid the pattern-matching that anti-malware uses,” he added.

The researchers determined that the malware had over 500 different builds during a two-week period.

“This means that during that time, the attackers were extremely active modifying and optimizing the malware,” Paredes told Archer News. “All of these indicate that behind the attack there is a well-resourced and motivated team.”

A team that may be just beginning to flex its wings.

“The most disturbing part of the history is the suspicion that Ukraine is serving as a training ground for further attacks and we are seeing just a small part of the potential effects that these guys may have,” Parades said.


Power lines near Odessa, Ukraine. Photo credit: strogoscope via / CC BY


Falling behind?

As the attackers move forward, Ukraine itself may be progressing more slowly.

“We lack a nationwide cybersecurity governance model, standards, an effective compliance process, threats exchange, CERTs [computer emergency response teams], and ISACs [information sharing and analysis centers],” said Alexey Yankovski, president of the Kiev chapter of ISACA.

ISACA is an international non-profit association formerly known as Information Systems Audit and Control Association.

The blackout was one of many cyber attacks on Ukraine in December, including invasions of the national treasury, railway system, and ministries of finance and infrastructure computer systems.

“What I can say is that organizations that have been compromised are for the most part left on their own, without specific guidelines on eradication,” he said to Archer News. “Thus, intruders are likely to still be present in their systems.”


Train station in Lviv, Ukraine. Hackers targeted Ukraine’s national railway agency site in December, preventing some passengers from buying tickets.



He and other volunteers organize preparation, containment and eradication training for organizations hit by cyber attacks, and the government is working on new strategies.

But the country needs more, he said, like comprehensive laws and standards to help protect critical infrastructure and detailed advisories on this and other attacks.

Other countries should want to help, too, since the attacks on Ukraine will probably spread, he explained.

“Information sharing of the malware samples should be established with Ukraine in order for the rest of the world to be prepared for the attacks that international hacker groups tested on Ukrainian infrastructures,” Yankovski said. 


Power lines in the Donetsk region of Ukraine. Photo credit: spoilt.exile via / CC BY-SA


Looking forward

Ukraine’s national energy company said it is still investigating the power shutdown, and added there is an urgent need for the formation of a sectoral energy cybersecurity strategy.

“The conclusions to be made on the results of the investigation will include both organizational and technological measures to prevent cyber threats and minimizing their consequences in the future,” Ukrenergo said in a statement to Archer News and other organizations.

Electricity market participants will unite to come up with organizational and technological solutions to reduce risks, Ukrenergo said.

“For Ukrenergo increasing automatization of technological processes and equipment is a dynamic and irreversible process,” the statement said. “That’s why reliable information multilevel protection of the Company’s IT infrastructure currently has the highest priority.”


Kiev on December 26, 2016, nine days after the cyber blackout. Photo credit: spoilt.exile via / CC BY-SA



Krotofil and her colleagues want to publish an in-depth report about the Ukraine power attacks, including a full timeline of events, she said, though they’re finding obstacles in their way—like organizations concerned about sensitive data and reputation.

“You need to know everything, where the attackers are and what they do,” she said. “So many more steps before the final consequence. So many tools used by the attacker.”

The report could help others prevent potentially deadly power attacks.

“For example, if some hospital or some person at home depends on a medical device and power is not available, that person can die,” she said. “Really, by this power outage, you’re executing attacks on civilians. This is an attack on civilians. This is already war. “

She is frustrated that a cyber blackout could—and did—happen again.

“We should have and made it clear to the entire world and said, ‘This is unacceptable.’ Nobody stood up. Nobody said anything. Now this is the new normal,” said Krotofil.


Featured image: Ukraine power structure. Image credit: Photo credit: Skadge via / CC BY-SA