Russian Hackers Behind Ukraine Power Outage May Have Sought More Damage

The Russia-linked hackers who triggered a power outage in Ukraine back in 2016 may have hoped to cause much more damage, according to a report published recently by U.S.-based industrial cybersecurity firm Dragos.

The threat group, which Dragos tracks as Electrum, used a piece of malware known as both Crashoverride and Industroyer to target industrial control systems (ICS) at a power station in Ukraine. The cyberattack resulted in power outages in the Kiev region in mid-December 2016, but power was restored after just over an hour, making the attack less severe than the one launched against Ukraine’s grid one year earlier, when power outages lasted for up to 6 hours.

Dragos researcher Joe Slowik has reassessed the 2016 attack involving Crashoverride and believes that the attackers were actually hoping to cause more widespread outages and trigger a destructive event.

Russian hackers may have aimed for physical damage in Ukraine power grid attack

It has been known that the malware included a module designed to allow attackers to control circuit breakers and disrupt power by manipulating remote terminal units (RTUs), and a wiper module whose goal was to make recovery more difficult by deleting configuration and other files. During their initial analysis, researchers also uncovered a tool designed to exploit a known vulnerability in Siemens SIPROTEC protection relays (CVE-2015-5374) to cause the devices to enter a denial-of-service (DoS) condition.

Slowik believes that the goal of this tool was to cause relays to stop providing overcurrent protection once power was restored. This would expose transmission equipment to a power surge, which could cause physical damage, resulting in an even longer outage that would require fixing or replacing devices.

However, the attackers failed to disable the protective relays due to some errors in the DoS tool code. Moreover, the hackers attempted to disrupt hundreds of control systems at the targeted organization, but failed to compromise as many as they intended. This resulted in the 2016 attack actually causing less disruption than the 2015 incident.

Slowik has pointed out that even if the DoS attacks on the SIPROTEC relays had been successful, it is unclear whether Electrum would have been able to achieve its presumed goal of causing physical damage. Industrial environments can have various other protection systems and mechanisms in place that may have mitigated the attack.

“If CRASHOVERRIDE worked as ELECTRUM most likely intended, the potential outage would have been more widespread than 2015 given the number of transmission devices targeted. Additionally, the duration of the outage may have stretched to months or longer if disabling protection prior to system restoration yielded physical damage to transmission operations,” Dragos said in its report. “While the actual efficacy of CRASHOVERRIDE – even if it had worked as intended – remains unclear given a myriad of other controls and safeguards in electric transmission, the sequence of steps executed clearly demonstrates a more complex and concerning attack than past electric service disruptions.”

Related: Exaramel Malware Reinforces Link Between Industroyer and NotPetya

Related: Group That Caused Power Outage Stops Focusing Exclusively on Ukraine

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
