Does Russia’s constant shelling of energy infrastructure highlight Ukraine’s cybersecurity success?
With Russian missiles targeting Ukraine’s energy infrastructure since late March, last week’s attacks have attracted limited attention. A five-hour barrage of missiles and drones on Poltava, Kirovohrad, Zaporizhzhia, Lviv, Ivano-Frankivsk and Vinnytsia resulted in severe damage to generation and transmission, reported by both NPC UKRENERGO and DTEK. As Russia had previously managed to disrupt the Ukrainian electricity system remotely, is the increasing reliance on missiles and drones a sign that cyberattacks are becoming less effective?
BlackEnergy
On December 23, 2015, a significant cyberattack targeted the power grid in western Ukraine, switching off substations operated by Kyivoblenergo, Chernivtsioblenergo and Prykarpattyaoblenergo. This event, which used the BlackEnergy 3 malware to gain access to information systems, marked the first publicly acknowledged successful cyberattack on a power grid. The access enabled the hackers to harvest credentials to log into the SCADA systems, ultimately opening breakers to shut down substations, while overwriting firmware and wiping data to disable the response.
Industroyer
Just under a year later, another cyberattack disrupted electricity substations in Kyiv. The attack lasted about an hour and was carried out using a new threat - the Industroyer malware. Attracting less international attention than the previous attack, Industroyer was nonetheless described as the biggest threat to industrial control systems since the Stuxnet virus destroyed centrifuges at Iran’s Natanz nuclear facility.
Sandworm
Andy Greenberg’s book Sandworm tells the story of how these attacks on Ukraine’s energy system were attributed to a group linked to Russian military intelligence. The same group also unleashed NotPetya in 2017, causing unprecedented damage worldwide as it infiltrated and disrupted major businesses, froze ATMs, shut down railways and plunged hospitals into darkness. That ransomware attack predominantly affected Ukrainian organisations, but the estimated global cost exceeded $10 billion, making it the largest and most devastating cyber assault in history.
Hybrid Attacks
Shortly after the invasion in February 2022, multiple new strains of data-wiping malware were discovered in use against organisations in Ukraine. One of these, Caddywiper, was seen to disrupt a utility’s IT environment immediately following an intrusion of the OT system to trip circuit breakers that coincided with a missile attack. This coordination of cyber and kinetic attacks is an evolution that has long been anticipated, but not previously confirmed to have succeeded.
Global Vulnerabilities
DTEK’s CIO highlighted the strengthening of cyberdefense in response to the blackouts of 2015 and 2016 as the main reason Russian hackers have failed to shut down Ukrainian energy infrastructure.
These incidents were seen at the time as a test run for unleashing malware globally. The US government has reported that BlackEnergy had been found in US utilities, with the Wolf Creek Nuclear plant in Kansas among those compromised. More recently, hacktivists linked to Sandworm posted videos showing intrusion of utilities in Poland, the US and France.
Although Western utilities may not face the same physical threat, and the persistent cyberattacks in Ukraine are not achieving their objectives, the line between digital and physical threats is blurring.
Coverage of the persistent bombardment of Ukraine’s energy infrastructure may be diminishing, but utilities around the world should be paying attention to their cyber defences.
Energy Storage Lead.
6 months ago
Speaking from Ukraine: private power producers in Ukraine are pretty good with cyber attack defense, state-owned companies are pretty good at not investing in cutting-edge automation (read: very low high tech at power plants). Hence there is very little upside for Russians to attack using electrons, so they decided to deliver alloys by air.
IT Manager at Global Blue Portugal | Specialist in Digital Technology and CRM
6 months ago
The shift to missiles and drones is alarming, signaling a concerning escalation in tactics. Cyberattacks may be losing their efficacy in causing significant damage.
Jon Ferris The attacks on Ukraine's energy infrastructure highlight the complex challenges posed by hybrid warfare tactics, combining traditional and cyber elements. It's imperative for policymakers to adopt a multifaceted approach to address these threats effectively. How can countries collaborate to develop comprehensive strategies for safeguarding critical infrastructure?