Hackers caused a power outage in Ukraine during holiday season, researchers say, signalling a potentially troubling new escalation in digital attacks.
"This is the first incident we know of where an attack caused a blackout," said John Hultquist, head of iSIGHT Partner's cyberespionage intelligence practice. "It's always been the scenario we've been worried about for years because it has ramifications across broad sectors."
Half of the homes in Ukraine's Ivano-Frankivsk region were left without power for several hours on December 23rd, according to a local report that attributed the blackout to a virus that disconnected electrical substations from the grid. Researchers at iSight on Monday said their analysis of malware found on the systems of at least three regional electrical operators confirmed that a "destructive" cyberattack led to the power outage.
Electrical outages can lead to ripple effects that leave communities struggling with things like transportation and communication, according to security experts who have long warned about the potential for cyberattacks on the power grid.
In this case, the attackers used a kind of malware that wiped files off computer systems, shutting them down and resulting in the blackout, Hultquist said. At least one of the power systems was also infected with a type of malware known as BlackEnergy. A similar combination was used against some Ukrainian media organizations during local elections last year, he said.
A blog post from cybersecurity company ESET also reported that BlackEnergy malware helped deliver the destructive component "in attacks against Ukrainian news media companies and against the electrical power industry."
While ESET's analysis showed the destructive element was "theoretically capable of shutting down critical systems," it said BlackEnergy malware's ability to take control of a system would give attackers enough access to take down the computers. In that case, the destructive element may have been a way to make it harder to get the systems up and running again, according to ESET.
Hultquist believes the attacks that caused the blackout were the work of a group iSight dubs "Sandworm" that the company previously observed using BlackEnergy. In a 2014 report, iSight said the group was targeting NATO, energy sector firms and U.S. academic institutions as well as government organizations in Ukraine, Poland and Western Europe.
"Operators who have previously targeted American and European sensitive systems look to have actually carried out a successful attack that turned the lights out," Hultquist said.
He described the group as "Russian," but declined to connect it to a specific government or group. Other destructive cyberattacks in the past have been attributed to government actors -- such as attacks on Iranian nuclear facilities thought to be the result of a collaboration between the U.S. and Israel, or the Sony Pictures entertainment attack blamed on North Korea.
But experts warn that, while is easy to come to circumstantial conclusions about cyberattacks, it can be very difficult to pin down who was responsible -- or even what exactly happened. And there have been false alarms about cyberattacks on infrastructure in the past.
In 2011, experts said that a pump failure at an Illinois water plant appeared to be caused by foreign hackers. However, it was later reported that there hadn't been any malicious activity: Instead, a remote login to the plant's computers systems from a contractor traveling in Russia was mistakenly connected to the issue.
"It's easy to assume this threat actor is controlled by the Russian government and they intentionally shut down power in this region in Ukraine, but evidence to prove that conclusion is very difficult to obtain for various reasons," said Tom Cross, chief technology officer at cybersecurity firm Drawbridge Networks.
The picture can often become clearer as more information trickles out, but the public and even some of those investigating may not be operating with all the facts, according to Cross.
"When a plane crashes, the FAA publishes all of the details about the incident. That makes sense because we pilots want to know what to do to avoid the next crash," he said. "In our industry, when something like this happens, some information comes out and some doesn't."
Not everyone necessarily has an interest in fully disclosing the attacks because it might embarrass them or give new information to attackers, Cross said. But he argues that the more people know the details about the attack, the better the security industry can prepare for the next one.
"People should operate with an abundance of caution and assume the threat is real while demanding technical detail and evidence," he said.
Assuming that the hackers did take out the power in Ukraine, there was a silver lining, according to Cross: The grid seems to have rebounded quickly.