Home / Blog / A new cyber-attack on the Ukrainian electrical network?

A new cyber-attack on the Ukrainian electrical network?

Posted on 01/04/2017, by INCIBE
A new cyber-attack on the Ukrainian electrical network?

After the failure in the electric service suffered last year because of the Trojan BlackEnergy which cut the power in thousands of households in the Ukrainian region of Ivano-Frankvisk (1.5 million inhabitants approximately), other news are being released in Ukraine regarding major cybersecurity-related incidents such as the recent brute-force attack on WordPress sites, or a new industrial cybersecurity incident.

In particular, Ukraine might have suffered a new cyber-attack on its electrical network, as stated in an article published in The Register. This article stated that the suspected attack did not target the distribution system of the electrical network but affected the processing of power at the transmission level carried out in a substation, the purpose of which is to establish the appropriate voltage levels so that electric power can subsequently be transferred and distributed.

Besides, SANS experts include in another article on this subject specific information on the events, which might or might not constitute a cyber-attack. The article shows an evolution of such events from the end of the 17 December 2016, when a failure in the control system caused the deactivation of a substation, due to a suspected cyber-attack, at the transmission level, in the Novi Petrivtsi area (North to Kiev).

In this regard, the company Archer security group, just like the SANS, expressed a conservative opinion on the origin of the incident, and sticks to the information provided by the Managing Director of  Ukrenergo (Ukrainian power company) on Facebook where he published that a hardware failure might have been the cause of the problems suffered and added that an investigation is being conducted to verify that the incident was not the result of other causes.

Other sources such as Reuters question whether the attack was intentional or just a technological failure or incident. It also includes a discussion on why it should be considered an intentional attack according to the different opinions expressed in this article.

Among the population affected, there are clients of the company Kyivenergo, a local distribution company in the Northern region of Kiev. These supply issues led to cuts in different districts in this region to the North of Kiev. Such cuts lasted for an hour and 15 minutes.

According to the company, the restoration of the electric service started 30 minutes after its detection, when the technicians switched from automatic to manual mode in order to perform all necessary procedures and stabilise the system.

Número total incidencias registradas por distritos en Kiev

- Total number of incidents registered by district in Kiev, (source) kyivenergo.com/uk/press-tsentr/1430-ctan-zabezpechennya-pat-kiyivenergo-co-ta-gvp-na-ranok-16-gr  (Link currently unavailable)-

While analysing all information published regarding this suspected cyber-attack, it is important not to draw alarming conclusions or ones that may be misleading, as stated by the expert in industrial cybersecurity Robert M. Lee on his blog.

On this blog, you may read some guidelines against this kind of incident. One of the main guidelines given the characteristics of the incident suffered is the preparation of a detailed analysis of the access logs, whether VPN sessions, remote desktop, etc. Such analysis should determine the facts so as to draw conclusions with a more specific foundation of the intentionality of the failure in the electric service.

The main conclusion regarding this type of situation is the importance of the information exchange on cyber-attacks and their management, which can be used by other companies to obtain lessons learnt or implement procedures in the event of failures or when detecting problems in the network infrastructure based on the actions performed by other companies.