The power outage in Ukraine on 23 December 2015 was the work of the Russian hacking collective Sandworm, says cyber intelligence firm iSight Partners. The firm claims to have tracked the hacker group for some time.
"Since last week, iSight Partners has worked to provide details on the power outage in Ukraine to our global customers. We have analysed the forensic evidence we have been able to obtain from the region, contextualising it within our knowledge of cyber espionage actors," notes John Hultquist, director, cyber espionage analysis at iSight Partners.
"However, we have linked Sandworm Team to the incident, principally based on BlackEnergy 3, the malware that has become their calling card."
In a separate interview with Reuters, Hultquist said, "We believe that Sandworm was responsible." There is no word from iSight on whether Sandworm is working for Moscow.
"It is a Russian actor operating with alignment to the interest of the state. Whether or not it's freelance, we don't know," added Hultquist. The group was named Sandworm because of references to the Dune science-fiction series embedded in its malware.
iSight claims to have obtained access to the KillDisk malware, also known as Disakil, a new variety of the BlackEnergy Trojan malware used in the cyberattack carried out on the Ukrainian power station. This is the same malware that was used against media companies in Ukraine.
iSight also believes this KillDisk malware is related to the malware attack during the Ukrainian elections in October. At the time, the Computer Emergency Response Team of Ukraine (CERT-UA) had linked that incident to BlackEnergy 3. Meanwhile, iSight sources assert that the BlackEnergy 3 malware was deployed against at least one of the Ukrainian power systems.
"iSight Partners is still collecting information on the mechanics of the power outage and what role the KillDisk malware played in the greater event. We cannot confirm that the KillDisk malware caused the outage. It may have been used following steps to manipulate power in order to impede restoration efforts or operator visibility. It is noteworthy that technical support numbers associated with the power authorities were allegedly flooded with calls, which may have been an effort to further overwhelm responders," added iSight, saying this was being highlighted by the Ukrainian security service, the SBU, on its official website.