Ever since the Ukrainian "Maidan" revolution, the country has been subjected to waves of punishing cyberwar attacks, targeting its power grids, finance ministry, TV networks, election officials, and other critical systems.
These attacks are believed to originate with "Sandworm," a skilled hacker group associated with the Russian government. As bad as the attacks have been, they could have been far worse: the captured malware shows that the attackers only deployed some of their capabilities.
This has led the people defending Ukrainian systems to hypothesize that the attacks are a combination of live fire exercise — to evaluate the weapons' efficacy — and public warning to the US and NATO about Russia's capabilities, should either power attempt to curb Russian ambitions in Eastern Europe and the Middle East.
The capabilities on display are impressive and could be deployed against the highly automated US power grid and other systems, where security is more advanced, but where there is much more to secure. Doing so would likely provoke an intense response from the US government and military — the much-vaunted "cyber-deterrence" that is meant to be keeping the fragile peace in nation-states' networks and systems.
The attack they described was almost identical to the one that hit Kyivoblenergo: BlackEnergy, corrupted firmware, disrupted backup power systems, KillDisk. But in this operation, the attackers had taken another step, bombarding the company's call centers with fake phone calls—possibly to delay any warnings of the power outage from customers or simply to add another layer of chaos and humiliation.
There was another difference too. When the Americans asked whether, as in Kiev, cloned control software had sent the commands that shut off the power, the Prykarpattyaoblenergo engineers said no, that their circuit breakers had been opened by another method. That's when the company's technical director, a tall, serious man with black hair and ice-blue eyes, cut in. Rather than try to explain the hackers' methods to the Americans through a translator, he offered to show them, clicking Play on a video he'd recorded himself on his battered iPhone 5s.
The 56-second clip showed a cursor moving around the screen of one of the computers in the company's control room. The pointer glides to the icon for one of the breakers and clicks a command to open it. The video pans from the computer's Samsung monitor to its mouse, which hasn't budged. Then it shows the cursor moving again, seemingly of its own accord, hovering over a breaker and attempting again to cut its flow of power as the engineers in the room ask one another who's controlling it.
HOW AN ENTIRE NATION BECAME RUSSIA'S TEST LAB FOR CYBERWAR [Andy Greenberg/Wired]