
Ukraine Power Grid Attack (2016 / Industroyer)

December 2016

Coercive function: Sabotage
Escalation peak: Degradation
Attribution: High Confidence
Sectors: Energy, Critical Infrastructure
Year
2016
Actor country
Russia
Target regions
Ukraine
Unpeace score
8

Executive Summary

A more sophisticated follow-up to the 2015 grid attack, this operation used purpose-built ICS malware (Industroyer/CrashOverride) capable of directly speaking industrial protocols to open circuit breakers. It caused a localized outage in Kyiv lasting approximately one hour.

Why This Matters

Industroyer represented a generational leap in ICS malware sophistication — a modular, protocol-aware weapon that signaled the industrialization of grid-targeted cyber capabilities.

Escalation Profile

7-Dimension Profile

Escalation Ladder

  • Probing
  • Intrusion
  • Disruption
  • Degradation (peak reached in this case)
  • Destruction
  • Strategic

Phases

2016-01 | Intrusion | Network pre-positioning

Attackers established persistent access to Ukrenergo's network months before the attack.

2016-12-17 | Disruption | Automated protocol-level attack

Industroyer malware issued commands via the IEC 101, IEC 104, OPC DA, and IEC 61850 protocols to trip breakers at a Kyiv-area transmission substation.

2016-12-17 | Degradation | Attempted recovery sabotage

A wiper component targeted Windows workstations, and a denial-of-service module aimed at Siemens SIPROTEC protection relays was intended to hinder manual restoration.

Threshold Crossings

  • First known malware purpose-built to attack electric grid protocols
  • Demonstrated automated ICS attack capability without operator interaction

Restraint Factors

  • Outage lasted ~1 hour; scope limited to one transmission substation
  • Relay DoS module did not achieve widespread effect

Attribution Assessment

Confidence: High
Sandworm Team, attributed by multiple governments to Russia's GRU
Actor country: Russia
Actor aliases: Sandworm, Voodoo Bear, IRIDIUM

1. Technical

Threat actor mapped to Russia based on infrastructure analysis, malware attribution, and operational patterns.

Evidence: ESET: Industroyer — A New Threat for Industrial Control Systems; Dragos: CrashOverride Report

2. Political / Legal

Public Attribution
  • Joint ESET/Dragos technical disclosure to support global ICS defense
  • US DHS and CISA advisories on Industroyer threat
  • Deepened NATO–Ukraine cyber defense cooperation

Sources: US-CERT Alert TA17-163A

3. Open Source

No dedicated journalistic sources in dataset. See sources section for full references.

"High Confidence" reflects available public evidence. All assessments carry inherent uncertainty and should be read alongside the source material.

Unpeace Position

Unpeace Score: 8

Composite severity rating on the peace–conflict spectrum (scale 0–100, running from Stable through Contested to Escalatory).

Contributing Dimensions

  • Escalation peak: 4/6
  • Threshold crossings: 2/4
  • Governance flags: 3/8
  • Sectors affected: 2/6
  • Entanglement: 4/10
  • Country scope: 1/6

Coercive Function

Sabotage

Physical or functional disruption of systems — coercive value through demonstrating capability to cause real-world harm.

Observed coercive effects

  • First known malware purpose-built to attack electric grid protocols
  • Demonstrated automated ICS attack capability without operator interaction

Entanglement Risk

Entanglement score: 4

Sectors affected

Energy, Critical Infrastructure

Countries / regions

Ukraine

Impact summary

~1-hour power outage in part of Kyiv via automated ICS malware; limited physical damage.

Infrastructure Meaning

Malware / tooling

Industroyer (also known as CrashOverride)

Capability profile

~1-hour power outage in part of Kyiv via automated ICS malware; limited physical damage.

4 ATT&CK techniques mapped — see ATT&CK mapping below.

Governance Analysis

Governance Flags

  • [!] Norm Violation
  • [A] Public Attribution
  • [S] Sanctions Imposed
  • [I] Indictment
  • [U] UN Discussion
  • [R] Regulatory Change
  • [C] International Cooperation
  • [D] Deterrence Signal

Norms invoked

  • UN GGE 2015 norm against attacking critical infrastructure
  • Tallinn Manual rules on proportionality and civilian objects

Policy responses

  • Joint ESET/Dragos technical disclosure to support global ICS defense
  • US DHS and CISA advisories on Industroyer threat
  • Deepened NATO–Ukraine cyber defense cooperation

Regulatory changes

  • Accelerated ICS protocol security research globally
  • Informed IEC 62351 security standard adoption discussions

Governance impact assessment

Industroyer proved that adversaries are investing in reusable, modular ICS attack frameworks — raising the bar for grid defense and influencing ICS security standards worldwide.

Sources

  • ESET: Industroyer — A New Threat for Industrial Control Systems (Vendor Report, 2017-06-12)
  • Dragos: CrashOverride Report (Vendor Report, 2017-06-12)
  • US-CERT Alert TA17-163A (Government, 2017-06-12)

Sources listed reflect publicly available materials used to construct this case entry. Inclusion does not imply endorsement. Where no URL is provided, the source may be found via its title and date.