According to a new study, the hackers behind the 2016 cyber attack on Ukraine’s power grid had aimed to create the conditions for inflicting physical damage on the targeted transmission station.
Researchers from cyber security firm Dragos recently recreated the timeline of the attack in an attempt to shed new light on the real motives behind this attack.
In December 2016, Russian hackers planted malware called “Crash Override” or “Industroyer” in the network of Ukrenergo, Ukraine’s national grid operator. The malicious programme was then used at around midnight, just two days before Christmas, to trip every circuit breaker in a power transmission station located close to Kiev, Ukraine’s capital. The result was a sudden blackout across most of Kiev.
Within an hour, Ukrenergo’s engineers were able to restore power, but the incident left many unanswered questions. Why, for example, did Russian hackers use such sophisticated malware just to trigger a one-hour blackout? The new study, titled “CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack”, attempts to answer those questions.
In the study, researchers re-examined the malware’s code, as well as the network logs of Ukrenergo’s systems. They concluded that the hackers had actually aimed to cause physical damage that would have prolonged the blackout to several weeks and possibly put the lives of on-site operators at risk.
According to the researchers, the hackers first deployed “Crash Override” and used it to trip every circuit breaker in the grid station, which caused the blackout in Kiev. About an hour later, they disabled the station’s digital systems to prevent operators from monitoring them.
Lastly, the hackers exploited a known security bug in the station’s Siprotec protective relays to disable equipment, thereby making the station susceptible to dangerously high frequencies of electricity. Protective relays are used to monitor high currents and frequencies at the grid station.
Although Siemens had released a patch in 2015 to fix the vulnerability, many grid stations in Ukraine had not updated their systems in a timely manner. That left an opening for the hackers to put the relays to sleep simply by sending an electrical impulse.
For more information, take a look at this article in Computing.