Reports have been emerging from Ukraine over the past several days of a coordinated power outage on the 23rd of December that affected approximately 230,000 customers across several oblasts in western Ukraine, primarily in Ivano-Frankivsk. The outage lasted between one and six hours depending on location. The state security service of Ukraine (SBU) yesterday confirmed that the incident is being investigated as a cyber attack (SBU statement, December 28, via Reuters). Ukrenergo, the national grid operator, has acknowledged the involvement of "interference" in the operation of the affected distribution companies. iSight Partners and ESET researchers have separately reported finding the BlackEnergy malware family on the affected utility networks.
I am writing this knowing that the public detail will firm up substantially in January as the investigation reports become available. The contemporaneous reading, with the information available today, is preliminary in important respects. With that caveat, this incident appears to be the first publicly confirmed cyber attack on a national electrical grid that produced an outage with customer impact. That is a category change in industrial-control-system security, one the operational community has been slowly preparing for over the better part of a decade.
What is being reported. The affected utilities are three distribution companies — Prykarpattyaoblenergo, Chernivtsioblenergo, and Kyivoblenergo — operating on legacy SCADA infrastructure of the kind common across the post-Soviet electrical sector. The BlackEnergy 3 malware appears to have been delivered through spear-phishing emails with malicious Microsoft Office attachments (ESET preliminary blog post — note: this ESET post will go live in early January with more detail than was public on the 23rd). The BlackEnergy family has been associated, in earlier reporting through 2014, with a threat group sometimes labelled Sandworm; the attribution has been to a Russian state actor in Western government statements but the public technical evidence has been incomplete.
The technique appears to combine two phases: a long initial-access and reconnaissance period, followed by a coordinated operational phase on the day of the outage that included remote interaction with the SCADA HMI consoles to open breakers, denial-of-service against utility telephone exchanges to prevent customer reporting, and a wiper component to render workstation systems unusable post-event. The wiper component is the part that distinguishes this from earlier ICS-malware research like Stuxnet (which was process-specific) or the BlackEnergy 2 activity from 2014 (which was access-focused without operational disruption). The combination of physical impact, operational disruption, and post-event obstruction is, on the early reporting, unprecedented at this level of confidence.
For the operational community, the immediate worth of this incident is in what it confirms about a capability that has been theorised in research papers and tabletop exercises for years. The 2007 Aurora generator demonstration at INL, the 2010 Stuxnet revelation, the 2014 NCCIC alerts on Havex/Dragonfly targeting energy-sector ICS — there is a well-documented research and threat-actor track record that has, until now, lacked a confirmed operational attack with customer-visible impact. Ukraine is, perhaps unfortunately, the place where the demonstration has happened, partly for reasons of legacy infrastructure and partly for the geopolitical reasons that have made it a target for the past two years. The implication for utilities elsewhere is not "this could happen to us tomorrow" — the path from spear-phish to breaker-control runs through specific operational architecture choices that are not universally present — but it is "this is now a confirmed-feasible attack pattern, not a theoretical one".
For the engagement and SOC work, the implications I will write up properly in January are around the following themes. ICS network segmentation against IT — the principle is well-known but the practical posture in many utility networks remains weaker than the principle suggests. Privileged-account behavioural monitoring on SCADA-engineering workstations — the same pattern that I have written about in the financial-services context (Carbanak, Anthem, OPM) applies here, with the additional note that the engineering-workstation population is small, the legitimate behaviour patterns are well-defined, and the detection signal-to-noise is potentially better than in commercial environments. Wiper preparedness — the operational assumption that incident response can begin from intact endpoint forensics needs to be replaced with the assumption that endpoints may be deliberately destroyed as part of the attack, and the IR playbook needs to assume image preservation off-host before destruction. Telephony and customer-channel resilience — the DoS against the utility call centres in Ukraine was a tactical innovation that turned a few-hour outage into a several-hour one by preventing the utility from receiving and responding to customer reports.
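The privileged-account monitoring theme above rests on the claim that an engineering-workstation population is small enough, and its legitimate behaviour regular enough, for a simple per-account baseline to produce a usable signal. The following is an added illustration of that idea, not code from the original post or from any of the investigations cited; the log format, host names, accounts, addresses and the "HMI-" naming convention are all constructed for the example. It builds a baseline per account (hosts reached, source addresses used for remote logons, active hour window) from a quiet period, then scores a later day's events and escalates any anomaly that touches a host in the HMI population.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (hypothetical, not from the incident). Each line is a
# flattened rendering of a Windows logon event: timestamp, account, target host,
# logon type (2 = interactive console, 10 = RemoteInteractive/RDP) and source address.
BASELINE_LOG = """\
2015-12-01T07:58:10 user=eng01 host=ENG-WS-01 type=2 src=-
2015-12-01T08:02:44 user=eng02 host=ENG-WS-02 type=2 src=-
2015-12-02T08:01:12 user=eng01 host=ENG-WS-01 type=2 src=-
2015-12-02T13:40:05 user=eng01 host=HMI-01 type=10 src=10.10.5.11
2015-12-03T07:55:31 user=eng02 host=ENG-WS-02 type=2 src=-
2015-12-03T14:12:50 user=eng02 host=HMI-02 type=10 src=10.10.5.12
2015-12-04T08:03:27 user=eng01 host=ENG-WS-01 type=2 src=-
2015-12-04T16:30:00 user=eng01 host=HMI-01 type=10 src=10.10.5.11
"""

# Constructed events for the day being scored.
NEW_LOG = """\
2015-12-23T08:00:02 user=eng01 host=ENG-WS-01 type=2 src=-
2015-12-23T15:31:45 user=eng01 host=HMI-01 type=10 src=10.10.5.11
2015-12-23T15:35:09 user=eng01 host=HMI-02 type=10 src=192.168.77.4
2015-12-23T23:41:18 user=eng02 host=HMI-02 type=10 src=10.10.5.12
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) type=(?P<type>\d+) src=(?P<src>\S+)"
)


def parse(log):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["type"] = int(d["type"])
        events.append(d)
    return events


def build_baseline(events):
    """Per account: hosts reached, sources used for remote logons, and the hour window seen."""
    base = defaultdict(lambda: {"hosts": set(), "sources": set(), "hours": set()})
    for e in events:
        b = base[e["user"]]
        b["hosts"].add(e["host"])
        b["hours"].add(e["ts"].hour)
        if e["type"] == 10:
            b["sources"].add(e["src"])
    for b in base.values():
        b["hour_window"] = (min(b["hours"]), max(b["hours"]))
    return dict(base)


def score(events, baseline, hmi_prefix="HMI-"):
    """Return (timestamp, account, host, reasons) for each event that deviates from baseline."""
    alerts = []
    for e in events:
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("account not in baseline")
        else:
            if e["host"] not in b["hosts"]:
                reasons.append("new target host")
            if e["type"] == 10 and e["src"] not in b["sources"]:
                reasons.append("remote logon from unseen source")
            lo, hi = b["hour_window"]
            if not lo <= e["ts"].hour <= hi:
                reasons.append("outside baseline hours")
        # Any deviation that lands on an HMI host is escalated rather than merely noted.
        if reasons and e["host"].startswith(hmi_prefix):
            reasons.append("HMI host")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], e["host"], reasons))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for alert in score(parse(NEW_LOG), baseline):
        print(alert)
```

On the constructed data the scorer is quiet on the routine console logon and on the familiar remote session to HMI-01, and raises two alerts: an eng01 remote session to a host and from a source that account has never used, and an eng02 session to HMI-02 at 23:41, well outside that account's working window. In a real deployment the baseline window would be longer and the hour check should tolerate shift patterns, but the point stands that with a dozen accounts and a fixed set of hosts the rule set can be this small. The events must also be forwarded off the workstation as they are generated; the wiper theme above means an analyst cannot assume the local event log will still exist after the fact.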
The specific public detail will land over the next several weeks. There will be a joint US-Ukrainian investigation; the iSight and ESET reports will be published; SANS will produce a follow-up paper. I will be reading those carefully and writing a fuller piece in January or February. The contemporaneous note for tonight is that the threshold has been crossed, the demonstration has been made, and the planning assumption for utility-sector vCISO work in 2016 must include grid-impact attack as a feasible scenario, not a hypothetical one.