Espionage · Contained

Ukraine power grid attack — Sandworm BlackEnergy (2015)

The Russia-linked Sandworm group used spear-phishing, BlackEnergy3, and KillDisk to remotely flip breakers at three Ukrainian regional electricity distribution companies, cutting power to approximately 230,000 customers for 1–6 hours. It is the first publicly acknowledged successful cyberattack on an electric power grid in history.

Victim: Ukrainian regional electricity distribution companies (Oblenergos)
Users affected: 230.0K

On 23 December 2015, the Sandworm group, attributed to Russia's GRU, carried out the first publicly acknowledged cyber operation to knock out part of a national electric power grid. The attack disabled three Ukrainian regional electricity distribution companies (oblenergos) and cut power to approximately 230,000 customers for between 1 and 6 hours, during one of the coldest weeks of the Ukrainian winter.

What happened

The intrusion began months before the lights went out. Sandworm operators sent spear-phishing emails carrying malicious Microsoft Office attachments laced with BlackEnergy3. From their initial IT-network foothold, they conducted reconnaissance, harvested credentials, and mapped the SCADA environment controlling the oblenergos' distribution substations.

On 23 December, they pivoted from IT to OT. With access to the operator HMIs, they began manually opening circuit breakers at substations across three regions — Ivano-Frankivsk, Chernivtsi, and Kyiv oblasts. Operators watched on their screens as breakers tripped under remote control. Roughly 225,000–230,000 customers lost power.

The attackers did not stop at darkness. They then deployed KillDisk to wipe industrial workstations, destroyed the serial-to-Ethernet converters that bridged the substations' legacy serial gear to the modern SCADA fabric, disabled UPS systems to maximise operational chaos, and ran a TDoS (telephony-DoS) flood against the oblenergo customer-service phone lines to prevent customers from reporting outages and slow the response.

Power was restored manually within 1–6 hours by sending operators physically to substations and switching breakers by hand. Full SCADA functionality took months to rebuild.

Impact

  • ~230,000 customers lost power for 1–6 hours.
  • Three regional oblenergos hit simultaneously.
  • KillDisk destroyed operator workstations and serial-to-Ethernet bridges.
  • TDoS attacks against customer service phone lines.
  • Manual restoration; SCADA recovery took months.

Why it matters

The 2015 Ukraine attack is the founding public case of a cyber-physical attack on critical infrastructure. Every subsequent grid-defence framework, including NIST SP 800-82, the IEC 62443 series, and NERC CIP revisions, references it. Sandworm followed it the next year (December 2016) with Industroyer at a Kyiv transmission substation; the lineage runs forward to NotPetya (2017), Industroyer2 (2022), and the broader Russian cyber operations against Ukraine during the full-scale invasion.

Timeline

  1. Sandworm gains initial access to the IT networks of three Ukrainian oblenergos via spear-phishing emails carrying malicious Microsoft Office attachments laced with BlackEnergy3.

  2. Attackers seize SCADA control at three regional electricity distribution companies and remotely open breakers at substations in Ivano-Frankivsk, Chernivtsi, and Kyiv oblasts. Approximately 225,000–230,000 customers lose power for 1–6 hours.

  3. The attackers deploy KillDisk to wipe industrial workstations, destroy serial-to-Ethernet converters at substations, disable UPSes, and flood operator phone lines with TDoS calls to delay incident response.

  4. CISA publishes the formal alert (IR-ALERT-H-16-056-01) confirming the attack on Ukraine's grid.

  5. SANS and the Electricity ISAC publish the detailed post-incident analysis; the operation is publicly attributed to Sandworm.

Sources

  1. https://en.wikipedia.org/wiki/2015_Ukraine_power_grid_hack
  2. https://www.cisa.gov/news-events/ics-alerts/ir-alert-h-16-056-01
  3. https://attack.mitre.org/campaigns/C0028/
  4. https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf
  5. https://cloud.google.com/blog/topics/threat-intelligence/ukraine-and-sandworm-team

Related incidents

Wiper · Contained

Viasat KA-SAT AcidRain wiper

One hour before Russia's invasion of Ukraine, Sandworm operators deployed the AcidRain wiper against Viasat KA-SAT satellite modems, bricking ~30,000 European terminals and 5,800 German wind turbines and disabling Ukrainian military command-and-control.

Victim: Viasat KA-SAT (subscribers across Ukraine and Europe)
Loss: $100.0M
Espionage · Resolved

German Bundestag intrusion (APT28)

Russian GRU Unit 26165 (APT28 / Fancy Bear) compromised the Bundestag's parliamentary network, exfiltrating ~16 GB of data including emails from Chancellor Merkel's parliamentary office. The intrusion forced a full rebuild of the Bundestag's IT estate.

Victim: Deutscher Bundestag (German federal parliament)
Loss: $22.0M