Ukraine power grid attack — Industroyer (2016)
Russia's Sandworm group deployed Industroyer (CrashOverride), the first malware purpose-built to attack electric grids, against a Kyiv transmission substation, cutting roughly a fifth of the capital's power for about an hour.
- Victim: Ukrenergo (Pivnichna transmission substation, Kyiv)
Just before midnight on 17 December 2016, a single transmission substation north of Kyiv went dark, cutting power to about one-fifth of the Ukrainian capital for roughly an hour. The outage was brief, but the malware behind it — Industroyer, also called CrashOverride — proved to be the first malicious software ever designed specifically to attack electric power grids.
What happened
The target was Ukrenergo's Pivnichna ("Northern") transmission substation. Unlike the 2015 attack, where Sandworm operators manually clicked through hijacked operator consoles, the 2016 incident was driven by purpose-built, automated malware. Industroyer was engineered to speak the industrial protocols of grid equipment directly — IEC 60870-5-101 and 104, IEC 61850, and OPC Data Access — letting it issue breaker-open commands without needing to understand each utility's bespoke software.
Industroyer was a modular framework: a main backdoor, a launcher, four protocol-specific payload modules, a data-wiper component to erase configuration and render systems unbootable, and a denial-of-service module exploiting CVE-2015-5374 in Siemens SIPROTEC protective relays to keep them offline during the attack. The design suggested it could be retargeted at other grids with modest reconfiguration.
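The protocol-native design described above is also what makes this class of attack observable on the wire: a breaker operation over IEC 60870-5-104 is an ordinary control-direction ASDU on TCP port 2404, and a substation network can be monitored for such commands arriving from anything other than the legitimate master station. The decoder and alert rule below are an added defensive example, not code from the page or from the ESET/Dragos analyses; the frames, IP addresses and master allow-list are constructed placeholders, and the type-ID and field layouts follow the public IEC 60870-5-101/104 standard.

```python
"""Minimal IEC 60870-5-104 APDU decoder plus a control-command alert rule.

Added defensive example: the frames and IP addresses below are constructed
for illustration, not captures or indicators from the 2016 incident.
"""

# Control-direction ASDU type identifiers (IEC 60870-5-101/104), i.e. the
# message types a master uses to operate equipment such as breakers.
CONTROL_TYPES = {
    45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1", 48: "C_SE_NA_1",
    49: "C_SE_NB_1", 50: "C_SE_NC_1", 51: "C_BO_NA_1",
    58: "C_SC_TA_1", 59: "C_DC_TA_1", 60: "C_RC_TA_1", 61: "C_SE_TA_1",
    62: "C_SE_TB_1", 63: "C_SE_TC_1", 64: "C_BO_TA_1",
}
# Information-element size in bytes for the type IDs this decoder understands
# (time-tagged commands 58/59 carry a 7-byte CP56Time2a after the command byte).
ELEMENT_SIZE = {1: 1, 3: 1, 45: 1, 46: 1, 47: 1, 48: 3, 49: 3, 50: 5,
                51: 4, 58: 8, 59: 8, 100: 1}


def parse_apdu(buf: bytes) -> dict:
    """Decode one APDU (APCI + optional ASDU). 'format' is 'I', 'S' or 'U'."""
    if len(buf) < 6 or buf[0] != 0x68:
        raise ValueError("missing 0x68 start byte")
    if buf[1] + 2 != len(buf):
        raise ValueError(f"length field {buf[1]} does not match {len(buf) - 2}")
    c1 = buf[2]
    if c1 & 0x01 == 0:
        fmt = "I"          # information transfer: carries an ASDU
    elif c1 & 0x03 == 0x01:
        fmt = "S"          # supervisory (acknowledgement only)
    else:
        fmt = "U"          # unnumbered control (STARTDT/STOPDT/TESTFR)
    if fmt != "I":
        return {"format": fmt}
    asdu = buf[6:]
    if len(asdu) < 6:
        raise ValueError("I-frame with truncated ASDU header")
    type_id, vsq = asdu[0], asdu[1]
    if vsq & 0x80:
        raise ValueError("SQ=1 (sequence of elements) not supported here")
    result = {
        "format": "I",
        "type_id": type_id,
        "cot": asdu[2] & 0x3F,                  # cause of transmission (6 = activation)
        "common_address": asdu[4] | asdu[5] << 8,
        "objects": [],
    }
    size = ELEMENT_SIZE.get(type_id)
    pos = 6
    for _ in range(vsq & 0x7F):
        if size is None or pos + 3 + size > len(asdu):
            break                               # unknown type or short frame
        ioa = asdu[pos] | asdu[pos + 1] << 8 | asdu[pos + 2] << 16
        elem = asdu[pos + 3:pos + 3 + size]
        obj = {"ioa": ioa, "element": elem}
        if type_id in (45, 58):                 # single command: SCO byte
            obj["state"] = "ON" if elem[0] & 0x01 else "OFF"
            obj["action"] = "select" if elem[0] & 0x80 else "execute"
        elif type_id in (46, 59):               # double command: DCO byte
            obj["state"] = {1: "OFF", 2: "ON"}.get(elem[0] & 0x03, "INVALID")
            obj["action"] = "select" if elem[0] & 0x80 else "execute"
        result["objects"].append(obj)
        pos += 3 + size
    return result


def alert_on_control(records, allowed_masters):
    """records: (src_ip, apdu_bytes) pairs as seen on TCP/2404. Returns alert strings."""
    alerts = []
    for src, payload in records:
        try:
            apdu = parse_apdu(payload)
        except ValueError as exc:
            alerts.append(f"{src}: malformed APDU ({exc})")
            continue
        if apdu["format"] != "I" or apdu["type_id"] not in CONTROL_TYPES:
            continue
        name = CONTROL_TYPES[apdu["type_id"]]
        for obj in apdu["objects"] or [{"ioa": "?"}]:
            desc = f"{name} CA={apdu['common_address']} IOA={obj['ioa']}"
            if "state" in obj:
                desc += f" {obj['action']} {obj['state']}"
            if src not in allowed_masters:
                alerts.append(f"{src}: control command from unlisted host: {desc}")
            elif obj.get("state") == "OFF":
                alerts.append(f"{src}: OFF command from master: {desc}")  # audit trail
    return alerts


# Constructed sample frames (hypothetical addresses and points).
SAMPLE_STARTDT = bytes.fromhex("680407000000")                     # U-frame STARTDT act
SAMPLE_MONITOR = bytes.fromhex("680e0200000001010300010020000001")  # M_SP_NA_1, IOA 32, ON
SAMPLE_CONTROL = bytes.fromhex("680e000000002d010600010010000000")  # C_SC_NA_1, IOA 16, OFF
ALLOWED_MASTERS = {"10.0.0.5"}                                      # hypothetical master station
RECORDS = [("10.0.0.5", SAMPLE_STARTDT), ("10.0.0.5", SAMPLE_MONITOR),
           ("10.0.0.77", SAMPLE_CONTROL), ("10.0.0.5", SAMPLE_CONTROL)]

if __name__ == "__main__":
    for line in alert_on_control(RECORDS, ALLOWED_MASTERS):
        print(line)
```

In practice the records would come from a network tap rather than an inline list, and the allow-list would be the known SCADA master addresses; the point of the second rule is that even legitimate-looking OFF commands deserve an audit entry, since in this incident the commands themselves were protocol-valid and only their source and timing were anomalous.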
Impact
- About 20% of Kyiv lost electricity for approximately one hour.
- The outage itself was short, but analysts assessed the operation may have been a test or proof-of-concept for a reusable grid-attack weapon.
- The wiper and SIPROTEC DoS components were designed to complicate and delay recovery, foreshadowing more damaging future attacks.
Attribution
Researchers at ESET and Dragos (which tracked the actor as ELECTRUM) linked the operation to Sandworm, Russia's GRU Unit 74455 — the same group behind the 2015 grid attack and later NotPetya. The reuse of infrastructure and techniques across the 2015 and 2016 operations reinforced the attribution to Russian military intelligence.
Why it matters
Where 2015 showed that humans could hijack a grid, 2016 showed that malware could do it autonomously and at scale. Industroyer's protocol-native design made it potentially portable to grids across Europe and North America, since the targeted IEC and OPC standards are used worldwide. It reset the threat model for operational-technology defenders and became the direct ancestor of Industroyer2, which Sandworm deployed against a Ukrainian energy provider in April 2022 during the full-scale invasion — an attack Ukrainian and ESET responders narrowly thwarted.
Timeline
- At around 23:53 local time, Industroyer opens breakers at Ukrenergo's Pivnichna transmission substation north of Kyiv.
- Roughly one-fifth of Kyiv loses electricity; the malware's timed logic and wiper module attempt to hinder recovery.
- Power is restored within about an hour as operators revert to manual control.
- ESET and Dragos publish analyses naming the malware Industroyer / CrashOverride, the first malware built specifically to disrupt power grids.
- Researchers reveal Industroyer's modular protocol payloads (IEC 60870-5-101/104, IEC 61850, OPC DA) and a SIPROTEC DoS module exploiting CVE-2015-5374.
Sources
- https://en.wikipedia.org/wiki/Industroyer
- https://attack.mitre.org/campaigns/C0025/
- https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/
- https://www.securityweek.com/industroyer-ics-malware-linked-ukraine-power-grid-attack/
- https://www.darkreading.com/threat-intelligence/first-malware-designed-solely-for-electric-grids-caused-2016-ukraine-outage