Despite years of preparation, Ukraine’s electric grid still an easy target for Russian hackers

The U.S. and its allies poured tens of millions of dollars during the past seven years into helping Ukraine shore up its electric grid against a Russian cyberattack, while Ukrainian authorities launched a massive program to harden their cyber defenses.

Nobody thinks it will be enough.

Instead, the Ukrainian power supply remains vulnerable to a major hacking assault that could inflict extended blackouts in much of the country as part of an armed invasion by Moscow, cybersecurity experts say.

Ukraine experienced smaller-scale cyberattacks linked to Russia in 2015 and 2016, including one that turned off the lights for almost a quarter-million Ukrainians — an assault that also raised alarm bells in countries like the U.S. about the security of their own electric grids.

“If Russia wants to take down the Ukrainian electric system, I have full confidence that they can, and the Ukrainian playbook in many ways is in a place where prevention’s not going to happen,” Robert M. Lee, CEO and co-founder of cybersecurity group Dragos, said in an interview. He argued corruption and economic barriers in Ukraine have gotten in the way of hardening the electric grid. The Ukrainian Embassy in Washington, D.C., did not respond to a request for comment.

President Joe Biden said Friday that the U.S. has every indication that Russian leader Vladimir Putin has decided to invade “in the coming days.” His warning came after a senior U.S. official estimated that Russia had lined up 169,000 to 190,000 fighters for the invasion, in “the most significant military mobilization in Europe since the Second World War.”

Alongside a physical invasion, Putin could marshal the full array of cyber and disinformation tools that Russia has inflicted on targets around the world, including the U.S., during the past decade. And the electric grid is a ripe target.

Ukraine has repeatedly served as a laboratory for these kinds of attacks since Russia’s invasion and seizure of its Crimea region in 2014.

The first example came almost seven years ago, when three Ukrainian power stations went dark for six hours in the middle of winter, blacking out Kyiv and a large swathe of Western Ukraine. The hackers — identified by U.S. officials as Russian — tunneled inside the plants’ controls and opened breakers to prevent power flow. On top of that, they locked out power station employees from their accounts so they couldn’t respond to the attack, and overwhelmed the power stations’ call centers with a barrage of malicious online traffic — making it difficult for customers to report outages.

One year later, in 2016, Russian hackers went one step further and tried to disable the transmission equipment by overloading controls with internet activity, which would have made it unsafe for workers to manually restore power, according to a report from Dragos. The attack left portions of Kyiv in the dark for more than an hour — and even though the attackers failed to fully incapacitate the equipment, the incident highlighted Russia’s ability to exploit Ukraine’s power system to devastating effect.

“If they had destroyed that physical equipment, whether you could have responded or not, it would have been a month of outages,” Lee said.

In the years since, the U.S. and the European Union and NATO member states have provided cybersecurity assistance to help Ukraine gird against future attacks. The U.S. Agency for International Development announced in 2020 that it was investing $38 million in Ukrainian cybersecurity resilience over four years.

But some experts are critical of whether the funds have had much impact. Lee said that not enough of the money has gone towards industrial control systems.

“It didn’t help,” Lee said of the USAID effort, noting that Dragos had been approached to participate in the program. “There was a lot of money put towards this, ‘let’s go do something,’ but when the alignment is not there, the understanding of the problem is not there, then there is an inability to use it. I think the West loves to throw money at stuff.”

Vlad Styran, CEO of the Kyiv-based Berezha Security Group, said the Ukrainian government used the USAID funds to purchase expensive software and hardware for the private sector and to strengthen the capabilities of cyber defense systems. But he said that in his view, the funds were not used efficiently, and described the international efforts as mostly “PR and communications management.”

USAID declined to comment on the program. A White House spokesperson also did not provide details.

The EU in December approved €31 million for Ukraine over the next three years to help with issues including cybersecurity, but that could come too late. EU officials are also considering providing more cybersecurity assistance to Ukraine following cyberattacks in January that defaced and disabled a number of Ukrainian government websites.

The European Commission did not respond to a request for comment.

Ukraine has worked to accelerate preparations as the threat of an invasion has grown.

Ukrainian President Volodymyr Zelenskyy earlier this month approved a measure to develop a plan to respond to large-scale cyberattacks and improve the sharing of threat information among critical sectors. That’s after Zelenskyy opened a new cybersecurity center last year for Ukraine’s Computer Emergency Response Team, which works with almost 600 response teams from almost 100 countries.

The Ukrainian government has also made an effort to work with the private companies that it will need to help coordinate response to an attack on the grid, as not all energy companies are state-owned.

“There is a noticeable difference between when I was first there in 2015 and the activities now,” said Tim Conway, the industrial control systems lead for the SANS Institute, a cybersecurity training group. Conway was part of the team that responded to the 2015 attack in Ukraine. “There is a much better level of information-sharing and communication from the government to the private sector for sure.”

Even so, Russia’s advanced cyber capabilities as compared with Ukraine’s add to the weaknesses. In the 2015 attack, Russian hackers waited inside power stations’ networks for months ahead of the strike.

At the moment, Lee said Dragos is “tracking multiple groups that are embedded in and targeting electric systems in Ukraine.” He declined to attribute the cyber activity to any country.

Another danger: Ukraine may not have enough trained cybersecurity workers to restore the electric system in the case of an attack, or other priorities could steer those employees elsewhere.

“If there are widespread cyberattacks on a range of targets, it’s going to be very difficult to find competent people that can go and recover all of this,” said Dmitri Alperovitch, co-founder and chair of Silverado Policy Accelerator, a nonprofit think tank, and co-founder and former chief technology officer of the cybersecurity firm CrowdStrike. “Many people may sign up for self-defense as volunteers for the military to defend the country, so you may not even have enough people around who are not fighting to even do the cybersecurity response.”

To be sure, much richer countries like the U.S. are also extremely vulnerable to cyberattacks on critical infrastructure. Conway argued Ukraine’s experience responding to previous attacks could help the country in the end.

“Ukraine is one of those countries that has firsthand experience and has had to endure a trial by fire,” he said. “They are probably much better positioned than a number of countries throughout Europe because they’ve had to live through it and had to operate that way.”