Cyber Incident Victim: Kyivoblenergo
Date: Dec 2015
Location: Ukraine
Summary
A cyberattack targeted a Ukrainian power distribution company, Kyivoblenergo, causing widespread outages through coordinated actions: malware deployed on workstations and servers, a telephone denial-of-service against the customer call centers, and manipulation of grid equipment through the utility's own SCADA systems. Attackers blinded dispatchers by disrupting their view of grid operations and remotely opened breakers at 30 substations, leaving about 80,000 customers without power. Outages lasted roughly 3 to 6 hours; restoration depended on manual operation because the attackers wiped critical systems to impede recovery. Utility personnel switched substations to manual control and re-energized the grid despite the communication disruption and the compromised automation. The incident demonstrated a multi-stage campaign that combined cyber intrusion with cyber-enabled manipulation of physical grid equipment to amplify impact and delay response.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 4 motives | 3 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On December 23, 2015, a coordinated cyber attack disrupted operations at multiple Ukrainian power distribution companies, including Kyivoblenergo. The disruptive actions against the production SCADA systems took place between 15:30 and 16:30 local time; the network access that made them possible had been established months earlier, and during the attack the adversaries also infected workstations and servers. The intrusion blinded system dispatchers by denying them visibility into grid operations, while a simultaneous telephone denial-of-service against the customer call centers prevented outage reports from reaching the utility. At Kyivoblenergo, the attackers disconnected seven 110 kV substations and twenty-three 35 kV substations, cutting power to about 80,000 residential customers, a significant portion of the service area. Forensic analysis indicated that the adversaries used their remote access to operate the breaker controls by hand rather than relying on an automated malware payload.

Utility personnel responded by moving to manual operations within hours of the attack. Field crews physically visited the affected substations and switched the control systems from automatic to manual mode, which allowed them to re-close breakers and restore power without relying on the compromised SCADA infrastructure. All customers regained electricity by 18:56 local time, and full restoration across the impacted utilities was completed within 3 to 6 hours. The attackers tried to prolong the outage by wiping critical files on the SCADA servers to hinder recovery, but operators mitigated this through the rapid transition to manual control procedures; manual mode restored supply but left those substations without remote supervisory control for as long as the SCADA environment remained untrusted. Post-incident analysis confirmed that the malware provided the initial network access and supported command-and-control, but did not itself trigger the power interruption, which required human-directed actions against the breakers.
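One detection a practitioner would want after reading the above is a check for the pattern that made this outage possible: a single remote session issuing breaker-open commands at many distinct substations inside a short window. The code below is an added example written for this page, not Kyivoblenergo's or any vendor's tooling. The SCADA command-audit log format, the session and origin fields, the substation names and the thresholds are all assumptions; the log lines are constructed to contain one legitimate local maintenance session and one remote session that opens breakers at eight substations in about twelve minutes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, hypothetical SCADA command-audit lines (the format is assumed,
# not a real product's). Fields: timestamp, session, origin, substation,
# device, command. The vpn-7 session mimics the pattern in the description:
# one remote session opening breakers at many substations within an hour.
SAMPLE_LOG = """\
2015-12-23T15:02:10 sess=op-12 origin=local sub=SS-21 dev=CB-3 cmd=OPEN
2015-12-23T15:05:40 sess=op-12 origin=local sub=SS-21 dev=CB-3 cmd=CLOSE
2015-12-23T15:31:05 sess=vpn-7 origin=remote sub=SS-01 dev=CB-1 cmd=OPEN
2015-12-23T15:32:12 sess=vpn-7 origin=remote sub=SS-02 dev=CB-1 cmd=OPEN
2015-12-23T15:33:50 sess=vpn-7 origin=remote sub=SS-03 dev=CB-2 cmd=OPEN
2015-12-23T15:35:01 sess=vpn-7 origin=remote sub=SS-04 dev=CB-1 cmd=OPEN
2015-12-23T15:36:44 sess=vpn-7 origin=remote sub=SS-05 dev=CB-1 cmd=OPEN
2015-12-23T15:38:20 sess=vpn-7 origin=remote sub=SS-06 dev=CB-3 cmd=OPEN
2015-12-23T15:40:09 sess=vpn-7 origin=remote sub=SS-07 dev=CB-1 cmd=OPEN
2015-12-23T15:42:30 sess=vpn-7 origin=remote sub=SS-08 dev=CB-2 cmd=OPEN
2015-12-23T16:10:00 sess=op-12 origin=local sub=SS-21 dev=CB-4 cmd=OPEN
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        fields["ts"] = datetime.fromisoformat(ts_str)
        events.append(fields)
    return events


def detect_bursts(events, window=timedelta(minutes=60), min_substations=5,
                  remote_only=False):
    """Per session, slide a time window over breaker OPEN commands and alert
    when the session has opened breakers at >= min_substations distinct
    substations inside the window. Returns one alert per offending session,
    describing the widest window seen. Thresholds are tuning assumptions."""
    per_session = defaultdict(list)
    for ev in events:
        if ev["cmd"] != "OPEN":
            continue
        if remote_only and ev["origin"] != "remote":
            continue
        per_session[ev["sess"]].append(ev)

    alerts = []
    for sess, evs in per_session.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        best = None
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            subs = {e["sub"] for e in evs[start:end + 1]}
            if len(subs) >= min_substations and (
                    best is None or len(subs) > best["substations"]):
                best = {
                    "session": sess,
                    "origin": evs[end]["origin"],
                    "first": evs[start]["ts"],
                    "last": evs[end]["ts"],
                    "substations": len(subs),
                }
        if best is not None:
            alerts.append(best)
    return alerts


ALERTS = detect_bursts(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    for a in ALERTS:
        print(f"ALERT session={a['session']} origin={a['origin']} "
              f"substations={a['substations']} "
              f"from {a['first'].time()} to {a['last'].time()}")
```

Run as a script it prints a single alert for session vpn-7 covering eight substations; the local maintenance session op-12 never trips the rule because it only touches one substation. In a real dispatch environment a burst of breaker operations can be legitimate (storm restoration, planned switching), so a rule like this should be paired with the session's origin (remote versus console), the absence of a matching switching order, and the call-center and workstation anomalies the description mentions, rather than used on its own.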
