In the midst of the on-going conflict between Russia and Ukraine, on December 23, 2015, Western Ukraine faced a power outage that left 80,000 people without power for as long as 6 hours. In the weeks following the blackout, investigators have determined that the outage was caused by a cyberattack, with one US firm going as far as identifying a Russian hacker group as the instigator.
If investigators are correct, this is the first case of a cyberattack causing a power outage, a step beyond the usual online service nuisances into critical civilian infrastructure.
Ukraine and US cyber intelligence firms have been investigating the cyberattack, and many US firms confirmed that BlackEnergy and KillDisk, two well known malicious softwares, were used to cause the power outage (BlackEnergy is used to access utility networks, while KillDisk has the ability to overwrite files). Some experts believe that this cyberattack was a retaliation against Ukrainian activists for the destruction of power lines in Russian-annexed Crimea.
Most firms say it is too early to name the culprits, but US company iSight Partners has identified the hacking group Sandworm as the responsible party. While Sandworm is based in Russia, iSight’s director of espionage analysis John Hultquist clarified “it is not clear whether Sandworm is working directly for Moscow…it is a Russian actor operating with alignment to the interest of the state, whether or not it’s freelance, we don’t know.”
Whether Sandworm is considered a state-actor or not, hacking groups are now playing a role in a larger regional conflict, integrating cyberattacks into traditional military tactics. In 2014, Ukraine’s elections were almost interrupted by a cyberattack on the electoral computer networks; CyberBerkut, a pro-Moscow hacking group, went as far as rendering software and hard drives unusable. This aggression has also been extended to supporters of Ukraine; when NATO released a statement by Secretary-General Rasmussen regarding the illegitimacy of the Crimea referendum online, CyberBerkut interrupted access to NATO’s main website through a “distributed denial of service” attack.
While none of these groups have been tied directly to any state body, cyber intelligence firms have reasons to suspect that those hacking teams have been supported by the Russian government.
Partly in response to the growing Russian-Ukraine cyber-tensions and the severity of their consequences, surrounding states Latvia, Lithuania, and the Baltic States of Estonia have been discussing plans to strengthen their national IT security. That being said, Ukraine’s power outage should be a cause for concern to the international community as a whole.
As IHS analyst Alex Kokcharov articulated, “it is scary because if this is the case that a cyberattack was used to create an outage and blackout in a particular area, it means that Russia has the capabilities to use this technology to create outages in what it sees as hostile territories or countries.” Ukraine is just an example. Executive director of the Industrial Control System Information Sharing and Analysis Centre, Chris Blask, pointed out “it would be naive to say the same attackers couldn’t successfully execute [this kind of attack] in the United States.”
The Ukranian power outage is a reminder that we are no longer just facing issues of cyber-espionage internationally, but the possibility of real physical, civilian damage caused through digital means alone. In a cybersphere where the norms are still being developed, there are a number of things that should be taken away from the Ukraine power outage.
First, missions to maintain stability worldwide and respond to international fractions will continue, but it is important be aware of what types of threats states and regional bodies are facing; it is doubly important to protect ourselves and each other accordingly. This can be achieved in a number of ways, but the first critical step should be strengthening critical infrastructure against advanced malware.
Secondly, there must be continued discussion on state and non-state relationships in cyber-security and diplomacy. The US-China Cyber Agreement was a step towards regulating state-to-state cyber relations, but as groups like Sandworm and CyberBerkut are currently non-state actors located in Russia, there needs to be regulations formed on how to stop non-state actors and prevent activities against the infrastructure of other states.
State espionage is one thing – civilian infrastructure attacks are another. There should be more discussion about these cyberattacks to develop normative “rules of engagement.” Otherwise, these attacks can affect any state, including Canada, the EU and the US, and Ukraine’s power outage demonstrated only a small amount of the damage cyberattacks are capable of.