Ukraine Power Grid Attack (2015)

December 2015

Coercive function: Sabotage
Peak: Degradation
Attribution: High Confidence
Sectors affected: Energy, Critical Infrastructure
Year
2015
Actor country
Russia
Target regions
Ukraine
Unpeace score
8

Executive Summary

Coordinated cyber attack against three Ukrainian regional power distribution companies that caused power outages affecting approximately 230,000 customers. Attackers used spearphishing for initial access, then leveraged stolen credentials to remotely operate SCADA systems and open breakers, followed by destructive actions to delay restoration.

Why This Matters

Ukraine 2015 was the first confirmed cyber-caused power outage, turning a theoretical risk into an operational reality that reshaped how governments defend energy grids.

Escalation Profile

7-Dimension Profile

Escalation Ladder

Probing
Intrusion
Disruption
Degradation
Destruction
Strategic

Phases

2015-03
Intrusion

Spearphishing and credential theft

BlackEnergy 3 malware delivered via spearphishing enabled persistent access to corporate networks of three power distributors.

2015-12-23
Disruption

Remote SCADA manipulation

The attackers used VPN access and stolen credentials to remotely open circuit breakers at ~30 substations, cutting power to ~230,000 customers.

2015-12-23
Degradation

Restoration sabotage

KillDisk wiper deployed on operator workstations; UPS firmware overwritten; call-center telephone lines flooded to hinder response.

Threshold Crossings

  • First publicly confirmed cyber attack to cause a power outage
  • Demonstrated end-to-end attack chain from IT network to physical grid impact

Restraint Factors

  • Outages lasted ~6 hours; manual restoration was possible
  • Limited to distribution-level systems, not generation or transmission

Attribution Assessment

High Confidence: Sandworm Team, attributed by multiple governments to Russia's GRU
Actor country: Russia
Aliases: Sandworm, Voodoo Bear, IRIDIUM
1. Technical

Threat actor mapped to Russia based on infrastructure analysis, malware attribution, and operational patterns.

Evidence: SANS ICS: Analysis of the Cyber Attack on the Ukrainian Power Grid; ESET: BlackEnergy by the SSHBearDoor

2. Political / Legal

Public Attribution
  • DHS ICS-CERT technical assistance and joint analysis with Ukrainian CERT
  • Increased NATO cyber cooperation with Ukraine

Sources: ICS-CERT Alert IR-ALERT-H-16-056-01

3. Open Source

No dedicated journalistic sources in dataset. See sources section for full references.

“High Confidence” reflects available public evidence. All assessments carry inherent uncertainty and should be read alongside source material.

Unpeace Position

8

Unpeace Score

Composite severity rating on the peace–conflict spectrum

Stable
Contested
Escalatory

Contributing Dimensions

Escalation peak: 4/6
Threshold crossings: 2/4
Governance flags: 3/8
Sectors affected: 2/6
Entanglement: 4/10
Country scope: 1/6

Coercive Function

Sabotage

Physical or functional disruption of systems — coercive value through demonstrating capability to cause real-world harm.

Observed coercive effects

  • First publicly confirmed cyber attack to cause a power outage
  • Demonstrated end-to-end attack chain from IT network to physical grid impact

Entanglement Risk

Entanglement score: 4

Sectors affected

Energy, Critical Infrastructure

Countries / regions

Ukraine

Impact summary

Power outages for ~230,000 customers across three regions; manual restoration required ~6 hours.

Infrastructure Meaning

Malware / tooling

BlackEnergy 3, KillDisk

Capability profile

Power outages for ~230,000 customers across three regions; manual restoration required ~6 hours.

4 ATT&CK techniques mapped — see ATT&CK mapping below.

Governance Analysis

Governance Flags

  • Norm Violation
  • Public Attribution
  • Sanctions Imposed
  • Indictment
  • UN Discussion
  • Regulatory Change
  • International Cooperation
  • Deterrence Signal

Norms invoked

  • UN GGE 2015 norm against attacking critical infrastructure
  • Tallinn Manual rules on attacks against civilian objects

Policy responses

  • DHS ICS-CERT technical assistance and joint analysis with Ukrainian CERT
  • Increased NATO cyber cooperation with Ukraine

Regulatory changes

  • Spurred US grid-security reviews (NERC CIP awareness campaigns)
  • Informed EU NIS Directive discussions on energy-sector resilience

Governance impact assessment

Provided the first real-world proof that cyber operations can disrupt civilian power infrastructure, materially shaping ICS security standards and NATO cyber policy.

Sources

  • ICS-CERT Alert IR-ALERT-H-16-056-01 (Government, 2016-02-25)
  • SANS ICS: Analysis of the Cyber Attack on the Ukrainian Power Grid (Academic, 2016-03-18)
  • ESET: BlackEnergy by the SSHBearDoor (Vendor Report, 2016-01)

Sources listed reflect publicly available materials used to construct this case entry. Inclusion does not imply endorsement. Where no URL is provided, the source may be found via its title and date.