2016 Kyiv cyberattack

A cyberattack happened in the Ukrainian capital Kiev just before midnight on 17 December 2016, and lasted for just over an hour.^[1]^[2] The national electricity transmission operator Ukrenergo said that the attack had cut one fifth of the city's power consumption at that time of night.^[1]

Attack

The attack affected the 330 kilowatt electrical substation "North" at Pivnichna, outside the capital.^[1] It happened a year after a previous attack on Ukraine's power grid.^[1]

Dragos Security concluded that the attack was not merely to cause short-term disruption but to cause long-lasting damage that could last weeks or months.^[3] The attackers had tried to cause physical damage to the station when the operators turned the grid back on.^[3] The attack used Industroyer malware and has the ability to attack hardware including SIPROTEC protective relays.^[3] These protective relays open circuit breakers if they detect dangerous conditions.^[3] A security flaw meant that a single packet could put the relays in a state where it would be useless unless manually rebooted.^[3] Siemens released a software patch in 2015 to fix the issue, but many relays weren't updated with it.^[3] Evidence from logs obtained by Dragos Security showed the attackers initially opened every circuit breaker in the transmission station, causing a power cut.^[3] Then an hour later they ran wiper malware to disable the station's computer, making it impossible to monitor the station.^[3] Finally, the attackers tried to disable four of the stations SIPROTEC protective relays, which could not be detected by operators.^[3] Dragos concluded that the attackers intended the operators to re-engergise the station equipment, which could have injured engineers and damaged equipment.^[3] The data packets intended for the protective relays were sent to the wrong IP address.^[3] The operators may also have brought the station back online faster than attackers expected.^[3]

Follow-on attack

In April 2022, Ukrainian authorities announced that they had prevented a cyberattack that used malware similar to Industroyer.^[4]

References

^ ^a ^b ^c ^d Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ ^j ^k ^l Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).

[bbc-ukraine-power-cut-was-cyberattack-1] Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).

[2] Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).

[wired-new-clues-3] ^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ ^j ^k ^l Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).

[4] Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).

[1]

[2]

[3]

[4]

2016 Kyiv cyberattack

Contents

Attack

Follow-on attack

See also

References

Navigation menu

2016 Kyiv cyberattack

Attack

Follow-on attack

See also

References

Navigation menu

Search