Russia suspected in first-ever cyberattack on Ukraine’s power grid

In the last months of 2015, the conflict between Russia and Ukraine over Crimea’s annexation and continuing strife in Ukraine’s east appeared largely to be in stalemate. But now, with the new year, it appears the conflict is heating up again, and playing out on the region’s electric grids.

On Dec. 23, a massive power outage in western Ukraine left approximately 700,000 homes in the dark. That outage was quickly followed by two smaller outages in Ukraine’s Ivano-Frankivsk region. The outages were short-lived, and at the time, believed to be benign in nature.

Now, both the Ukrainian government and the private cybersecurity firm ESET say they have discoveredmalware inside the command and control systems at the affected power generators, raising the specter that unknown hackers intentionally targeted Ukraine’s power grid.

“If confirmed this would be the first time that malware, as an external threat, targeted another nation-state’s power grid ever,” says Barak Perelman, CEO and co-founder of the Israel-based cybersecurity firm Indegy. “Any type of network interference that might shut down a grid should be considered a cyberattack, whether it originated inside the company or as an external threat.”

More bugs possible

It’s been rumored for years, but never proved, that various power failures around the world might have been the result of hackers. The malware inside Ukraine’s power grid might offer proof of that. The Daily Beast reports that copies of the malware have been sent to U.S. cyber-analysts at the CIA, the NSA and the Department of Homeland Security.

Perelman notes that while malware forensics may reveal clues about how the generators’ operational networks, or OTs, were infected, discovering who authored and deployed the bugs will prove difficult.

“Even if you find forensic information about the author, you can never really know whether that was planted there deliberately or not,” he said. “But more interesting is specifically what the malware did to interfere with the industrial controllers. By learning how it worked, either at the generation plants or the substations that deliver power, you can protect from future incidents.”

Perelman adds that it’s also “very reasonable to believe” that similar bugs remain in Ukraine’s grid and, in fact, may have also infected the power systems of other nations – including the U.S.

Principal suspect

Not surprisingly, Russia has figured as the principal suspect in planting the Ukrainian malware. Neither Russian or Ukrainian officials have spoken about the incident publicly, but in the past, government-linked Russian hackers have been tied to cyber-attacks in Estonia, Georgia and elsewhere.

Ukraine’s power grid may also have been targeted by pro-Russian hackers for another reason. In November of last year, much of Crimea’s electric power was cut after lines and a substation of the Ukrainian-based electric supplier were damaged in what many believe to be an attack by Ukrainian nationalists. The malware infection may have been prompted by that outage.

If the Ukraine outages are ultimately proven to be the work of hackers targeting another nation’s electric grid, it would represent a significant escalation, and might even eventually be identified as an act of war.

“There’s really no internationally agreed upon rule book of what constitutes cyber-war,” Bob Twitchell, CEO of the cybersecurity firm Dispersive Technologies, told VOA.

“Technology can do many different things, but it always comes back to policy: what’s the technology, what do you want to do with it, what’s fair and not fair, and what’s completely unacceptable,” Twitchell said.


Governments have generally been vague about defining what is and isn’t an act of cyberwar. Last year U.S. Secretary of Defense Ashton Carter warned potential adversaries that the U.S. is ready to respond to any act of cyberwar.

But the DoD strategy document does not discuss what specifically constitutes cyberwar. And that, says former Assistant Secretary of Homeland Security Stewart Baker, is because war – cyber or otherwise – is a messy business.

“It is the things that both sides decide they are not prepared to do. And usually that’s a mix of humanity, basic morality and hard-headed assessment that it won’t do much good but will cause massive pain if the enemy does it to you,” he said.

That said, Twitchell, Baker and other analysts VOA has spoken with agree that the intentional targeting and destruction of one nation’s power grid by another would clearly represent an act of war.


(Photo: John Mason/