A power outage in western Ukraine on 23 December 2015 was the result of a cyberattack, the country's energy ministry has confirmed. Cybersecurity researchers at ESET believe it to be the first-known instance of power stations being disabled by hackers.
The incident left homes in the Ivano-Frankivsk region of Ukraine without electricity for several hours in December 2015. The malware used to carry out the attacks is believed to be the BlackEnergy Trojan, first developed in 2007 to carry out distributed denial of service (DDoS) attacks. It has since been upgraded to carry out more sophisticated tasks, such as cyber-espionage.
"We found out that the attackers have been using a malware family on which we have had our eye for quite some time now: BlackEnergy," researchers from antivirus firm ESET wrote in a blogpost.
"Destructive malware is not a new phenomenon. While even some of the earliest viruses used to have destructive functionality intended mostly as a prank, today's cyber-criminals use such components for a number of reasons, ranging from sabotage, or hacktivism, to covering their tracks after a successful cyber-espionage attack."
It is not yet clear where the attacks originated from, though Ukraine's SBU state security service blamed "Russian security services". The Kremlin could not be reached immediately for comment.
ESET revealed that the power station's servers were infected through Microsoft Office files attached to spear-phishing emails purporting to be from the Ukrainian parliament, the Rada. Security company CyS Centrum published screenshots of the documents used in the BlackEnergy campaign, which contained malicious macros the recipients were encouraged to run.
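The delivery vector described above (Office attachments carrying VBA macros) is one a mail gateway can screen for before a document ever reaches a recipient. The following is an added illustration, not code from ESET, CyS Centrum or this article: it classifies an attachment by looking for the VBA project part inside a zip-based Office (OOXML) file, and flags the older OLE binary formats (.doc/.xls) for deeper inspection, since detecting macros there requires parsing the compound-file structure (tools such as oletools' olevba do that). The sample documents are constructed in memory, and the function and file names are the example's own.

```python
import io
import zipfile

# Magic bytes for the two Office container families (real format constants).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt compound file
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm/.xlsx/.xlsm) zip

def classify_office_attachment(data: bytes) -> str:
    """Classify raw attachment bytes.

    Returns one of:
      'ooxml-macro'  - zip-based Office file that embeds a VBA project
      'ooxml-clean'  - zip-based Office file with no VBA project part
      'ole-legacy'   - binary Office format; needs a compound-file parser to inspect
      'not-office'   - anything else
    """
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "not-office"            # a zip, but not an Office package
            # A vbaProject.bin part is the VBA macro storage in OOXML files.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "ooxml-macro"
            # Also check the content-type manifest, in case the part is renamed.
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if "ms-office.vbaProject" in ctypes or "macroEnabled" in ctypes:
                return "ooxml-macro"
    except zipfile.BadZipFile:
        return "not-office"
    return "ooxml-clean"

def triage_attachments(attachments):
    """Map attachment name -> verdict for a list of (name, bytes) pairs.

    Macro-bearing OOXML files are quarantined outright; legacy OLE files are
    held for deeper inspection rather than released on file extension alone.
    """
    verdicts = {}
    for name, data in attachments:
        kind = classify_office_attachment(data)
        if kind == "ooxml-macro":
            verdicts[name] = "quarantine"
        elif kind == "ole-legacy":
            verdicts[name] = "inspect"
        else:
            verdicts[name] = "release"
    return verdicts

def build_sample(with_macro: bool) -> bytes:
    """Build a minimal docx-like package in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = ('<?xml version="1.0"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
              'officedocument.wordprocessingml.document.main+xml"/>')
        if with_macro:
            ct += ('<Override PartName="/word/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/>')
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder-vba-project")  # constructed stub
    return buf.getvalue()

if __name__ == "__main__":
    samples = [
        ("agenda.docx", build_sample(with_macro=False)),
        ("agenda.docm", build_sample(with_macro=True)),
        ("report.xls", OLE_MAGIC + b"\x00" * 16),   # constructed OLE header only
        ("notes.txt", b"plain text"),
    ]
    for name, verdict in triage_attachments(samples).items():
        print(f"{name}: {verdict}")
```

The check keys on the file's actual structure, not its extension: a macro-bearing file renamed to .docx is still caught, and a gateway that only blocks .docm by name would miss it.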
"It's a milestone because we've definitely seen targeted destructive events against energy before – oil firms, for instance – but never the event which causes the blackout," John Hultquist, head of iSight's cyber espionage intelligence practice, told Ars Technica. "It's the major scenario we've all been concerned about for so long."