Ukraine's Electrical Grid Gets Knocked Down, But It Gets Up Again … In a Sign of Threats to Come
Wednesday, January 6, 2016 at 2:37PM
Thomas P.M. Barnett in Citation Post, Russia, critical infrastructure, cyberwarfare, resilience
RUSSIA IS OFTEN CREDITED WITH EXPLORING THE SUB-THRESHOLDS OF TRADITIONAL STATE-ON-STATE WARFARE, OR WHAT ONE DEFENSE ACADEMIC HAS DUBBED "GREY-ZONE CONFLICTS."  In some ways, Moscow's experiments in interstate aggression represent a continuing acknowledgment of the overarching strategic reality of mutually assured destruction created by the still-formidable nuclear arsenals of the world's major military powers - i.e., Russia knows not to go there.  But great powers still want to act like great powers, so they meddle, they intervene, they topple governments, they support proxies in civil wars, they build artificial islands and militarize them, they insert computer viruses into other states' networks . . . and sometimes they merely send a signal like I can turn off your lights whenever I want.


Vladimir Putin's regime has an established reputation for this sort of international cyber-bullying, launching somewhat impressive online attacks against Estonia in 2007, Georgia in 2008 (as part of its land grab there), and more recently against Ukraine in 2014.  Western security reviews of such incidents typically find little-to-no evidence of official government involvement, and this is the central characteristic of the maskirovka approach (an old Soviet-era term that equates to covert military operations - i.e., masked).  So yeah, the whole point of such shenanigans is to be hide your tracks even as you are rather overtly signaling both capability and intent.

As we used to say about the Soviets during the Cold War, they will try every door and every window until they find one that's unlocked.

Thus, the world is meant to take notice of what recently happened in Ukraine, per WAPO:

Hackers caused a power outage in Ukraine during holiday season, researchers say, signalling a potentially troubling new escalation in digital attacks.

"This is the first incident we know of where an attack caused a blackout," said John Hultquist, head of iSIGHT Partner's cyberespionage intelligence practice. "It's always been the scenario we've been worried about for years because it has ramifications across broad sectors."

Indeed, the hackers-taking-down-electrical-grids is the sine qua non of the "cyber Pearl Harbor" or cybergeddon attack scenario that worries owners and operators of critical infrastructures around the world - but particularly in the US, where 88% of them are private-sector firms.

More details ...

Half of the homes in Ukraine's Ivano-Frankivsk region were left without power for several hours on December 23rd, according to a local report that attributed the blackout to a virus that disconnected electrical substations from the grid. Researchers at iSight on Monday said their analysis of malware found on the systems of at least three regional electrical operators confirmed that a "destructive" cyberattack led to the power outage.

Impression made ...

Why it matters for critical infrastructure writ large:

Electrical outages can lead to ripple effects that leave communities struggling with things like transportation and communication, according to security experts who have long warned about the potential for cyberattacks on the power grid.

Here the attack almost veers into clandestine mode, meaning the actor in question doesn't worry all that much about its identity being revealed:

In this case, the attackers used a kind of malware that wiped files off computer systems, shutting them down and resulting in the blackout, Hultquist said. At least one of the power systems was also infected with a type of malware known as BlackEnergy. A similar combination was used against some Ukrainian media organizations during local elections last year, he said.

So just imagine who was messing with Ukrainian media during local elections last year, and then realize that that same actor didn't bother changing up his cyber pitch this time around because . . . hey, that's not the point here.

Here we get to the true signaling:

While [cybersecurity company] ESET's analysis showed the destructive element was "theoretically capable of shutting down critical systems," it said BlackEnergy malware's ability to take control of a system would give attackers enough access to take down the computers. In that case, the destructive element may have been a way to make it harder to get the systems up and running again, according to ESET. (bolding mine)

That is what should grab the attention of any nation's critical infrastructure operators - not just the takedown capability but the suggested keepdown capacity.

Yes, the fingerpointing is eastward . . .

Hultquist believes the attacks that caused the blackout were the work of a group iSight dubs "Sandworm" that the company previously observed using BlackEnergy. In a 2014 report, iSight said the group was targeting NATO, energy sector firms and U.S. academic institutions as well as government organizations in Ukraine, Poland  and Western Europe.

"Operators who have previously targeted American and European sensitive systems look to have actually carried out a successful attack that turned the lights out," Hultquist said.

He described the group as "Russian," but declined to connect it to a specific government or group . . .

Such is the nature of maskirovka, remembering, of course, that Putin began his career in the KGB.

Now the part that most clearly matters to us here at Resilient Corporation:

The picture can often become clearer as more information trickles out, but the public and even some of those investigating may not be operating with all the facts, according to Cross.

"When a plane crashes, the FAA publishes all of the details about the incident. That makes sense because we pilots want to know what to do to avoid the next crash," he said. "In our industry, when something like this  happens, some information comes out and some doesn't."

Great analogy, suggesting that the lack of industry transparency here can cost us in the long run.  One doesn't counter maskirovka with "proprietary" concealment but with information-sharing.

Not everyone necessarily has an interest in fully disclosing the attacks because it might embarrass them or give new information to attackers, Cross said. But he argues that the more people  know the details about the attack, the better the security industry can prepare for the next one.

"People should operate with an abundance of caution and assume the threat  is real while demanding technical detail and evidence," he said.


As for Ukraine, the final bit of news was heartening:

Assuming that the hackers did take out the power in Ukraine, there was a silver lining, according to Cross: The grid seems to have rebounded quickly.

"The world didn't end here - they did get power back up," Cross said.

This time, yes.  But this scenario will grow less exotic over time, and that's why our resilience still-set must keep pace .

Article originally appeared on Thomas P.M. Barnett (
See website for complete article licensing information.