Ukraine Cyber Attack: A Mini Project Report
Submitted by
20Y101 Aajay G V
20Y107 Aravinth M
20Y111 Azeemkhan N
20Y113 Charanjith K S
BACHELOR OF ENGINEERING/TECHNOLOGY
in
APRIL 2021
20Y101 Aajay G V
20Y107 Aravinth M
20Y111 Azeemkhan N
20Y113 Charanjith K S
_______________________
Faculty guide (Name)
ACKNOWLEDGEMENT
Without the help and support of all the above-mentioned people, I may not have been able to
fulfill my project and learn different things. I would like to thank all those people
for their valuable contribution and proper guidance throughout my mini project
period.
Finally, I must acknowledge with due respect the constant support and
patience of my parents.
TABLE OF CONTENTS
CHAPTER NO. TITLE PAGE NO.
1 INTRODUCTION 1
3 CONCLUSION 5
CHAPTER 1
INTRODUCTION
The Ukraine power grid hack was a cyberattack on Ukraine's power grid on December 23,
2015, resulting in power outages for roughly 230,000 consumers in Ukraine for 1-6 hours. The attack
took place during an ongoing Russian military intervention in Ukraine (2014–present) and is
attributed to a Russian advanced persistent threat group known as "Sandworm". It is the first publicly
acknowledged successful cyberattack on a power grid.
CHAPTER 2
Vulnerability
In 2019, it was argued that Ukraine was a special case, comprising unusually dilapidated
infrastructure, a high level of corruption, the ongoing Russo-Ukrainian War, and exceptional
possibilities for Russian infiltration due to the historical links between the two countries. The
Ukrainian power grid was built when Ukraine was part of the Soviet Union, has been upgraded with Russian
parts and (as of 2022) still had not been fixed. Russian attackers are as familiar with the software as
the operators are. Furthermore, the timing of the attack during the holiday season guaranteed that only a
skeleton crew of Ukrainian operators was working (as shown in videos).
Method
The cyberattack was complex and consisted of the following steps:
At last, the emergency power at the utility company’s operations center was switched off. In total,
up to 73 MWh of electricity was not supplied (or 0.015% of daily electricity consumption
in Ukraine). Regional electricity distribution company Ukrainian Kyivoblenergo has a dubious
distinction. It is the world’s first power grid provider to be taken down in a cyber-attack.
It all began when its Prykarpattyaoblenergo control center was the victim of a cyber intrusion on
December 23, 2015. The company’s computer and SCADA systems were attacked, disconnecting 30
substations for three hours.
As many as 230,000 customers lost power – approximately half of the homes in the Ivano-
Frankivsk region in Ukraine (population about 1.4 million). The tool used was malware known
as BlackEnergy. Ukrainian government officials came out rather quickly to claim the outages were
caused by a cyber attack, squarely placing blame on Russian security services.
Cyber History:
The intrusion by cyber criminals was the first time the Kyivoblenergo electricity distribution
company was hacked.
Description of Events:
The attack on the power station occurred in the afternoon. An employee was working at his
desk organizing papers when he noticed something very odd. As if by magic, the cursor on his
computer began to move around the screen on its own.
The worker watched – mouth likely agape – as the cursor moved towards buttons that control
a substation’s circuit breakers, clicking on a box to open them – taking the substation offline, leaving
225,000 residents in the dark. The employee made every effort to regain control of the computer. But
it was too late. The attackers had already logged him out. Wired obtained a short clip of the actual
attack, which can be viewed here. NATO also created this short video depicting the event:
You would think the attackers would be satisfied with their efforts – but no. More damage was in
store, as they hit two other power distribution centers, nearly doubling the number of substations
taken offline. The cyber criminals also disabled backup power supplies to two of the three
distribution centers. Even the power grid operators themselves had no electricity.
Systems/Parties impacted:
Mode of Entry:
Events leading up to the day of the actual attack began with activity in the spring of 2015, including a
spear-phishing campaign targeting IT staff and system admins working for various electricity
distribution companies throughout Ukraine. The campaign delivered a malicious email to
employees at three companies. When a recipient clicked on the attachment, a popup asked the email
user to enable macros for the document. Once macros were enabled, a program called BlackEnergy3 infected their
machines and opened a backdoor to the hackers.
The initial effort didn’t net the attackers very much, so they continued moving ahead. Over several
months they conducted extensive reconnaissance, ultimately gaining access to the Windows Domain
Controllers, where user accounts for networks are managed. Here they harvested worker credentials,
some of them for VPNs the grid workers used to remotely log in to the SCADA network. Once the
attackers broke into the SCADA networks, they still had work to do. Slowly the attackers were
preparing for the main event.
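The entry chain above (phished account, harvested credentials, remote VPN login into the SCADA network during a lightly staffed period) is something a defender can correlate in logs. The following is an added example, not code from the report or from any of the organisations it describes; the log lines, host names, user names and addresses are constructed, and the operator network prefix and staffed hours are assumptions.

```python
import re
from datetime import datetime

# Constructed sample logs (not from the report or any real incident).
# MAIL_LOG: email gateway records; VPN_LOG: logins on the assumed SCADA VPN gateway.
MAIL_LOG = [
    "2015-03-12T09:14:02 gw=mx1 rcpt=ivan.it@example-oblenergo.ua attach=invoice.xlsm macros=yes",
    "2015-03-12T09:20:45 gw=mx1 rcpt=olga.hr@example-oblenergo.ua attach=report.pdf macros=no",
]
VPN_LOG = [
    "2015-12-23T14:05:11 vpn=scada-gw user=ivan.it src=10.20.0.15 result=success",
    "2015-12-23T14:10:30 vpn=scada-gw user=maria.ops src=10.20.0.40 result=success",
    "2015-12-23T22:41:37 vpn=scada-gw user=ivan.it src=203.0.113.7 result=success",
]

KV = re.compile(r"(\w+)=(\S+)")
CORP_NETS = ("10.20.",)   # assumed internal operator network prefixes
SHIFT = (7, 19)           # assumed staffed hours, 07:00-19:00

def parse(line):
    """Split 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    rec = dict(KV.findall(rest))
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def macro_recipients(mail_lines):
    """Accounts that received a macro-enabled attachment (the lure stage)."""
    return {r["rcpt"].split("@")[0] for r in map(parse, mail_lines) if r.get("macros") == "yes"}

def suspicious_vpn_logins(vpn_lines, mail_lines):
    """Flag successful SCADA VPN logins that fit the described chain: a phished
    account reused for remote SCADA access, a login from outside the operator
    network, or a login outside staffed hours."""
    phished = macro_recipients(mail_lines)
    alerts = []
    for r in map(parse, vpn_lines):
        if r.get("result") != "success" or r.get("vpn") != "scada-gw":
            continue
        reasons = []
        if r["user"] in phished:
            reasons.append("account received macro-enabled attachment")
        if not r["src"].startswith(CORP_NETS):
            reasons.append("external source address")
        if not (SHIFT[0] <= r["ts"].hour < SHIFT[1]):
            reasons.append("outside staffed hours")
        if reasons:
            alerts.append((r["ts"].isoformat(), r["user"], reasons))
    return alerts
```

The first login by the phished account is flagged only because of the earlier lure, which is the point of joining the two log sources: on its own it looks like a normal in-shift, internal login.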
It all culminated at approximately 3:30 pm on December 23 when the attackers began to open
breakers, and the employees at the Prykarpattyaoblenergo control center realized someone on the
outside had gained control.
The attackers were especially clever and thought of everything, even launching a telephone
denial-of-service attack against customer call centers to prevent customers from calling in to report
the outage.
A cybersecurity expert from Dragos Security, quoted in this 2016 Wired article, said the hack
“was brilliant” and that “in terms of sophistication…what makes sophistication is logistics and
planning and operations and…what’s going on during the length of it. And this was highly
sophisticated.” He added: "What sophisticated actors do is they put concerted effort into even
unlikely scenarios to make sure they’re covering all aspects of what could go wrong."
Per Kaspersky, BlackEnergy – the Trojan used in the Ukraine attack – began circulating in 2014. It
was deployed specifically to conduct DDoS attacks, cyber espionage and information destruction
attacks, especially against companies in the energy industry and those that use SCADA systems.
CHAPTER 3
CONCLUSION
The attack on the Ukrainian power grid is still considered one of the worst intrusions ever. And the
case may not be closed just yet...
As stated upfront, almost immediately following the attack the Ukrainian government blamed
Russia. Until very recently, no one has been officially accused.
On October 15, 2020, a federal grand jury in Pittsburgh (PA) returned an indictment charging
six hackers, all of whom were residents and nationals of the Russian Federation (Russia) and officers
in Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of
the General Staff of the Armed Forces, also known as “Sandworm”.
The very same group may also be responsible for another massive attack, NotPetya, which
caused nearly $1 billion in losses.
Sandworm may also be responsible for a series of cyber-attacks intended to impact the now
delayed 2020 Summer Olympics in Tokyo. The British government is concerned next year’s Games
may have been targeted.