Cyber attack on a power plant in Ukraine: is Russia responsible?

On 23 December 2015, power cuts took place in parts of Western Ukraine following a cyber attack. Right from the day of the cuts, the company Prykarpattyaoblenergo declared that this incident was caused by outside intervention, but did not say by whom. The Ukrainian security services (SBU) accused the attackers of close involvement with Russia.

With relations between the two countries particularly tense due to the civil war raging through Eastern Ukraine, cyber attacks from both camps are common, as are hasty accusations. However, in this case the effects of the attack are real, with several hundred thousand people suffering power cuts lasting several hours.

The Trojan horse used was Blackenergy, which was the subject of discussion in 2014 when the ICS-CERT released a statement cautioning American industries against it, specifically as it targeted SCADAs. In the case in question, the Trojan horse allowed Disakil malware to be installed. Disakil is particularly destructive: it rewrites part of the Master Boot Record (part of the hard disk containing the partitions and processes that boot up the operating system), making the machine ineffective. When Disakil was activated on the company’s SCADAs exploiting power plants, the machines under attack could no longer respond, causing power cuts.

Linked to a “storm of calls” to the switchboard operator in order to paralyse the company’s services, the attack seems to have been planned by a particularly well-organised group. Additionally, the consequences of the attack are very real for the several hundred thousand people plunged into darkness in the period leading up to end of year celebrations; it is the first publicly recognised attack on a SCADA with especially serious repercussions on the operations of the targeted industry.

However, the issue of attributing these attacks – and particularly this one – is a question that is difficult to answer. Indeed, while several security researchers seem convinced that Russia is behind the attack, knowing whether it was actually supported by the State or was an act by an isolated group (or somewhere between these two extremes) is particularly complex.

Answering this question is essential to relations between these two countries. If it is not attributed to a specific party, it will be impossible to provide an adequate and measured response to the damage suffered, as it will be impossible to know who launched the attack.

Similarly, if the community of security researchers is inclined to attribute this attack to the group Sandworm, whose Black Energy malware seems to be their ‘signature’, linking this group with decision-makers high up in the Russian state is particularly delicate and cannot be done exclusively though computer-based means.

The increased level of attackers, proven here by the very real consequences their actions have, therefore raises the question of States’ responses to actions resembling those by combatants, such as a cyber attack that plunged an entire region into darkness.