Some 700,000 Ukrainians lost electricity as Christmas approached. Signs point to Russian hackers — and it could be a harbinger of cyberstrikes to come.
American officials have long warned that hackers could use digital tools to knock out a power grid. A Russian-linked group may have done exactly that in Ukraine, killing power for 700,000 people on Dec. 23 — and offering a warning of how cyberweapons have become a tool of modern warfare.
Details on the attack, which affected one Ukrainian energy firm and may have targeted two more, remain scant. Ukrainian authorities, however, have accused Moscow of causing the late December outage, and now a leading American cybersecurity firm says that its own analysis suggests that Russian-linked hackers — who often appear to be carrying out the Kremlin’s bidding — were responsible.
The company, iSight Partners, analyzed some of the code found on infected computer systems in Ukraine and concluded that a hacking group it calls Sandworm — and which is thought to have links to Moscow — was almost certainly responsible for the attack. The hack knocked out power for several hours in the Ivano-Frankivsk region of western Ukraine.
U.S. officials have long warned that attacks of the kind possibly observed in western Ukraine could affect the United States. By knocking out a section of the power grid, hackers working on behalf of a foreign power could cripple entire sections of the country and cause enormous economic damage. These warnings have been alternately cited as the inevitable outcome of how digital tools will revolutionize warfare or as hopelessly outlandish fearmongering to help boost defense spending on cybertools. If confirmed, the attack in western Ukraine would likely be the first time a digital weapon has been used to cut power in a large area.
The National Security Agency referred questions on the iSight report to the Department of Homeland Security, which declined to comment. The White House did not return questions about the report. The CIA declined to comment.
If events in Ukraine turn out to be the work of a hacker group, the power outage provides a taste of how digital tools can be put to work as offensive weapons in the 21st century. While cyberweapons have been touted as the next frontier of warfare, achieving physical effects through the use of digital weaponry — hacking a system to, say, blow something up — remains confoundedly complex. Stuxnet, a U.S.-Israeli bug that attacked centrifuges used in Iran’s nuclear program — has until now been one of the few examples of code being successfully used for sabotage.
John Hultquist, iSight’s director of cyber-espionage analysis, acknowledged that his analysts couldn’t definitively confirm that Sandworm is working on behalf of the Russian government. But for several years, Hultquist has watched as Sandworm — so named because the group riddled its code with references to the science fiction classic Dune — has carried out operations clearly in line with Russian national interests.
“They go after targets that provide no immediate monetary value, operations that have no street value outside of government work,” Hultquist told Foreign Policy.
Last year, iSight observed the group deleting videos and other content from the servers of Ukrainian media organizations during the country’s October elections. At other times, iSight has documented the group attempting to hack European Union institutions, NATO targets, and American government entities. The group has repeatedly carried out what Hultquist describes as reconnaissance operations against European energy firms, possibly with a view toward carrying out cyberattacks against them.
As early as 2013, Sandworm attacked NATO computers, and researchers have observed the group targeting industrial control systems operating GE software. The group has also repeatedly targeted European telecommunications firms.
Sandworm uses a distinctive hacking tool known as BlackEnergy, and the presence of that program on one of the affected Ukrainian computer systems is a key piece of evidence that has led iSight to finger the group. In 2014, American authorities alerted industrial control systems operators about the possibility that BlackEnergy could be used to infect their systems.
Moreover, iSight has found that the infected Ukrainian systems also contain a wiping tool — a program that deletes computer data and can be used to cover up the evidence of a cyberattack — known as KillDisk that was also observed in the cyberattacks in Ukraine around the time of last year’s elections.
But the cybersecurity community remains intensely divided about what exactly the presence of BlackEnergy and KillDisk goes to show. KillDisk is merely a wiping program, and industrial security experts say the deletion of data is not enough to trigger a power outage. BlackEnergy can be used to give hackers remote access to a system, but it can’t, on its own, bring down an electricity grid.
But Ralph Langner, an industrial security expert perhaps best known for authoring the definitive analyses of Stuxnet, the U.S.-Israeli bug that attempted to cripple the Iranian nuclear program, said the mere presence of BlackEnergy and KillDisk doesn’t prove that power was knocked out with a cyberweapon nor that Sandworm was involved.
As a result of Sandworm’s reconnaissance activities, BlackEnergy is present on hundreds of computers used in managing power grids. Langner says its presence in Ukraine is perhaps not surprising, and, as of now, analysts poring over the available code have been unable to determine how the hackers turned off the lights in western Ukraine.
Researchers analyzing the attack have not identified any code that could have been used to target an industrial control system, and without that code, Langner says there is little basis to call the power outage the work of a cyberattack. “Once we see that, then we would have the evidence on the table,” Langner said. “With Stuxnet, it was clear from the code: OK, this is a cyber-physical attack against an enrichment facility in Iran.”
Robert M. Lee, an instructor at the SANS Institute and a former Air Force cyberwarfare operations officer who has examined code found on affected Ukrainian machines, said the analysis of the attack remains in its early stages. While BlackEnergy and KillDisk have been used to identify the likely perpetrators, they provide little indication on the mechanics of the attack. “The overall narrative of an attack on the Ukrainian power grid will likely be true, but the exact methods may change,” Lee said.
If the power outage in western Ukraine is confirmed to have been caused by a cyberattack, it would mark a major escalation in the use and proliferation of cyberweapons. But if a Russian-linked group was responsible for the attack, its motive would be a bit difficult to discern. In recent months, Russia has sought to tamp down fighting in eastern Ukraine and has militarily intervened in Syria at least in part to undermine the isolation imposed on Moscow in the aftermath of its annexation of Crimea. Knocking out power in western Ukraine would seem to escalate conflict in that country at a time when Russia would like things to stay quiet there.
Still, there is a plausible rationale for Russia carrying out such an operation. In recent weeks, pro-Ukrainian activists have reportedly cut power lines to Crimea, causing widespread power outages in the Russian-claimed enclave. Knocking out power for thousands in western Ukraine may be an attempt to retaliate for that sabotage, said Steven Pifer, a former U.S. ambassador to Ukraine and the director of the Arms Control and Non-Proliferation Initiative at the Brookings Institution.
Photo credit: ANATOLII STEPANOV/AFP/Getty Images