
UKRAINE CYBER ATTACK

A MINI PROJECT REPORT

Submitted by

20Y101 Aajay G V

20Y107 Aravinth M

20Y111 Azeemkhan N

20Y113 Charanjith K S

Report submitted in partial fulfillment for the award of the degree of

BACHELOR OF ENGINEERING/TECHNOLOGY

in

COMPUTER SCIENCE AND ENGINEERING (CYBER SECURITY)

APRIL 2021

KARPAGAM COLLEGE OF ENGINEERING


(AUTONOMOUS)
COIMBATORE – 641 032
UKRAINE CYBER ATTACK
BONAFIDE RECORD OF WORK DONE BY

20Y101 Aajay G V
20Y107 Aravinth M
20Y111 Azeemkhan N
20Y113 Charanjith K S

Report submitted in partial fulfilment of the requirements for the degree of


BACHELOR OF ENGINEERING/TECHNOLOGY
in
COMPUTER SCIENCE AND ENGINEERING (CYBER SECURITY)
of Anna University, Chennai
APRIL 2021

_______________________
Faculty guide (Name)
ACKNOWLEDGEMENT

It is a moment of immense pride for me to reveal my profound thanks to our respected Principal, Dr. P. VIJAYAKUMAR, M.E., Ph.D., who happens to be the driving force in all our endeavors.

I express my sincere thanks to our project guide, Ms. MOHANAPRIYA S, Department of Computer Science and Engineering.

I express my sincere thanks to my tutors, who provided me with the necessary guidance and encouragement.

Without the help and support of all the above mentioned people, I may not have been able to fulfill my project and learn different things. I would like to thank all those people for their valuable contribution and proper guidance throughout my mini project period.

Finally, I must acknowledge with due respect the constant support and patience of my parents.
TABLE OF CONTENTS

CHAPTER NO.   TITLE                   PAGE NO.

1             INTRODUCTION            1

2             UKRAINE CYBER ATTACK    2

3             CONCLUSION              5
CHAPTER 1

INTRODUCTION

The Ukraine power grid hack was a cyberattack on Ukraine's power grid on December 23, 2015, resulting in power outages for roughly 230,000 consumers in Ukraine for 1 to 6 hours. The attack took place during the ongoing Russian military intervention in Ukraine (2014–present) and is attributed to a Russian advanced persistent threat group known as "Sandworm". It is the first publicly acknowledged successful cyberattack on a power grid.

On 23 December 2015, hackers remotely compromised the information systems of three energy distribution companies in Ukraine and temporarily disrupted the electricity supply to consumers. Most affected were consumers of "Prykarpattyaoblenergo" (Ukrainian: Прикарпаттяобленерго; servicing Ivano-Frankivsk Oblast): 30 substations (7 110 kV substations and 23 35 kV substations) were switched off, and about 230,000 people were without electricity for a period of 1 to 6 hours.

At the same time, consumers of two other energy distribution companies, "Chernivtsioblenergo" (Ukrainian: Чернівціобленерго; servicing Chernivtsi Oblast) and "Kyivoblenergo" (Ukrainian: Київобленерго; servicing Kyiv Oblast), were also affected by a cyberattack, but on a smaller scale. According to representatives of one of the companies, the attacks were conducted from computers with IP addresses allocated to the Russian Federation.

CHAPTER 2

UKRAINE CYBER ATTACK

Vulnerability
In 2019, it was argued that Ukraine was a special case, comprising unusually dilapidated infrastructure, a high level of corruption, the ongoing Russo-Ukrainian War, and exceptional possibilities for Russian infiltration due to the historical links between the two countries. The Ukrainian power grid was built when the country was part of the Soviet Union, has been upgraded with Russian parts and (as of 2022) has still not been fixed. Russian attackers are as familiar with the software as its operators are. Furthermore, the timing of the attack during the holiday season guaranteed that only a skeleton crew of Ukrainian operators was working (as shown in videos).

Method
The cyberattack was complex and consisted of the following steps:

▪ prior compromise of corporate networks using spear-phishing emails with BlackEnergy malware
▪ seizing control of SCADA and remotely switching substations off
▪ disabling/destroying IT infrastructure components (uninterruptible power supplies, modems, RTUs, commutators)
▪ destruction of files stored on servers and workstations with the KillDisk malware
▪ denial-of-service attack on the call center to deny consumers up-to-date information on the blackout.

At last, the emergency power at the utility company’s operations center was switched off. In total, up to 73 MWh of electricity was not supplied (or 0.015% of daily electricity consumption in Ukraine).

The Ukrainian regional electricity distribution company Kyivoblenergo has a dubious distinction: it is the world’s first power grid provider to be taken down in a cyber-attack.

It all began when its Prykarpattyaoblenergo control center was the victim of a cyber intrusion on December 23, 2015. The company’s computer and SCADA systems were attacked, disconnecting 30 substations for three hours. As many as 230,000 customers lost power, approximately half of the homes in the Ivano-Frankivsk region in Ukraine (population about 1.4 million). The tool used was malware known as BlackEnergy. Ukrainian government officials came out rather quickly to claim the outages were caused by a cyber attack, squarely placing blame on Russian security services.
Cyber History:

The intrusion by cyber criminals was the first time the Kyivoblenergo electricity distribution company was hacked.

Description of Events:

The attack on the power station occurred in the afternoon. An employee was working at his
desk organizing papers when he noticed something very odd. As if by magic, the cursor on his
computer began to move around the screen on its own.

The worker watched – mouth likely agape – as the cursor moved towards buttons that control
a substation’s circuit breakers, clicking on a box to open them – taking the substation offline, leaving
225,000 residents in the dark. The employee made every effort to regain control of the computer. But
it was too late. The attackers had already logged him out. Wired obtained a short clip of the actual
attack, which can be viewed here. NATO also created this short video depicting the event:

You would think the attackers would be satisfied with their efforts – but no. More damage was in
store, as they hit two other power distribution centers, nearly doubling the number of substations
taken offline. The cyber criminals also disabled backup power supplies to two of the three
distribution centers. Even the power grid operators themselves had no electricity.

Systems/Parties impacted:

Anywhere from 200,000-230,000 Ukrainian citizens.

Mode of Entry:

Events leading up to the day of the actual attack began with activity in the spring of 2015, including a spear-phishing campaign targeting IT staff and system admins working for various electricity distribution companies throughout Ukraine. The campaign delivered a malicious email to employees at three companies. When a recipient clicked on the attachment, a popup asked the user to enable macros for the document. Doing so installed a program called BlackEnergy3, which infected their machines and opened a backdoor for the hackers.
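As an added illustration (not part of the report), here is the defensive check a mail gateway would apply to the entry vector described above: OOXML attachments are zip archives, so a macro-enabled document can be recognised by its embedded VBA project part regardless of the file extension. The sample documents are constructed inside the code; no real lure is used.

```python
import io
import zipfile

# Content type that OOXML packages declare for a VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_macros(data: bytes) -> dict:
    """Report whether an attachment's raw bytes carry a VBA project.
    OOXML files are zip archives; macros live in a vbaProject.bin part and
    are declared in [Content_Types].xml, so the archive is inspected rather
    than the easily renamed file extension."""
    result = {"is_ooxml": False, "has_macros": False, "parts": []}
    if not data.startswith(b"PK\x03\x04"):
        return result  # not a zip archive, so not an OOXML document
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return result  # a zip, but not an OOXML package
            result["is_ooxml"] = True
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            # The VBA storage is word/, xl/ or ppt/vbaProject.bin.
            result["parts"] = [n for n in names
                               if n.lower().endswith("vbaproject.bin")]
            result["has_macros"] = bool(result["parts"]) or VBA_CONTENT_TYPE in types_xml
    except zipfile.BadZipFile:
        pass  # truncated or corrupt archive: report what was seen so far
    return result


def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal Word package for testing (not a real lure document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ['<?xml version="1.0" encoding="UTF-8"?><Types>']
        if with_macros:
            types.append('<Override PartName="/word/vbaProject.bin" '
                         f'ContentType="{VBA_CONTENT_TYPE}"/>')
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("macro-enabled" if flag else "plain", find_macros(build_sample(flag)))
```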

The initial effort didn’t net the attackers very much, so they continued moving ahead. Over several
months they conducted extensive reconnaissance, ultimately gaining access to the Windows Domain
Controllers, where user accounts for networks are managed. Here they harvested worker credentials,
some of them for VPNs the grid workers used to remotely log in to the SCADA network. Once the
attackers broke into the SCADA networks, they still had work to do. Slowly the attackers were
preparing for the main event.

It all culminated at approximately 3:30 pm on December 23 when the attackers began to open
breakers, and the employees at the Prykarpattyaoblenergo control center realized someone on the
outside had gained control.

The attackers were especially clever and thought of everything, even launching a telephone
denial-of-service attack against customer call centers to prevent customers from calling in to report
the outage.

A cybersecurity expert from Dragos Security, quoted in this 2016 Wired article, said the hack “was brilliant” and that “in terms of sophistication…what makes sophistication is logistics and planning and operations and…what’s going on during the length of it. And this was highly sophisticated.” He added: "What sophisticated actors do is they put concerted effort into even unlikely scenarios to make sure they’re covering all aspects of what could go wrong."

Per Kaspersky, BlackEnergy – the Trojan used in the Ukraine attack – began circulating in 2014. It was deployed specifically to conduct DDoS attacks, cyber espionage and information destruction attacks, especially against companies in the energy industry and those that use SCADA systems.

CHAPTER 3

CONCLUSION

The attack on the Ukrainian power grid is still considered one of the worst intrusions ever. And the case may not be closed just yet...

As stated upfront, almost immediately following the attack the Ukrainian government blamed Russia. Until very recently, no one had been officially accused.

On October 15, 2020, a federal grand jury in Pittsburgh (PA) returned an indictment charging
six hackers, all of whom were residents and nationals of the Russian Federation (Russia) and officers
in Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of
the General Staff of the Armed Forces, also known as “Sandworm”.

The very same group may also be responsible for another massive attack, NotPetya, which
caused nearly $1 billion in losses.

Sandworm may also be responsible for a series of cyber-attacks intended to impact the now
delayed 2020 Summer Olympics in Tokyo. The British government is concerned next year’s Games
may have been targeted.
