Security researcher: Ukraine power grid facing new wave of cyberattacks

Ukrainian power plants are still facing an onslaught of cyberattacks in the wake of a malware-caused blackout in December, according to a U.S. security firm.

“[On January 19th], we discovered a new wave of these attacks, where a number of electricity distribution companies in Ukraine were targeted again following the power outages in December,” malware researcher Robert Lipovsky wrote in a post on the blog We Live Security.

{mosads}But the kind of malware used in this latest wave of attacks is not the same code that left 80,000 people in the western regions of Ukraine without power last month, Lipovsky notes.

“What’s particularly interesting is that the malware that was used this time is not BlackEnergy, which poses further questions about the perpetrators behind the ongoing operation,” he wrote.

“The malware is based on a freely-available open-source backdoor — something no one would expect from an alleged state-sponsored malware operator.”

The incident in December, believed to be the first time a blackout was caused by a cyberattack, has been widely attributed to Russia.

The Ukrainian security service, SBU, was swift to blame Russia for planting malware to cause the blackout. Relations between the two nations have been in a steep decline since Russia annexed Crimea last year and began supporting pro-Russian separatists in Ukraine.

“We found that the [malware] came from Russia,” SBU said. “It was an attempt to interfere in the system. But it was discovered and prevented.”

The U.S.’s Industrial Control Systems Cyber Emergency Response Team is assisting Ukraine in investigating the blackout, but it has neither confirmed that the malware was the principle culprit behind the blackout nor attributed the attack to Russia.

The team “can confirm that a BlackEnergy 3 variant was present in the system,” but “based on the technical artifacts, we cannot confirm a causal link between the power outage with the presence of the malware,” the agency said earlier this month.

Lipovsky warns that the latest wave of attacks, far from confirming Russia as the culprit, “suggests that the possibility of false flag operations should also be considered.

“We currently have no evidence that would indicate who is behind these cyberattacks and to attempt attribution by simple deduction based on the current political situation might bring us to the correct answer, or it might not,” Lipovsky wrote.