Ukraine Power Grid


Ukraine Power Grid Cyber Attack

By Muhammad Salmaan, Hannah Dewi Safira, Andrade Jed


Who were the victims of the attack?
- Over 230,000 Ukrainian residents who were plunged into darkness.
- Ukrainian power companies and the government, which were embarrassed by the
attack (weakened trust, etc.).
What technologies and tools were used in the attack?

- Workers were sent a malicious Word document that prompted them to enable
macros, which then caused a program called BlackEnergy3 to infect their
systems. This gave the hackers access to the corporate networks.
- They then explored and mapped these networks, harvesting user credentials
that could be used to remotely log in to the SCADA network that controlled
the power grid.
- They wrote malicious firmware for more than a dozen substations. They also
launched a TDoS (telephone denial-of-service) attack against customer call
centers to prevent people from calling in to report the outages.
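As an added example (not part of the original presentation), the following Python check shows the kind of mail-gateway control that addresses the delivery vector described above: it inspects an Office Open XML attachment for a VBA macro project before the document ever reaches a user. The sample documents are constructed in memory with the standard library and contain no real macro code.

```python
# Added example: detect macro-bearing Word attachments (Office Open XML).
# Sample documents are constructed in memory; the VBA part holds placeholder
# bytes only, not a real macro stream.
import io
import zipfile

VBA_PART = "word/vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def build_docx(with_macro: bool) -> bytes:
    """Construct a minimal Word container (test fixture, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ctypes = ('<?xml version="1.0"?><Types>'
                  '<Override PartName="/word/document.xml" ContentType="application/'
                  'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        if with_macro:
            ctypes += ('<Override PartName="/word/vbaProject.bin" '
                       f'ContentType="{VBA_CONTENT_TYPE}"/>')
        ctypes += "</Types>"
        z.writestr("[Content_Types].xml", ctypes)
        z.writestr("word/document.xml", "<document/>")
        if with_macro:
            z.writestr(VBA_PART, b"\xd0\xcf\x11\xe0")  # placeholder bytes only
    return buf.getvalue()


def macro_findings(data: bytes) -> list[str]:
    """Return the reasons an attachment should be held; an empty list means clean."""
    findings = []
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid OOXML container"]
    # Signal 1: the macro project part itself is present in the archive.
    if VBA_PART in set(z.namelist()):
        findings.append("contains VBA macro project part " + VBA_PART)
    # Signal 2: the content-types manifest declares a vbaProject part.
    try:
        manifest = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except KeyError:
        return findings + ["missing [Content_Types].xml"]
    if VBA_CONTENT_TYPE in manifest:
        findings.append("content types declare a vbaProject part")
    return findings


def should_quarantine(data: bytes) -> bool:
    """Gateway policy: hold any inbound attachment with macro findings."""
    return bool(macro_findings(data))
```

The two signals are checked independently because an attacker can tamper with the manifest; the part listing and the manifest should agree for a legitimate document.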
When did the attack happen?
- 23 December 2015, at 3:30 pm. This was when the main attack was actually
carried out, taking nearly 60 substations offline and leaving more than
230,000 residents in the dark.
- However, the attacks really began in the spring of 2015 with a spear-phishing
campaign that targeted IT staff.
What systems were targeted?

- The company's computer and Supervisory Control and Data Acquisition (SCADA)
systems were attacked.
- This resulted in three power distribution centers being disconnected for
approximately 3 hours.
What was the motivation of the attackers in this case?
What did they hope to achieve?
In this incident, the hackers:
- plunged the customers into darkness and launched a telephone denial-of-service
attack against customer call centers
- flooded phone systems with thousands of bogus calls that appeared to
come from Moscow
- used a trojan deployed specifically to conduct malicious attacks, one that is
especially useful against companies in the energy industry

There is reason to believe the attack was intended to weaken customers' trust in
Ukrainian power companies and the government, and was possibly carried out in retaliation.
What was the outcome of the attack?

● Information systems of three energy distribution companies were
compromised
● Nearly 60 substations were switched off
● 230,000 people did not have electricity for a period of 1 to 6 hours
Recommendations to prevent the attack
● Using cloud-based service providers would have prevented the DDoS attack
on the call center, which denied consumers up-to-date information on the
blackout, because a cloud provider has more bandwidth and resources than a
private network likely does.
● Redundant network services could be created as well, so that if one server is
attacked, the others can handle the extra network traffic. Spread-out
resources also make it more difficult for attackers to target them.
