Cyber Incident Victim: Prykarpattiaoblenergo

Date:

Dec 2015

Location:

Ukraine

Summary

A cyberattack targeted a Ukrainian power distribution company, Prykarpattyaoblenergo, through unauthorized remote access to its control systems. Attackers manipulated circuit breakers at multiple substations, causing widespread outages affecting over 230,000 residents while simultaneously disabling backup power supplies at distribution centers, hindering restoration efforts. The incident involved months of reconnaissance, credential theft, and malicious firmware installations to compromise operational technology, demonstrating a coordinated effort to disrupt critical infrastructure. This breach underscored systemic vulnerabilities in grid security and marked one of the first known successful cyberattacks to cause prolonged electricity disruption through direct industrial control system interference.

CIA Posture: Available to members

Motives: 2 motives

Tactics, Techniques & Procedures: 3 techniques

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

On December 23, at approximately 3:30 p.m., operators at the Prykarpattyaoblenergo control center in Ukraine’s Ivano-Frankivsk region observed unauthorized cursor movement on a workstation screen during a shift transition. The cursor autonomously navigated to controls for a regional substation’s circuit breakers, selected the option to open a breaker, and confirmed the action via a dialogue box, disconnecting the substation from the grid. An operator attempted to regain control using his mouse but found the system unresponsive. The attackers then forcibly logged the operator out of the control panel and altered his credentials, blocking re-entry. From this compromised workstation, the attackers proceeded to remotely open approximately 30 additional substation breakers under Prykarpattyaoblenergo’s management, causing cascading outages. Concurrently, two other power distribution centers in the region were targeted using identical methods, nearly doubling the total number of substations taken offline. This coordinated disruption left over 230,000 residents without electrical power during winter conditions.

The attackers further incapacitated response efforts by disabling backup power systems at two of the three affected distribution centers, depriving operators of lighting and operational equipment. Forensic analysis determined the intrusion relied on months of reconnaissance, credential theft, and malicious firmware modifications to establish persistent access. The sabotage specifically targeted supervisory control and data acquisition (SCADA) interfaces responsible for grid management, exploiting legitimate control functions to trigger physical disconnections. No utility-initiated containment or restoration timeline was detailed in available reporting. The incident highlighted systemic vulnerabilities in critical infrastructure security, marking the first publicly confirmed case of a cyberattack causing widespread power outages through direct manipulation of grid control systems.

Sources
Sources available to members
1 source