For nearly three years, the December 2016 cyberattack on the Ukrainian power grid has presented a menacing puzzle. Two days before Christmas that year, Russian hackers planted a unique specimen of malware in the network of Ukraine's national grid operator, Ukrenergo. Just before midnight, they used it to open every circuit breaker in a transmission station north of Kyiv. The result was one of the most dramatic attacks in Russia's years-long cyberwar against its western neighbor, an unprecedented, automated blackout across a broad swath of Ukraine's capital.

But an hour later, Ukrenergo's operators were able to simply switch the power back on again. Which raised the question: Why would Russia's hackers build a sophisticated cyberweapon and plant it in the heart of a nation's power grid only to trigger a one-hour blackout?

A new theory offers a potential answer. Researchers at the industrial-control system cybersecurity firm Dragos have reconstructed a timeline of the 2016 blackout attack based on a reexamination of the malware's code and network logs pulled from Ukrenergo's systems. They say that hackers intended not merely to cause a short-lived disruption of the Ukrainian grid but to inflict lasting damage that could have led to power outages for weeks or even months. That distinction would make the blackout malware one of only three pieces of code ever spotted in the wild aimed at not just disrupting physical equipment but destroying it, as Stuxnet did in Iran in 2009 and 2010 and the malware Triton was designed to do in a Saudi Arabian oil refinery in 2017.

In an insidious twist in the Ukrenergo case, Russia's hackers apparently intended to trigger that destruction not at the time of the blackout itself but when grid operators turned the power back on, using the utility's own recovery efforts against them.

"While this ended up being a direct disruptive event, the tools deployed and the sequence in which they were used strongly indicate that the attacker was looking to do more than turn the lights off for a few hours," says Joe Slowik, a Dragos analyst who formerly led the Computer Security and Incident Response Team at the Department of Energy's Los Alamos National Laboratory. "They were trying to create conditions that would cause physical damage to the transmission station that was targeted."

Setting a Trap

The Ukraine-targeted blackout malware, known alternately as Industroyer or Crash Override, grabbed the attention of the cybersecurity community when the Slovakian cybersecurity firm ESET first revealed it in June 2017. It featured a unique ability to directly interact with an electric utility's equipment, including features that could send automated, rapid-fire commands in four different protocols used in various power utilities to open their circuit breakers and trigger mass power outages.

"It’s the response that ultimately harms you." Sergio Caltagirone, Dragos

But the new Dragos findings relate instead to an often-forgotten component of the 2016 malware, described in ESET's original analysis but not fully understood at the time. That obscure component of the malware, ESET pointed out, looked like it was designed to take advantage of a known vulnerability in a piece of Siemens equipment known as a Siprotec protective relay. Protective relays act as electric grid fail-safes, monitoring for dangerous power frequencies or levels of current in electric equipment, relaying that information to operators and automatically opening circuit breakers if they detect dangerous conditions that could damage transformers, melt power lines, or in rare cases even electrocute workers. A security flaw in Siemens protective relays—for which the company had released a software fix in 2015 but which remained unpatched in many utilities—meant that any hackers who could send a single data packet to that device could essentially put it in a sleep state intended for firmware updates, rendering it useless until manually rebooted.
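The paragraph above carries two defensive lessons: a relay's service port should only ever see traffic from known engineering hosts (a single unexpected packet was enough to park an unpatched device in its update sleep state), and a relay that has been put to sleep still looks present on the network while no longer protecting anything, so silence from a relay is itself a signal. The following is an added example, not code from the article, from Dragos, or from ESET, showing how a network monitor could apply both ideas to constructed flow records and liveness polls. The relay addresses, the engineering-host allowlist and the service port number are placeholders assumed for the example, not values taken from the article.

```python
"""
Added example (not from the article, Dragos or ESET): flag traffic to a
protective relay's service port from hosts that are not engineering
workstations, and flag relays that have stopped answering liveness polls.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumption/placeholder: the port a relay listens on for maintenance traffic.
# Substitute the port documented for your own devices.
RELAY_SERVICE_PORT = 60000

# Assumption: inventory of protective relays and of hosts allowed to reach them.
RELAY_HOSTS: Set[str] = {"10.0.5.11", "10.0.5.12"}
ENGINEERING_HOSTS: Set[str] = {"10.0.1.20"}


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since epoch (constructed)
    src: str
    dst: str
    dport: int
    proto: str      # "udp" or "tcp"


def unexpected_relay_traffic(flows: List[Flow]) -> List[Flow]:
    """Return flows aimed at a relay's service port from a non-engineering host.

    One packet is enough to matter here, so there is deliberately no
    threshold or rate logic: every such flow is reported.
    """
    return [
        f for f in flows
        if f.dst in RELAY_HOSTS
        and f.dport == RELAY_SERVICE_PORT
        and f.src not in ENGINEERING_HOSTS
    ]


def silent_relays(poll_results: Dict[str, List[bool]], min_missed: int = 3) -> List[str]:
    """Return relays whose last `min_missed` liveness polls all failed.

    poll_results maps relay address -> chronological list of poll outcomes
    (True = answered). A relay parked in its update sleep state keeps failing
    until someone reboots it, so consecutive misses are the signal rather
    than a single dropped poll.
    """
    out = []
    for relay, results in poll_results.items():
        tail = results[-min_missed:]
        if len(tail) == min_missed and not any(tail):
            out.append(relay)
    return sorted(out)


# Constructed sample data for the example.
SAMPLE_FLOWS = [
    Flow(1000.0, "10.0.1.20", "10.0.5.11", RELAY_SERVICE_PORT, "udp"),  # engineering host, allowed
    Flow(1001.0, "10.0.3.7", "10.0.5.12", RELAY_SERVICE_PORT, "udp"),   # unexpected source
    Flow(1002.0, "10.0.3.7", "10.0.5.12", 502, "tcp"),                  # other port, not this rule's concern
]
SAMPLE_POLLS = {
    "10.0.5.11": [True, True, True, True],
    "10.0.5.12": [True, False, False, False],
}

if __name__ == "__main__":
    for f in unexpected_relay_traffic(SAMPLE_FLOWS):
        print(f"ALERT: relay-service traffic from {f.src} to {f.dst}:{f.dport}")
    for r in silent_relays(SAMPLE_POLLS):
        print(f"ALERT: relay {r} stopped answering; check for sleep state and reboot")
```

In practice the allowlist and relay inventory would come from an asset database rather than constants, and the liveness poll would be whatever the relay's own protocol supports; the point of the example is that both checks are cheap and that a relay "disappearing" is treated as an alert in its own right, independent of any packet having been seen.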