{
	"id": "192edeef-77bd-4bb3-970b-2627a8d8c244",
	"created_at": "2026-04-06T00:15:37.166542Z",
	"updated_at": "2026-04-10T13:11:31.54982Z",
	"deleted_at": null,
	"sha1_hash": "905bfce260f8c834f76e6bc41433c5886a4ca6c1",
	"title": "How hackers attacked Ukraine's power grid: Implications for Industrial IoT security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 441117,
	"plain_text": "How hackers attacked Ukraine's power grid: Implications for Industrial IoT security\r\nBy Charles McLellan\r\nPublished: 2016-03-04 · Archived: 2026-04-05 22:01:21 UTC\r\nPower plant Burshtyn TES, Ukraine.\r\nImage: Raimond Spekking / CC BY-SA 4.0 (via Wikimedia Commons)\r\nThe former Soviet republic of Ukraine has been a trouble-spot since early 2014, which saw the 'Euromaidan' revolution in support of closer EU integration, the Russian annexation of Crimea and the start of the ongoing pro-Russian separatist insurgency.\r\nTo add to their woes, large sections of the Ukrainian population suffered power cuts over Christmas 2015 following a series of cyberattacks on three local energy companies. Although widely suspected to be from Russia, the identity of the hackers remains unclear as attribution in these matters is complex. However, the primary attack vector -- a well-known trojan called BlackEnergy -- has been definitively established.\r\nThe details of how the Ukrainian utility companies' operational systems were compromised make for an instructive case study illustrating the multifaceted nature of today's cyberattacks, and the vulnerability of organisations in the Industrial Internet of Things (IIoT).\r\nhttps://www.zdnet.com/article/how-hackers-attacked-ukraines-power-grid-implications-for-industrial-iot-security/\r\nPage 1 of 5\r\nHow the Ukraine attacks played out\r\nThe initial breach of the Ukraine power grid was -- as so often in cyberattacks -- down to the human factor: spear-phishing and social engineering were used to gain entry to the network. Once inside, the attackers exploited the fact that operational systems -- the ones that controlled the power grid -- were connected to regular IT systems.\r\nEhud Shamir, CISO at security company SentinelOne (which has analysed Black Energy 3), takes up the story.\r\n\"It's important to understand that, when you're talking about the Internet of Things, SCADA and Industrial Control Systems [ICS], these systems are usually controlled by regular Windows PCs,\" Shamir noted. This makes them vulnerable to mainstream malware such as Black Energy.\r\n\"The uniqueness of Black Energy is, it's very modular -- the attacker can change the malware's behaviour pretty fast,\" said Shamir. \"In the latest attack, it was delivered, probably via an infected Excel file, by someone who got an email.\"\r\nThen there's the fact that ICS controllers are often connected to regular IT systems.\r\n\"When the attackers gained access to the network, they found that the operator of the power grid had been a bit sloppy and connected some of the interfaces of the power grid's industrial control system to the local LAN,\" said Shamir. \"Part of the modular Black Energy malware acts as a network sniffer, and this discovered data such as user credentials that allowed the attacker to access the industrial control system and jeopardise the electricity supply.\"\r\nSuch attacks take a lot of planning, which is one reason why nation states rather than cybercriminals are usually in the frame (another is that no customer records were stolen, or extortion demands made).\r\n\"This group probably had very good intelligence, and knew how to engineer the highest probability that someone will click a malicious link and activate the Black Energy malware -- in most attacks, it's the human factor that leads to the infiltration,\" said Shamir. Further evidence of advanced planning was a simultaneous denial-of-service attack on the power utilities' call centres, in order to thwart customers trying to report the outages.\r\nSome aspects of the Ukraine cyber-attack remain opaque -- specifically, whether a modular component called KillDisk (a hard disk wiper) actually caused the power outage, or whether it simply made it impossible to restore the compromised systems using SCADA protocols.\r\nAs if further evidence of a political motive was required, researchers at security company Trend Micro recently reported that the same combination of BlackEnergy and KillDisk \"may have been used against a large Ukrainian mining company and a large Ukrainian rail company\" around the same time as the attacks on the power utilities.\r\nWhether the perpetrators' ultimate goal was to destabilise Ukraine via coordinated cyberattacks on its critical infrastructure, or to determine the weakest sector prior to further attacks, or simply to test out the Black Energy 3/KillDisk malware, Trend Micro's conclusion is unarguable: \"Whichever is the case, attacks against Industrial Control Systems (ICS) should be treated with extreme seriousness because of the dire real-world repercussions.\"\r\nHow big is the problem?\r\nThe Ukraine attacks show how vulnerable the industrial control systems in the IIoT can be -- but how widespread is the problem? The annual reports from ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) give a good indication of recent trends in the US. In the 2015 financial year (October 2014-September 2015), ICS-CERT responded to 295 reported incidents, up from 245 the previous year and more than six times as many as were reported back in 2010:\r\n[Chart: ICS-CERT incidents by year] Data source: ICS-CERT (US)\r\nCritical Manufacturing was the most attacked sector in 2015, ahead of Energy, which was the number-one target the previous year:\r\n[Chart: ICS-CERT incidents by sector] Data source: ICS-CERT (US)\r\nICS-CERT said that \"there were insufficient forensic artifacts to definitively identify an initial infection vector\" in 38 percent of last year's incidents, with spear-phishing the most prevalent identifiable initial infection vector:\r\n[Chart: ICS-CERT initial infection vectors] Data source: ICS-CERT (US)\r\nEchoing the Ukraine power grid attack, ICS-CERT noted that in 2015 it \"responded to a significant number of incidents enabled by insufficiently architected networks, such as ICS networks being directly connected to the Internet or to corporate networks, where spear phishing can enable access.\"\r\nAlthough the majority (69%) of attempted breaches investigated by ICS-CERT in 2015 were either unsuccessful or successfully defended, or failed to get beyond the organisation's business network (12%), 12 percent of cyberattacks did manage to penetrate the industrial control systems. That's a worrying 35 incidents -- up from 22 (9% of 245) in 2014.\r\n[Chart: ICS-CERT intrusion depth] Data source: ICS-CERT (US)\r\nA 2015 survey by the SANS Institute, entitled The State of Security in Control Systems Today, exposed a worrying lack of visibility into the nature of cyberattacks on industrial control systems. The survey canvassed 314 organisations worldwide, 78 percent of which were in the US. Headline findings were:\r\n32 percent indicated that their control system assets or networks had been infiltrated at some point\r\n34 percent of those infiltrated believed their systems had been breached more than twice in the previous 12 months\r\n15 percent reported requiring more than a month to detect a breach\r\n44 percent were unable to identify the source of the infiltration\r\n42 percent saw external actors as the number-one threat vector\r\nAnother key finding was that, although 19 percent of respondents identified the integration of IT into control system networks as the top threat vector (and 46% put it in the top three), less than half (47%) actually have a strategy to address this convergence:\r\n[Chart: SANS air-gap strategy] Data source: SANS Institute\r\nAs the Ukraine power grid example clearly shows, it's this convergence of IT and industrial control systems -- sometimes referred to as a lack of 'air gapping' -- that can provide cyberattackers with a route into critical infrastructure via conventional malware.\r\nFurther evidence of widespread infiltration into organisations involved with critical infrastructure was recently provided by the research arm of security company Cylance, SPEAR, in a report entitled Operation Dust Storm. The report details cyberattacks, starting in 2010 and spanning multiple years and vectors, against major industries spread across Japan, South Korea, the United States, Europe, and several other Southeast Asian countries. SPEAR's most recent research suggests that the attackers have shifted their focus to \"specifically and exclusively target Japanese companies or Japanese subdivisions of larger foreign organisations\".\r\nThe most recent portion of the 2010-2016 Operation Dust Storm timeline.\r\nImage: Cylance\r\n\"The attack that is happening is a current attack, in progress, that has sustained compromise of a variety of Japanese organisations -- in particular they include electric utility companies, oil companies, natural gas companies, transportation organisations, construction, and even some finance organisations,\" Cylance's chief marketing officer Greg Fitzgerald told ZDNet.\r\n\"From what we can tell, the compromise has only indicated the ability to be present long-term and undetected -- we cannot tell if they have done any damage to the organisations today,\" said Fitzgerald. \"What we do know is that the attack methods used, which gain access to computers and their networks, would enable them to cause damage or steal data should they desire.\"\r\nKnow your enemy: The Cyber Kill Chain\r\nFaced with the weight of evidence about the prevalence of cyberattacks, CxOs could be forgiven for throwing in the towel and accepting that the 'bad guys' will always have the capability to infiltrate their organisations. However, cybersecurity is an arms race and, as SentinelOne's Shamir points out, \"the 'good guys' have the capabilities as well\".\r\nMost cyber-attacks follow a similar path from reconnaissance to objective completion, and this has been codified -- initially by Lockheed Martin -- as the Cyber Kill Chain:\r\nThe Cyber Kill Chain.\r\nImage: Lockheed Martin\r\nThis provides a useful framework for intelligence-driven defence, as Richard Cassidy, technical director EMEA at security-as-a-service provider Alert Logic, told ZDNet.\r\n\"If you think about the Ukrainian power grid, for instance, the attack itself was well prepared -- some analysts are saying it was at least a six-month preparation phase. These are the first two steps in the cyber kill chain -- reconnaissance and weaponisation -- and we see that at Alert Logic in our customer base: most of the activity we're picking up is in these first steps. The longer we see a source enumerate a target, the more severe we expect the threat to be. The cyber kill chain gives us real indicators, and steps to understand and follow, to help prevent us getting to the end of the chain, which is the worst-case scenario.\"\r\nOutlook\r\nTo date, cyberattacks on critical infrastructure have largely been restricted to nation states, although the Anonymous hacktivist group has attacked oil, gas and energy companies -- specifically, Middle Eastern companies in the petroleum industry. The amount of resources required in terms of preparation time, finance and skills seems, so far, to have kept 'common' cybercriminals otherwise occupied with softer targets.\r\nCritical infrastructure attacks that follow through to actual damage are, thankfully, few and far between: incidents like the infamous 2010 Stuxnet sabotage of Iran's nuclear program and the 2015 Ukrainian power grid outage are the exception rather than the rule. However, as the recent Operation Dust Storm revelations show, widespread infiltration leaves plenty of potential for serious trouble.\r\nThere's certainly no place for a head-in-the-sand attitude, as Alert Logic's Cassidy points out: \"Unfortunately, manufacturing environments, because of the nature of their business, do tend to be an easier target because they're not normally the types of organisations that have seen threat activity. For that reason, you can get too complacent in an organisation like that and think, 'it won't happen to me'.\"\r\nLet's hope that the cybersecurity industry -- companies such as SentinelOne, Trend Micro, Cylance and Alert Logic, and organisations like CERT and SANS -- can persuade companies running industrial control systems that complacency is no longer an option.\r\nSource: https://www.zdnet.com/article/how-hackers-attacked-ukraines-power-grid-implications-for-industrial-iot-security/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/how-hackers-attacked-ukraines-power-grid-implications-for-industrial-iot-security/"
	],
	"report_names": [
		"how-hackers-attacked-ukraines-power-grid-implications-for-industrial-iot-security"
	],
	"threat_actors": [
		{
			"id": "08472d2c-8fbc-4705-ad7a-eb618557cbd2",
			"created_at": "2023-01-06T13:46:38.23674Z",
			"updated_at": "2026-04-10T02:00:02.889753Z",
			"deleted_at": null,
			"main_name": "Dust Storm",
			"aliases": [
				"G0031"
			],
			"source_name": "MISPGALAXY:Dust Storm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a0f6bde9-34cb-46bf-88b7-b4e54c96beaa",
			"created_at": "2022-10-25T15:50:23.646492Z",
			"updated_at": "2026-04-10T02:00:05.37108Z",
			"deleted_at": null,
			"main_name": "Dust Storm",
			"aliases": [
				"Dust Storm"
			],
			"source_name": "MITRE:Dust Storm",
			"tools": [
				"S-Type",
				"Mis-Type",
				"ZLib",
				"Misdat"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "87a842ac-ca8b-41a6-9137-d2cd286e1f51",
			"created_at": "2022-10-25T16:07:23.559995Z",
			"updated_at": "2026-04-10T02:00:04.656872Z",
			"deleted_at": null,
			"main_name": "Dust Storm",
			"aliases": [
				"G0031"
			],
			"source_name": "ETDA:Dust Storm",
			"tools": [
				"AngryRebel",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"MiS-Type",
				"Misdat",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Poison Ivy",
				"S-Type",
				"SPIVY",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434537,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/905bfce260f8c834f76e6bc41433c5886a4ca6c1.pdf",
		"text": "https://archive.orkl.eu/905bfce260f8c834f76e6bc41433c5886a4ca6c1.txt",
		"img": "https://archive.orkl.eu/905bfce260f8c834f76e6bc41433c5886a4ca6c1.jpg"
	}
}