
Cyber Incident Victim: Kyivenergo

Date: Dec 2015

Location: Ukraine

Summary

A coordinated cyberattack targeted multiple Ukrainian power distribution companies, including Kyivenergo, causing widespread outages through a multi-faceted approach. Attackers compromised SCADA systems to blind dispatchers, disconnected critical substations affecting tens of thousands of customers, and simultaneously flooded call centers to impede outage reporting. Utility personnel restored power within hours by manually operating substations after switching to offline control modes. While malware facilitated network access and hindered recovery through file-wiping activities, the direct cause of outages stemmed from adversary-triggered operational disruptions rather than autonomous malicious code. The incident demonstrated sophisticated coordination combining cyber intrusions with physical grid manipulation and communication denial tactics.

CIA Posture: Available to members
Motives: 4 motives
Tactics, Techniques & Procedures: 3 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On January 6, 2016, a coordinated cyber attack caused power outages affecting multiple Ukrainian regional distribution companies, including Kyivoblenergo. Attackers gained unauthorized access to production SCADA systems, infected workstations and servers, and deliberately blinded system dispatchers by disrupting visibility into grid operations. Between 15:30 and 16:30 local time, the intrusion at Kyivoblenergo disconnected seven 110 kV substations and twenty-three 35 kV substations, cutting power to 80,000 residential customers. Concurrently, call centers were flooded with denial-of-service attacks, preventing customers from reporting outages. Technical analysis indicated adversaries manually interacted with systems to force undesirable state changes, opening circuit breakers to de-energize infrastructure. The attackers amplified disruption by wiping SCADA servers post-outage, intending to delay restoration efforts and complicate forensic investigations. While malware linked to the BlackEnergy campaign provided initial network access, the outage itself required direct adversary manipulation of operational controls rather than automated malware payloads.


Utility personnel restored power within 3–6 hours by switching distribution systems to manual operation. Field crews physically manned substations, manually closing breakers to re-energize circuits without relying on compromised SCADA systems. Kyivoblenergo fully restored customer power by 18:56 local time despite ongoing SCADA infections. Restoration efforts faced elevated risks due to operating without automated dispatch controls, particularly for utilities heavily dependent on automation. Forensic evidence confirmed the attack combined three synchronized components: malware-enabled network access, physical grid manipulation, and coordinated denial-of-service against communication systems. The incident demonstrated deliberate planning to maximize impact through simultaneous technical and psychological effects, though initial intrusion vectors and full attacker reconnaissance methods remained unconfirmed at the time of reporting.
