Lights Out: An Examination of Cyber Attacks in Ukraine and the Baltic States

Posted October 23, 2017


In traditional understandings of war, critical infrastructure has been a sound target of opportunity: hamper the ability of the opponent to utilize it, thus rendering it useless. Public Safety Canada defines critical infrastructure as: “Processes, systems, facilities, technologies, networks, assets and services essential to the health, safety or economic well-being of Canadians [or any other state] and the effective functioning of government.” The disruption of any of these could potentially result in: “Catastrophic loss of life, adverse economic effects and significant harm to public confidence.”[1] In other words, critical infrastructure is an ideal and easy target.

Previously, critical infrastructure was easier to defend, as it was reachable via the air, land or sea-based assets of an opponent. The deployment of such capabilities can give away their movement, and even if the exact target is unknown, can be limited given conventional defensive capabilities. This was particularly relevant in the era of state versus state war, such as the bombing campaigns of the Second World War.

In the modern era, there is another dimension of assets now available, operating in the cyber realm, with near global reach and little to no movement. These cyber assets are deployable quickly and are never physically exposed to the opponent. They are able to target critical infrastructure from within the borders of their state, utilizing tactics, techniques and procedures (TTPs) to carry out effective assaults on their targets. These same TTPs separate the average cyber-criminal from the more sophisticated actors targeting critical infrastructure or state-based assets.

This work will discuss the attacks that occurred over the last several years on the power grid of Ukraine in 2015 and 2016 as well as in the Baltics in 2015. First, it will look at the malware used to provide an understanding of the tools utilized in the attacks. Second, the timeline will be explored, outlining how the attacks were carried out. Finally, this work will look forward, offering a viewpoint of the future of cyber defence of critical infrastructure.

Malware Used in the Attacks

Typically, when a prominent cyber-attack is discussed, there is a cursory description of the malware accompanied by a picture of a ‘Matrix-esque’ screen of green code on a black background, or a sinister-looking individual with their face covered. Such reports remove the technical descriptions and present a catchy story to keep the reader interested, though they do not necessarily provide a full understanding of how the attack occurred. Conversely, taking a technical approach to understanding these attacks, while providing a robust understanding of the attack, often limits the audience. This in turn, however, often limits the ability of the work to explore the attacks in the larger picture. As such, this section aims to take a middle ground, explaining the malware’s functionality without becoming overly technical.

The malware dubbed BlackEnergy is a Trojan (a program hiding its malicious intent), which enters the system as a file distributed through a spearphishing campaign. This type of campaign is targeted, appearing as normal correspondence the victim would experience in their day-to-day job rather than the more generic messages typical of a phishing campaign, which is treated like a numbers game. Once the malware has been downloaded, it enables the attacker to launch distributed denial-of-service (DDoS) attacks, as well as download custom spam and information theft plugins. In other words, once BlackEnergy has infected the system, it is able to act as the gateway for the next stage of the attack, bringing in additional malware to allow for intelligence gathering and facilitate a future attack.[2] There are multiple variants, including BlackEnergy 2, which is a more precise tool to go through specific systems, and BlackEnergy 3, which is focused on searching a network for specific or enticing systems, providing network reconnaissance.[3]

BlackEnergy then delivered KillDisk into the systems following the initial infection. This component of the attack made the systems within the infrastructure inoperable and gave the attacker the potential to remove essential components of the infected system.[4] When KillDisk is run, it wipes or overwrites essential system files, including the master boot record, which brings down the system and prevents a reboot.[5] This is a means to further hide the activity of the attacker within the system.

BlackEnergy and KillDisk have been seen to operate in conjunction with each other, most notably in the Ukraine power grid attack in 2015.

Industroyer is alleged to be the malware behind the 2016 Ukrainian power grid attack. It is a highly customizable malware that researchers believe to be targeting industrial control systems. When infecting a system, the malware creates two backdoors into the system, the primary one as a Windows service program and the backup as an infected Notepad application, providing the attacker with two means of entry. It also includes a data wiper that deletes registry keys, which prevents the system from being rebooted. Additionally, there is a port scanner, which functions as a means of mapping out the network to determine the next system to expand control to.[6]

BlackEnergy and Industroyer, while sharing similar functions, have been determined to share no coding similarities. This means they are two unique pieces of malware that have attacked the same target using different attack methodologies. What this suggests is that a single threat actor is continuing to attack the same target with an expanding arsenal of malware, or that there could be multiple actors interested in hitting the same target.

Timeline and Context for Attacks

This section will examine how the power grid attacks unfolded and the context of each attack. There will be three attacks examined, highlighted by the country name and year: Ukraine 2015, Baltics 2015 and Ukraine 2016.

Before going into the individual attacks, it is important to make a note on attribution for these attacks. First, available information only attributes the Ukraine 2015 attack to the advanced persistent threat (APT) Sandworm, which is believed to be a hacker group connected to the Russian government. In the 2015 Baltic attack, researchers have claimed they have seen evidence that Sandworm was involved, though they were unwilling (or unable) to provide such evidence for operational reasons. Finally, the Ukraine 2016 attack and the use of Industroyer have not yet been officially attributed to any country or actor.

Therefore, for the purposes of this section, Ukraine 2015 has largely been accepted by experts in the private sector as being launched by the Russians. However, it must be noted that the connection between Sandworm and the Kremlin is not verifiable with open source data, and state officials have not officially attributed it to the Russians.[7] The Baltics 2015 and Ukraine 2016 attacks will be viewed simply as un-attributable attacks in order to avoid false accusations based on current evidence. It is better to err on the side of caution when attributing attacks of this magnitude, particularly with the level of operational security exhibited by attackers of this scale, despite the victims fitting within geopolitical interests of select states.

Ukraine 2015 Attack

On December 23, 2015, the three power distribution companies in Ukraine servicing Ivano-Frankivsk Oblast, Chernivtsi Oblast and Kiev Oblast were attacked, causing widespread power disruption in their regions. Once injected into the system via spearphishing, BlackEnergy began mapping out the network, a process that took quite some time so as to hide the actor’s presence within the system. The companies were hit within 30 minutes of each other, which suggests the attacker was familiar with the victims’ networks.[8] During the system exploration, it brought the Supervisory Control and Data Acquisition (SCADA) systems under its control, which allowed the attackers to switch off substations by attacking the serial-to-Ethernet converters (STECs). The attackers were able to prevent the companies from seeing any change in conditions as the attack was carried out. Additionally, the company call centres were rendered inoperable through a telephone denial-of-service attack, similar to a DDoS attack, which floods the line with false calls, preventing legitimate traffic. Once the operators realized what was happening, the attackers, having spread the malware throughout the network, began taking down systems with KillDisk.[9]

It is unknown when the actual breach occurred, but a spearphishing campaign was detected attempting to target another Ukrainian power company in March 2015. This was stopped in July of the same year, though BlackEnergy was found in the systems.[10] It is likely connected to this attack given they both involve the same malware, indicating that more Ukrainian power companies were targeted in the spearphishing campaign, though not included in the 2015 attack. Following the timeline of these potentially connected events, it would put the initial infection six to nine months in advance of the grid disruption.

It was clearly a sophisticated attack on Ukrainian power distribution, requiring a sufficiently thorough spearphishing campaign to ensure the attackers had access to the necessary systems. Along with the technique demonstrated in the attack, the timing is also indicative of targeting these particular systems to prove a point. The attack occurring in December fits a long pattern of Russian action taken in the constant energy disputes between Moscow and Kiev, as energy disruption or the threat of it has been used previously as a means to leverage Ukrainian negotiators to acquiesce to Russian demands.[11] Instead of gas this time, the attackers struck the power grid, which was able to achieve a similar effect as gas, impacting the ability of citizens to heat their homes during the winter months until control over the systems could be restored.

As stated before, this attack has been attributed to the APT Sandworm, allegedly connected by cyber security researchers to the Russian government. The connection came after researchers found command and control servers that have Russian IP addresses. However, it again must be noted that there is still no consensus on who is behind this attack, with only some within the private sector willing to claim it was Russia. This is by no means conclusive, as variants of BlackEnergy have been used to target a variety of targets in other countries.[12]

Baltics 2015 Attack

Around the same time as the Ukraine 2015 attack, one of the three Baltic states of Estonia, Latvia and Lithuania also saw its power grid attacked, though it was not taken down. The exact country that was attacked has not been announced publicly. The attack in the Baltics followed a similar methodology as in Ukraine, though rather than knocking out power, it was only able to disrupt some operations. Overall, the attack was largely unsuccessful, though it did expose the actor’s presence in the Baltic power grid. This attack has not yet been officially attributed to any actor or state. While some private sector researchers have attributed it to Sandworm originating in Russia, the few researchers that claim they have seen evidence of Sandworm were unwilling (or unable) to publish their findings, likely to not give away how they found the APT.[13]

The timing of the Baltic power grid attack initially seems to indicate a similar path taken as the one in Ukraine; however, the Baltics are in a markedly different situation than that of Ukraine. First, there is the 2001 BRELL agreement, which has Belarus, Russia, Estonia, Latvia and Lithuania sharing a larger power grid infrastructure. Additionally, the Baltic States joined both NATO and the EU in 2004, making an attack, whether conventional or cyber, a risky proposition for Russia. However, there is something of a timeline on this shared power grid, as the three Baltic countries are working on transitioning from the BRELL grid to that of the EU in a bid to improve infrastructure security. Given prevailing attitudes towards Russia in the Baltics, this is understandable as the BRELL grid is largely managed by Moscow. However, the 2001 agreement states that while signatories can leave the system, their leaving cannot leave the others worse-off, including the Russian exclave of Kaliningrad.[14]

When it comes to their infrastructure security, however, each of the Baltic States has provided different reports regarding cyber-attacks against their power grids. Lithuania has experienced constant but unsuccessful attacks against its grid, though it has not specified how the attacks have occurred. This suggests that if reports are true, they may simply be probes, testing the defence mechanisms of the targeted systems. Latvia’s report published in 2016 claimed they were not attacked. Meanwhile Estonia claimed they did not see any attack against their grid at the same time as the Ukraine 2015 attack. This provides an interesting point of contention when looking at power grid attacks. Only one of the three Baltic States, the one that borders Kaliningrad, claims they have been attacked.[15]

Kaliningrad, as a net energy exporter, particularly to Lithuania, cannot afford to lose access to that market, particularly given the poor state of the oblast’s economy and the heavy investment into a nuclear power plant that would provide more power than its 500,000 residents could consume.[16] While all the Baltic States have been vocal in their opinions on Russian aggression, only Lithuania claims it has had its grid attacked.

The Baltics have essentially reversed the dynamic on Russia and now hold the Russian exclave of Kaliningrad over Moscow, as once the transition has been completed, Kaliningrad may be cut off. As such, it is in Russia’s interest that they be included in the energy deal, otherwise Kaliningrad and the mainland become further separated, in turn potentially causing fears that regional protests, similar to EuroMaidan, may occur in the exclave.

The transition from the BRELL grid to the European network is already underway, but is not expected to be complete until sometime between 2020 and 2025.[17] However, with the uncertainty behind attribution, and the inability to clearly determine the presence of hostile actors within the grid, the transition should not be completed without accounting for Russian interests. Since the attack has yet to be verifiably attributed, it is better to not antagonize Russia, given their cyber capabilities, whether real or presumed.

Ukraine 2016 Attack

Striking the Pivnichna substation, located outside Kiev, on December 17, 2016, this breach of the Ukrainian power grid came almost exactly a year after the 2015 attack. Unlike the 2015 attack, however, this outage only lasted about an hour, causing less damage to the system than the 2015 attack.[18] The attacks used to gain entry are not yet clear.

Prior to the system being taken down, Industroyer created backdoors into the systems. From this, the launcher component was put in place as a means to enable the other components at specific times. The launcher also created the conditions for payload deployment to receive a larger share of resources from the system so that it could run more quickly. The various executable files that make up Industroyer were then run, taking control of the system, mapping the network, conducting denial of service attacks and wiping data to hide tracks.[19]

This attack has also not yet been attributed to any actor or state. As the attack was limited in scope, it has been viewed as a test of Industroyer, which was the first time this malware had been seen. As a whole, this attack was minimal, the most important element of it being the sophistication of the malware used in the attack. Given the malware’s configurable nature, it can be deployed to other environments at the attacker’s discretion.


What this suggests, as many researchers have noted, is that Ukraine is becoming something of a testing ground for malware. Given the difficulty of attribution, speculation of Russian involvement in attacks is likely to lead to unintended consequences.

For example, Russia has cited the western intervention and subsequent referendum in Kosovo as a pretext for the Crimean referendum. The western world has routinely failed to see things from the Russian perspective, and the constant accusations of cyber-attacks may serve as a means to embolden them. If every cyber-attack in Ukraine or the western world is blamed on Russia, Moscow can potentially take up the mindset, “If we will get blamed for it anyways, why not just actually do it?” This type of mentality does not facilitate a safer cyber realm, much as it has already been partially adopted in the real world.

The scale and scope of critical infrastructure attacks that have been speculated as being Russian would suggest that, despite the breadth of American capabilities as seen through the Vault 7 leaks, Russia is one of the global leaders in cyber-space. The Vault 7 leaks are a series of US government exploits, utilizing undisclosed vulnerabilities within existing systems, that are being brought forward by WikiLeaks. In other words, despite the scope of capabilities the United States has been seen to possess through the Vault 7 leaks, Russia has been given the status of a cyber power.

Given that new malware is consistently being developed to target critical infrastructure, it would behoove those most fearful of these threats to do two things. First, improve their domestic cyber capabilities. Given the repeated exploitation of vulnerabilities in industrial controls like SCADA, industry and government need to find better means of defending them. While training exercises such as NATO’s Locked Shields are an excellent means of reducing the impact, they do not address latent vulnerabilities found within these industrial systems. For example, as part of the exercise, NATO members defended a power grid in Estonia from an on-going cyber-attack. Such defence, while essential, needs to be accompanied by proactive methods of updating and improving industrial system security, otherwise workarounds for the active defensive measures will be found.

Second, despite its provocativeness, hoarding unreported exploits, as demonstrated by the WikiLeaks publication of new Vault 7 exploits used by the United States, is dangerous. While the practice is likely not unique to the United States, Russia has, especially under Putin, taken an approach of, “If America can do it, we can do it too.” Goading that mindset in Russia is not helpful if the west is looking to advance peace and reconciliation in Ukraine or protect critical infrastructure from cyber-attacks. Now that Article 5, as per NATO Secretary General Jens Stoltenberg’s statement on June 28, 2017, could be applied to cyber-attacks, the example of Vault 7 becomes even more poignant.[20] Should critical infrastructure in Russia be attacked, what would prevent Russia from undertaking its own cyber-based or conventional attack? If some states, especially within NATO, are quick to blame Moscow, the Kremlin may take the same approach. Conventional attacks are far easier to attribute given the need for physical assets to be in place. Cyber-attacks have no such need, and attribution without a full investigation can fuel antagonism.