Ukraine's energy ministry said hackers used a Russian-based internet service provider to make calls from the country to communicate among themselves for carrying out the cyberattack on Ukraine's power utilities on 23 December 2015.
The ministry had completed an investigation into the cyberattack, although it did not hold the Russian government directly responsible for the attack. The findings are in line with the recent testimony of the US intelligence chief to Congress, which branded cyberattacks as the biggest threat to US national security.
The ministry in a statement noted, "According to one of the power companies, the connection by the attackers to its IT network occurred from a subnetwork ... belonging to an (internet service) provider in the Russian Federation."
Hackers carried out attacks on three power firms in December, and followed that with fake calls to those companies' call centres in an attempt to prevent customers from reporting the outage. The attack, the first known power outage caused by a cyberattack, left homes in the Ivano-Frankivsk region of Ukraine without electricity for several hours. The malware used in the attacks is believed to be the BlackEnergy Trojan.
Oleksander Svetelyk, deputy energy minister, told Reuters that the hackers were preparing for the attack at least six months before it was carried out. Svetelyk said, "The attack on our systems took at least six months to prepare – we have found evidence that they started collecting information (about our systems) no less than six months before the attack."
Malware attack against mining and rail companies in Ukraine
According to the latest findings by the well-known cybersecurity firm Trend Micro, the attackers behind the intrusions at two power companies in Ukraine apparently attempted a similar cyberattack against a mining company and a large railway operator in the country.
The researchers further believe that the malicious software BlackEnergy and KillDisk, found in the power incident, was also used against the mining and rail companies in Ukraine. One of the theories put forth by the researchers to explain the motive behind the attack is that the attackers may have wanted to destabilise Ukraine through massive disruption of power, mining and transportation facilities.
Another theory is that the hackers deployed malware to different infrastructure systems to determine which was the easiest to gain control over. The last theory is that the malware attacks on the mining and train companies may have been preliminary tests, in which the attackers were simply trying out the code base.