A worker repairs power lines in the eastern Ukrainian town of Slavyansk (ANATOLII STEPANOV/AFP/Getty Images)

More than 225,000 people in Ukraine were plunged into blackout after a devastating cyber attack on a power station, the US Department of Homeland Security has said.

The announcement is the first time the American government has recognised that the widespread blackout was caused by hackers. While the report does not name the perpetrators of the attack, it does conclude that "external cyber-attackers" were to blame.


The power outage, which took place on 23 December 2015, is thought to be the first successful cyber attack on public utilities. According to the report, the attack was "synchronised and coordinated" and was the result of "extensive reconnaissance".

Following the blackout both Ukrainian officials and independent security experts pointed the finger of blame at cyber attackers. In early January Ukraine's energy minister said it was investigating a "suspected" hack on its power grid. At the time the country's intelligence service blamed "Russian special services", an allegation to which Moscow has not responded.


US investigators conducted a series of interviews with staff at companies targeted by the attack, drawing on first-hand evidence of what occurred. In its conclusions, however, the report adds little fresh information not already revealed by private security firms and researchers.

Among the findings, the report confirmed that the companies were attacked within 30 minutes of each other. During the attacks, a number of hackers either used existing remote administration tools at the operating system level or ran software over VPN connections. The attackers likely acquired legitimate credentials to access internal systems.

Attackers also used malware to wipe some systems after the attack, effectively shutting down critical infrastructure. The malware, known as KillDisk, was also used to wipe a Windows-based machine embedded in a company's remote terminal units.


Firmware used by Serial-to-Ethernet converters -- which connect industrial equipment to computer networks -- at substations was also corrupted, effectively shutting them down. Hackers also targeted servers to interfere with attempts to bring power back online, the report found. While the power was cut, the attackers bombarded customer service phone lines with calls to prevent people from reporting the outage.

All the companies interviewed also said they had been infected with malware known as BlackEnergy. While it isn't clear if the malware played any role in the attack, the report noted that it was delivered via a spear-phishing attack that sent emails with malicious Microsoft Office attachments.

It is possible, according to the report, that BlackEnergy was used to gain initial access to internal systems. From here, the hackers may have been able to acquire legitimate credentials.