Experts Think They've Found The First International Cyberattack To Cause A Blackout

"It's the major scenario we've all been concerned about for so long."

SAN FRANCISCO — On Dec. 23, over 600,000 homes in the Ivano-Frankivsk region of Ukraine lost all power for several hours. Now cybersecurity experts are claiming that the power outage was caused by a cyberattack, likely originating in Russia.

"It's a milestone because we've definitely seen targeted destructive events against energy before—oil firms, for instance—but never the event which causes the blackout," John Hultquist, head of the cybersecurity firm iSight's cyber espionage intelligence practice, told Ars Technica. "It's the major scenario we've all been concerned about for so long."

Ukraine's security service has blamed the incident on Russia for weeks, though definitively establishing the source of cyberattacks is always difficult.

iSight’s researchers attributed the blackouts to a virus that disconnected electrical stations from the power grid. They named the group behind the attacks “Sandworm.” They've previously said the same team was behind a Russian cyberespionage campaign iSight observed in 2014 using the same virus to target NATO, energy sector firms, and government organizations in Ukraine, Poland, and western Europe.

“The team prefers the use of spear-phishing [that is, targeting individuals so that they unwittingly provide the attackers with access] with malicious document attachments to target victims,” wrote iSight. "Many of the lures observed have been specific to the Ukrainian conflict with Russia and to broader geopolitical issues related to Russia."

Sandworm, iSight added, was also known for its use of a virus named “Black Energy.” On Tuesday, the antivirus firm ESET separately reported that multiple electrical stations in Ukraine were infected by a virus they named “BlackEnergy,” which first surfaced two years ago but has since been updated. In its current form, the virus allows an attacker ongoing access to a system, as well as the ability to destroy part of the computer's hard drive and sabotage industrial control systems.

“We have discovered that the reported case was not an isolated incident and that other energy companies in Ukraine were targeted by cybercriminals at the same time,” wrote ESET researchers in a blog post.

Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F.
