2016 Kyiv cyberattack
{{Short description|Cyberattack on a power grid in Kyiv, Ukraine}}
{{More citations needed|date=November 2023}}
A cyberattack happened in the Ukrainian capital Kyiv just before midnight on 17 December 2016, and lasted for just over an hour.{{Cite news |title=Ukraine power cut 'was cyber-attack' |url=https://www.bbc.com/news/technology-38573074 |date=2017-01-11 |access-date=2022-07-07 |publisher=BBC News}}{{Cite news |last=Polityuk |first=Pavel |last2=Vukmanovic |first2=Oleg |last3=Jewkes |first3=Stephen |date=18 January 2017 |title=Ukraine's power outage was a cyber attack - Ukrenergo |url=https://www.reuters.com/article/idUSKBN1521BB/ |access-date=23 May 2024 |work=Reuters}} The national electricity transmission operator Ukrenergo said that the attack had cut one fifth of the city's power consumption at that time of night.
Attack
The attack affected the 330 kilowatt electrical substation "North" at Pivnichna, outside the capital. It happened a year after a previous attack on Ukraine's power grid.
Dragos Security concluded that the attack was not merely to cause short-term disruption but to cause long-lasting damage that could last weeks or months.{{Cite news |title=New Clues Show How Russia’s Grid Hackers Aimed for Physical Destruction |url=https://www.wired.com/story/russia-ukraine-cyberattack-power-grid-blackout-destruction/ |last=Greenberg |first=Andy |author-link=Andy Greenberg |date=2019-09-12 |access-date=2022-07-07 |work=Wired |archive-url=https://web.archive.org/web/20190913040042/https://www.wired.com/story/russia-ukraine-cyberattack-power-grid-blackout-destruction/|url-status=live|archive-date=2019-09-13}} The attackers had tried to cause physical damage to the station when the operators turned the grid back on. The attack used Industroyer malware and has the ability to attack hardware including SIPROTEC protective relays. These protective relays open circuit breakers if they detect dangerous conditions. A security flaw meant that a single packet could put the relays in a state where it would be useless unless manually rebooted. Siemens released a software patch in 2015 to fix the issue, but many relays weren't updated with it. Evidence from logs obtained by Dragos Security showed the attackers initially opened every circuit breaker in the transmission station, causing a power cut. Then an hour later they ran wiper malware to disable the station's computer, making it impossible to monitor the station. Finally, the attackers tried to disable four of the stations SIPROTEC protective relays, which could not be detected by operators. Dragos concluded that the attackers intended the operators to re-engergise the station equipment, which could have injured engineers and damaged equipment. The data packets intended for the protective relays were sent to the wrong IP address. The operators may also have brought the station back online faster than attackers expected.
= Follow-on attack =
In April 2022, Ukrainian authorities announced that they had prevented a cyberattack that used malware similar to Industroyer.{{Cite news |last=Rundle |first=James |last2=Stupp |first2=Catherine |date=12 April 2022 |title=Ukraine Thwarts Cyberattack on Electric Grid, Officials Say |url=https://www.wsj.com/articles/ukraine-thwarts-cyberattack-on-electric-grid-officials-say-11649794612 |access-date=23 May 2024 |work=The Wall Street Journal}}