2016 Kyiv cyberattack
A cyberattack happened in the Ukrainian capital Kiev just before midnight on 17 December 2016, and lasted for just over an hour. The national electricity transmission operator Ukrenergo said that the attack had cut one fifth of the city's power consumption at that time of night.
Attack
The attack affected the 330 kilowatt electrical substation "North" at Pivnichna, outside the capital. It happened a year after a previous attack on Ukraine's power grid.Dragos Security concluded that the attack was not merely to cause short-term disruption but to cause long-lasting damage that could last weeks or months. The attackers had tried to cause physical damage to the station when the operators turned the grid back on. The attack used Industroyer malware and has the ability to attack hardware including SIPROTEC protective relays. These protective relays open circuit breakers if they detect dangerous conditions. A security flaw meant that a single packet could put the relays in a state where it would be useless unless manually rebooted. Siemens released a software patch in 2015 to fix the issue, but many relays weren't updated with it. Evidence from logs obtained by Dragos Security showed the attackers initially opened every circuit breaker in the transmission station, causing a power cut. Then an hour later they ran wiper malware to disable the station's computer, making it impossible to monitor the station. Finally, the attackers tried to disable four of the stations SIPROTEC protective relays, which could not be detected by operators. Dragos concluded that the attackers intended the operators to re-engergise the station equipment, which could have injured engineers and damaged equipment. The data packets intended for the protective relays were sent to the wrong IP address. The operators may also have brought the station back online faster than attackers expected.