In December 2016, Russian hackers planted malware, usually referred to as "Industroyer" or "Crash Override", in the network of Ukrenergo, Ukraine's national transmission grid operator. Shortly before midnight on 17 December, about a week before Christmas, they used it to open every circuit breaker at a transmission substation north of Kyiv, Ukraine's capital, cutting power to part of the city within seconds.
The attack has raised questions that still have no definitive answers. First, what was the real objective? Second, and more puzzling, why was an attack capable of blacking out a city in an instant undone roughly an hour later by operators simply closing the circuit breakers again by hand?
Researchers at Dragos, the industrial control system security firm, have published a paper that reconstructs the timeline of the 2016 Ukraine blackout in the hope of answering those questions. The paper, titled "CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack", was produced after the team combed through the malware's code and revisited Ukrenergo's network logs.
In short, Dragos concluded from the evidence that the attackers intended physical damage severe enough to extend the outage to weeks, if not months, and possibly to endanger the lives of the staff on site. If so, the malware that hit Kyiv's power supply would join only two other known pieces of malicious code built to damage physical equipment, Stuxnet and Triton, which struck Iran and Saudi Arabia respectively.
The real substance of the argument lies in the details. Joe Slowik, the Dragos analyst who wrote the paper, put it this way:
"While this ended up being a direct disruptive event, the tools deployed and the sequence in which they were used strongly indicate that the attacker was looking to do more than turn the lights off for a few hours. They were trying to create conditions that would cause physical damage to the transmission station that was targeted."
More specifically, Dragos's theory is that the attackers combined Crash Override's ability to send automated commands that trip circuit breakers with a separate module that exploits a known denial-of-service vulnerability (CVE-2015-5374) in Siemens Siprotec protective relays of the kind installed at the substation. Protective relays watch the current, voltage and frequency on the lines they guard and trip the breakers when a fault appears, isolating it before it destroys equipment. Siemens released a fix for the vulnerability in 2015, but many Ukrainian substations had not applied it. That left relays that an attacker with network access could knock out with a single crafted packet sent to UDP port 50000, putting the device into an unresponsive state, effectively "asleep", until someone restarted it by hand. Patching, or at minimum blocking that port from everything except the engineering hosts that legitimately need it, is the practical defence.
To make sense of this, Dragos went back through Ukrenergo's logs and tied together the threads it had uncovered, reconstructing the attackers' sequence of actions for the first time. First, they deployed Crash Override. Second, they used it to open every circuit breaker at the substation north of Kyiv, causing the blackout. Third, about an hour later, they launched a wiper component that destroyed the substation's control workstations, blinding operators to the state of the station's digital systems. Fourth, they launched the denial-of-service against four of the station's Siprotec protective relays, which, had it worked, would have left the equipment exposed to fault currents with nothing to isolate them.
Dragos believes this set the stage for what followed: Ukrenergo's operators would rush to re-energise the transmission lines, and if a fault existed on a line whose relay had been silenced, nothing would trip the breaker. The resulting fault current could have caused an explosion or fire that would have been catastrophic for the substation and for the people on site. Sergio Caltagirone, Dragos's director of intelligence, remarked:
"They've pre-engineered attacks that harm the facility in a destructive and potentially life-threatening way when you respond to the incident. It’s the response that ultimately harms you."
In reality, the chain of events did not run to completion. Dragos could not determine why; it suspects either a mistake in the attackers' own network configuration or a quick response by on-site staff who found and restarted the "sleeping" Siprotec relays.
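The staged sequence Dragos reconstructed (a burst of breaker-open commands, then control hosts going dark, then protection relays going silent) is exactly the kind of pattern a substation monitoring team can correlate, and the lesson of the "it's the response that harms you" quote is that restoration should be gated on the protection being verified alive. The following is an added example, not code from Dragos, Ukrenergo or the original article: it runs a three-stage sequence detector over a constructed event log and implements a simple reclose gate. The event format, host names, bay names and relay names are hypothetical; a real deployment would feed it from IEC 104 command logs, host availability alerts and relay heartbeat polling.

```python
"""Sequence detector for a protection-focused substation attack, plus a reclose gate.

Added example. The event format (ISO timestamp, event kind, asset name), the
bay-to-relay mapping and the sample log are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Event:
    ts: datetime
    kind: str    # breaker_open | host_offline | relay_unresponsive | relay_ok
    asset: str   # bay, workstation or relay name


# Constructed sample log; timestamps are illustrative, not Ukrenergo's real records.
SAMPLE_EVENTS = """\
2016-12-17T23:40:00 relay_ok relay_A
2016-12-17T23:40:00 relay_ok relay_B
2016-12-17T23:52:10 breaker_open bay01
2016-12-17T23:52:11 breaker_open bay02
2016-12-17T23:52:11 breaker_open bay03
2016-12-17T23:52:12 breaker_open bay04
2016-12-18T00:55:03 host_offline scada-ws1
2016-12-18T00:55:04 host_offline scada-ws2
2016-12-18T01:02:40 relay_unresponsive relay_A
2016-12-18T01:02:41 relay_unresponsive relay_B
2016-12-18T01:30:00 relay_ok relay_B
"""

# Hypothetical mapping of each bay to the relay that protects it.
PROTECTION: Dict[str, str] = {
    "bay01": "relay_A", "bay02": "relay_A", "bay03": "relay_B", "bay04": "relay_C",
}


def parse_events(text: str) -> List[Event]:
    """Parse 'timestamp kind asset' lines into chronologically sorted events."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, asset = line.split()
        events.append(Event(datetime.fromisoformat(ts), kind, asset))
    return sorted(events, key=lambda e: e.ts)


def find_mass_trip(events: List[Event], min_opens: int = 4,
                   window: timedelta = timedelta(seconds=60)) -> Optional[datetime]:
    """Return the start time of the first burst of >= min_opens breaker opens inside window."""
    opens = [e.ts for e in events if e.kind == "breaker_open"]
    for i in range(len(opens)):
        j = i + min_opens - 1
        if j < len(opens) and opens[j] - opens[i] <= window:
            return opens[i]
    return None


def detect_protection_focused_attack(events: List[Event],
                                     stage_gap: timedelta = timedelta(hours=3)) -> dict:
    """Walk the three stages in order; each stage must follow the previous one within stage_gap."""
    result = {"stage": 0, "mass_trip": None, "hosts_offline": [], "relays_unresponsive": []}
    t0 = find_mass_trip(events)
    if t0 is None:
        return result
    result["stage"], result["mass_trip"] = 1, t0
    hosts = [e for e in events if e.kind == "host_offline" and t0 <= e.ts <= t0 + stage_gap]
    if not hosts:
        return result
    result["stage"] = 2
    result["hosts_offline"] = sorted({e.asset for e in hosts})
    t1 = min(e.ts for e in hosts)
    relays = [e for e in events
              if e.kind == "relay_unresponsive" and t1 <= e.ts <= t1 + stage_gap]
    if not relays:
        return result
    result["stage"] = 3
    result["relays_unresponsive"] = sorted({e.asset for e in relays})
    return result


def relay_status(events: List[Event]) -> Dict[str, str]:
    """Latest known state per relay ('ok' or 'unresponsive'); relays never heard from are absent."""
    status: Dict[str, str] = {}
    for e in events:  # chronological, so the last report wins
        if e.kind == "relay_ok":
            status[e.asset] = "ok"
        elif e.kind == "relay_unresponsive":
            status[e.asset] = "unresponsive"
    return status


def safe_to_reclose(bay: str, status: Dict[str, str],
                    protection: Dict[str, str] = PROTECTION) -> bool:
    """Allow re-energising a bay only if its protective relay is confirmed responsive.

    An unknown or unresponsive relay is treated as unsafe: restoring power onto a
    possibly faulted line with no working protection is the failure mode to avoid.
    """
    relay = protection.get(bay)
    return relay is not None and status.get(relay) == "ok"


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(detect_protection_focused_attack(evs))
    st = relay_status(evs)
    for bay in PROTECTION:
        print(bay, "safe to reclose" if safe_to_reclose(bay, st) else "HOLD: protection not verified")
```

On the sample log the detector reaches stage 3 and the gate clears only bay03, whose relay reported back after a restart; bay01 and bay02 stay held because relay_A is still silent, and bay04 stays held because relay_C has never been heard from at all. The thresholds (four opens in a minute, three hours between stages) are assumptions to tune against a real station's normal switching activity.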