2015 cyber attack against power distribution in Ukraine

Incident Impacts: Disruption to energy supply
Affected Sector: Energy
Associated Intrusion Sets: Sandworm

On December 23rd 2015, over 230,000 residents were left without power after multiple power distribution companies in western Ukraine were victims of a targeted cyber attack. After gaining access to company environments, reporting suggests that the attackers were then able to remotely control the SCADA distribution management system. According to reports, a total of seven 110 kV and twenty-three 35 kV substations were disconnected for three hours, with additional parts of the distribution grid forced to switch to manual operations.

Subsequent investigations identified BlackEnergy3 malware in victim environments and linked the attack to the Russia-attributed intrusion set Sandworm, also known as Sandworm Team.
