Did Ukraine’s Cyberattacks Originate in Russia?

As Ukraine grapples with a plethora of challenges, including endemic corruption and trade disputes with Russia, cyberattacks against the country’s critical infrastructure can now be added to the list of issues.

In late December, Ukraine experienced what may have been the world’s first blackout caused by a cyberattack. While the blackout was short-lived, it affected eight provinces in western Ukraine and cut power to over eighty thousand people. Investigators now say at least eight utilities were targeted by malware, although only two experienced power outages as a result. Then, one month later, another cyberattack hit the IT network of Kyiv’s main airport.

In both cases, Ukraine’s officials lay the blame on Russia, pointing out that the malware used in the attacks was previously linked to the Sandworm team, a hacking group that security researchers suspect is backed by Moscow. Still, pinpointing the origins of a cyberattack is notoriously difficult, and many of the details surrounding the attacks remain murky. Experts are still struggling to determine how the hackers caused the blackout, and evidence linking the attacks against the utilities with those against the airport remains elusive.

“Anytime we’re talking about the geopolitical arena and cyberattacks, you always have to consider the motivations of the parties involved, beyond just the technical details,” says Tim Erlin, director of IT security at Tripwire, a US-based cybersecurity firm. “But unless a group specifically claims responsibility, we’re making guesses. They may be educated guesses and they may be accurate, but you aren’t going to achieve certainty.”

Nevertheless, there are numerous reasons to believe Russian hackers could be the culprits. According to the US Intelligence Community’s 2015 Worldwide Threat Assessment Report, Russia is one of the “most sophisticated nation-state actors” in cyberwarfare. Russian hackers are known to be some of the world’s most skilled, boasting of sophisticated programming abilities and almost unparalleled inventiveness. Russia was also the first country to combine traditional warfare with cyberattacks, hitting Georgian government websites with Distributed Denial of Service Attacks (DDOS) during the 2008 Russia-Georgia war.

Perhaps even more revealing, the cyberattack against the airport in January was launched from a server located in Russia, Ukrainian officials said.

In all of the recent attacks, the hackers used BlackEnergy 3, a malware that remotely takes over devices. Russian hackers invented the original version of BlackEnergy in 2007 and it has since been used in hundreds of low-tech cyberattacks against government websites in Ukraine, Poland, and other European countries.

But experts are quick to point out that these tools can easily be purchased on the black market or adopted by groups outside of Russia. And even if the hackers are Russian, that doesn’t necessarily mean they’re on Russian President Vladimir Putin’s payroll. The use of BlackEnergy is hardly a smoking gun in the hands of the Russian government.

What’s most noteworthy about the attacks against Ukraine’s utilities was the level of coordination, observers say.

Although the hackers didn’t use especially sophisticated or rare technology, the multi-phased attacks were clearly the work of a synchronized group that aimed to prolong the blackout for as long as possible. Data on company control screens were frozen to seem as if electricity were still reaching customers. Some computers were infected with the malware KillDisk, which causes computers to crash but doesn’t allow them to reboot. Meanwhile, a coordinated telephone campaign flooded company call centers with fake phone calls so that real customers couldn’t lodge complaints about the blackout. In all, experts agree that the attacks were incredibly well-coordinated.

Still, they did not succeed in causing any large scale or permanent damage. Many cybersecurity experts fear that hackers targeting critical infrastructure could eventually cause physical damage, or cause a catastrophic blackout lasting weeks or months. But the attacks in Ukraine were not of that magnitude.

“The Ukraine incident [in December] only seemed to last a few hours, so I don’t think it did any physical damage,” asserts John Everett, Program Manager at the Information and Innovation Office at the Defense Advanced Research Project Agency (DARPA), a research arm of the US Department of Defense. “If it did, the engineers were quite capable of working around it and restoring power.”

The fact that Ukraine’s electricity grid isn’t as modern as that of many Western countries may have helped turn the lights back on more quickly, experts say.

“They actually had the ability to flip over to a manual control method, and that got the power back on faster than you would have seen with utilities that have infrastructure that relies more on technology,” Erlin explains.

Similarly, the malware in the airport’s network was located before it caused any significant damage.

Nevertheless, researchers are working diligently to understand exactly what took place. Although BlackEnergy 3 was found on one of the company’s systems, the outages were caused when the electricity grid’s breakers opened. There is currently no known malware that can do that. Some experts claim that BlackEnergy 3 opened a pathway through which hackers could gain control of the companies’ operator stations. Others postulate that the KillDisk malware caused the outage by wiping data from control systems. Meanwhile, others doubt whether the cyberattacks caused the outages at all.

What is clear, however, is that the attacks motivated Ukraine’s government to secure its networks. Ukraine’s state-run Computer Emergency Response Team (CERT-UA) warned that more attacks could occur, and state authorities say they plan to review all of the government’s computer systems.

Cristina Maza is the Budge Sperling Reporting Fellow at The Christian Science Monitor; she covers energy and cybersecurity in The Monitor’s Washington, DC, bureau.

Image: People arrive at Kyiv's main airport, Boryspil, in Ukraine, January 18, 2015. Ukrainian authorities will review the defenses of government computer systems, including at airports and railway stations, after a cyberattack on Kyiv's main airport was launched from a server in Russia, officials told Reuters. Credit: REUTERS/Valentyn Ogirenko