Russian Hackers Behind Attack on Ukraine's Power Grid, Researchers Claim

The hacking attack left thousands of citizens in western Ukraine without power in December. Image by Juanedc on Flickr, CC BY 2.0.

The hacking attack left thousands of citizens in western Ukraine without power in December. Image by Juanedc on Flickr, CC BY 2.0.

The alleged cyber-attack that led to a temporary outage of the Ukrainian power grid was likely perpetrared by Russian hackers, according to US researchers.

The cybersecurity research team iSIGHT Partners told Infosecurity Magazine that it was the work of the Russian hacker collective known as the Sandworm Team.

Ukraine's state security service has also blamed Russia for the blackout in Ukraine's western Ivano-Frankivsk region on December 23 that affected about 80,000 citizens. At the time, a local power company, Prycarpattyaoblenergo, reported that part of its service area, including the regional capital Ivano-Frankivsk, was left without power for over six hours due to “interference” in its industrial control systems. Russian officials have so far left the accusations without comment.

The iSIGHT experts assign the blame to the Sandworm collective (whose name is a reference to the “Dune” science fiction series) based on their analysis of the malicious software known as BlackEnergy 3 and KillDisk, which were used in the attack. BlackEnergy is the malware the Russia-affiliated group commonly chooses to use, and monitoring has revealed renewed BlackEnergy activity throughout the past year in Ukraine, with government, telecommunications and energy sectors all being affected. BlackEnergy was also allegedly used in destructive attacks against Ukrainian media during the latest elections.

The Russian hacker group was previously thought to be behind non-destructive attacks in the US and Europe, mainly aimed at espionage, and no outages or physical destruction was reported as a result of those attacks.

“ISIGHT believes the activity is Russian in origin and the intrusions they carried out against US and European SCADA systems were reconnaissance for attack,” an iSIGHT representative told Infosecurity Magazine.

ISIGHT's director of espionage analysis, John Hultquist told Reuters it was not clear if the Sandworm Team was working directly for the Russian government. “It is a Russian actor operating with alignment to the interest of the state,” Hultquist said. “Whether or not it's freelance, we don't know.”


Join the conversation

Authors, please log in »


  • All comments are reviewed by a moderator. Do not submit your comment more than once or it may be identified as spam.
  • Please treat others with respect. Comments containing hate speech, obscenity, and personal attacks will not be approved.