In 2017, ESET had noted the disturbing implications of that malware component; it hinted that Industroyer’s creators might be bent on physical damage. But it was far from clear how the Siprotec-hacking feature could have actually caused more lasting damage. After all, the hackers had merely turned off the power at Ukrenergo, not caused the sort of dangerous power surge that disabling a protective relay might exacerbate.
The Dragos analysis may provide that missing piece of the Ukrenergo puzzle. The company obtained the Ukrainian utility’s network logs—it declined to say from where—and for the first time was able to reconstruct the order of the hackers’ operations. First, the attackers opened every circuit breaker in the transmission station, triggering the power outage. An hour later, they launched a wiper component that disabled the transmission station’s computers, preventing the utility’s staff from monitoring any of the station’s digital systems. Only then did the attackers use the malware’s Siprotec hacking feature against four of the station’s protective relays, intending to silently disable those fail-safe devices with almost no way for the utility’s operators to detect the missing safeguards.
The intention, Dragos analysts now believe, was for the Ukrenergo engineers to respond to the blackout by hurriedly re-energizing the station’s equipment. By doing so manually, without the protective relay fail-safes, they could have triggered a dangerous overload of current in a transformer or power line. The potentially catastrophic damage would have caused far longer disruptions to the plant’s energy transmission than mere hours. It could also have harmed utility workers.
That plan ultimately failed. For reasons Dragos can’t quite explain—likely a networking configuration mistake the hackers made—the malicious data packets intended for Ukrenergo’s protective relays were sent to the wrong IP addresses. The Ukrenergo operators may have turned the power back on faster than the hackers expected, outracing the protective relay sabotage. And even if the Siprotec attacks had hit their marks, backup protective relays in the station might have prevented a disaster—though Dragos’s analysts say that without a full picture of Ukrenergo’s safety systems, they can’t entirely game out the potential consequences.
But Dragos director of threat intelligence Sergio Caltagirone argues that regardless, the sequence of events represents a disturbing tactic that wasn’t recognized at the time. The hackers predicted the power utility operator’s reaction and tried to use it to amplify the cyberattack’s damage. “Their fingers are not over the button,” Caltagirone says of the blackout hackers. “They’ve pre-engineered attacks that harm the facility in a destructive and potentially life-threatening way when you respond to the incident. It’s the response that ultimately harms you.”
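The staged sequence Dragos reconstructed (breakers opened, then the station's monitoring hosts wiped, then packets aimed at the protective relays, some of them apparently misdirected) is the kind of pattern a utility's own monitoring could correlate. The following is an added illustration written for this page, not code from WIRED, Dragos or any utility: a small correlator over a constructed event log that walks through the three stages and, on a match, tells operators to verify relay protection before re-energizing by hand. The log format, hostnames, breaker ids, IP addresses, timestamps and the relay inventory are all made up for the example.

```python
"""Added example (not from the article or from Dragos): correlate the
three-stage sequence described above over a constructed event log."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str  # breaker_open | telemetry_lost | relay_traffic
    src: str   # originating host (constructed names)
    dst: str   # breaker id, server name or destination IP


# Constructed sample log: hypothetical station, all names/addresses made up.
# A burst of breaker opens, then loss of telemetry about an hour later, then
# relay-protocol traffic, one flow to a known relay and one to a wrong subnet.
SAMPLE_LOG = """\
2000-01-01T22:53:00 breaker_open hmi-01 CB-101
2000-01-01T22:53:01 breaker_open hmi-01 CB-102
2000-01-01T22:53:01 breaker_open hmi-01 CB-103
2000-01-01T22:53:02 breaker_open hmi-01 CB-104
2000-01-01T22:53:03 breaker_open hmi-01 CB-105
2000-01-01T23:52:40 telemetry_lost hmi-01 scada-srv
2000-01-01T23:52:41 telemetry_lost hmi-02 scada-srv
2000-01-01T23:55:10 relay_traffic hmi-01 10.0.1.201
2000-01-01T23:55:11 relay_traffic hmi-01 10.0.9.201
"""

# Assumed asset inventory of the station's protective relays (constructed).
KNOWN_RELAYS = {"10.0.1.201", "10.0.1.202", "10.0.1.203", "10.0.1.204"}


def parse_log(text: str) -> list[Event]:
    """Parse 'timestamp kind src dst' lines into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, src, dst = line.split()
        events.append(Event(datetime.fromisoformat(ts), kind, src, dst))
    return sorted(events, key=lambda e: e.ts)


def find_breaker_storm(events: list[Event], min_count: int = 4,
                       window: timedelta = timedelta(seconds=30)) -> Optional[datetime]:
    """Return when the first burst of >= min_count breaker opens completes."""
    opens = [e.ts for e in events if e.kind == "breaker_open"]
    for i in range(len(opens)):
        j = i + min_count - 1
        if j < len(opens) and opens[j] - opens[i] <= window:
            return opens[j]
    return None


def correlate(events: list[Event], known_relays: set[str],
              max_gap: timedelta = timedelta(hours=2)) -> dict:
    """Match breaker storm -> telemetry loss -> relay traffic, in that order."""
    result = {"stage": 0, "breaker_storm_at": None, "telemetry_lost_at": None,
              "relay_targets": [], "misdirected_targets": [], "advice": None}
    storm = find_breaker_storm(events)
    if storm is None:
        return result
    result["stage"], result["breaker_storm_at"] = 1, storm

    lost = [e for e in events
            if e.kind == "telemetry_lost" and storm <= e.ts <= storm + max_gap]
    if not lost:
        return result
    result["stage"], result["telemetry_lost_at"] = 2, lost[0].ts

    # Relay-protocol traffic after the monitoring hosts went dark is the
    # signal; traffic to addresses outside the relay inventory is flagged
    # separately, since a misdirected attempt is still an attempt.
    traffic = [e for e in events if e.kind == "relay_traffic" and e.ts >= lost[0].ts]
    for e in traffic:
        bucket = "relay_targets" if e.dst in known_relays else "misdirected_targets"
        result[bucket].append(e.dst)
    if traffic:
        result["stage"] = 3
        result["advice"] = ("Confirm every protective relay is in service before "
                            "manual re-energization; the restoration step is "
                            "part of the attack surface.")
    return result


def analyse(text: str = SAMPLE_LOG, known_relays: set[str] = KNOWN_RELAYS) -> dict:
    return correlate(parse_log(text), known_relays)


if __name__ == "__main__":
    r = analyse()
    print(f"stage {r['stage']}: relays {r['relay_targets']}, "
          f"misdirected {r['misdirected_targets']}")
    if r["advice"]:
        print(r["advice"])
```

The thresholds (four breaker opens within thirty seconds, a two-hour window for the wiper stage) are placeholders a station would tune to its own switching activity; the point is the ordering, since each stage alone (a breaker trip, a host outage, a relay poll) is routine, and it is the chain that distinguishes the attack from normal operations.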
Appetite for Destruction
The specter of physical destruction attacks on electric utilities has haunted grid cybersecurity engineers for more than a decade, since Idaho National Labs demonstrated in 2007 that it was possible to destroy a massive, 27-ton diesel generator simply by sending digital commands to the protective relay connected to it. The engineer who led those tests, Mike Assante, told WIRED in 2017 that the presence of a protective relay attack in the Ukrenergo malware, though not yet fully understood at the time, hinted that those destructive attacks might finally be becoming a reality. “This is definitely a big deal,” warned Assante, who passed away earlier this year. “If you ever see a transformer fire, they’re massive. Big black smoke that all of a sudden turns into a fireball.”
If the new Dragos theory of the 2016 blackout holds true, it would make the incident only one of three times when in-the-wild malware has been designed to trigger destructive physical sabotage. The first was Stuxnet, the US and Israeli malware that destroyed a thousand Iranian nuclear enrichment centrifuges roughly a decade ago. And then a year after the Ukrainian blackout, in late 2017, another piece of malware known as Triton or Trisis, discovered in the network of Saudi oil refinery Petro Rabigh, was revealed to have sabotaged so-called safety-instrumented systems, the devices that monitor for dangerous conditions in industrial facilities. That last cyberattack, since linked to Moscow’s Central Scientific Research Institute of Chemistry and Mechanics, merely shut down the Saudi plant. But it could have led to far worse outcomes, including deadly accidents like an explosion or gas leak.