Incident Analysis

The Ukraine Power Grid Cyberattacks (2015 and 2016): A Defining OT Incident

On 23 December 2015, a coordinated cyberattack switched off electricity to around 230,000 people across western Ukraine, the first publicly confirmed cyberattack to cause a power outage. Attackers linked to the Sandworm group used the BlackEnergy malware family to gain access, then manually opened breakers at multiple distribution substations. Almost exactly a year later, in December 2016, a follow-up attack struck a transmission substation near Kyiv using purpose-built grid malware now known as Industroyer or CrashOverride.

~230,000 people lost power: the first confirmed grid cyberattack

What happened

The 2015 attack hit three Ukrainian electricity distribution companies almost simultaneously. Operators watched, unable to intervene, as their own control-system cursors moved across the screen and opened circuit breakers at around 30 substations. Roughly 230,000 customers lost power for between one and six hours. The 2016 incident targeted a transmission substation north of Kyiv and briefly cut power to part of the capital. While shorter in duration, the 2016 attack was more alarming technically because it used malware designed specifically to manipulate grid protocols automatically.

  • 2015: around 230,000 people lost power across western Ukraine.
  • 2015: breakers opened at roughly 30 distribution substations.
  • First publicly confirmed cyberattack to cause an electricity outage.
  • 2016: a Kyiv transmission substation struck using Industroyer / CrashOverride.

How the attack worked

The 2015 campaign began with spear-phishing emails carrying malicious Office documents that delivered the BlackEnergy malware into the corporate networks of the distribution companies. From there the attackers harvested credentials, moved into the operational environment, and learned how the SCADA systems and human-machine interfaces worked. On the day of the attack they used legitimate remote-access tools to take control of operator workstations and open breakers by hand. They also overwrote firmware on serial-to-ethernet converters to slow recovery and launched a telephone denial-of-service against call centres to mask the outage. The 2016 attack escalated the technique: Industroyer / CrashOverride understood industrial protocols such as IEC 60870-5-101, IEC 60870-5-104 and IEC 61850, allowing it to issue breaker commands automatically rather than relying on manual operator hijacking.

  • Initial access via spear-phishing delivering BlackEnergy into corporate IT.
  • Credential theft and patient reconnaissance of the OT environment.
  • Manual breaker operation through hijacked operator workstations (2015).
  • Firmware overwrites and a telephone denial-of-service to hamper recovery.
  • Industroyer / CrashOverride automated protocol-aware breaker control (2016).

The impact

These attacks proved that a determined nation-state actor could reach into a power grid and switch off the lights. Ukrainian operators restored supply within hours, partly by reverting to manual operation, but the strategic significance was enormous. The 2016 malware, Industroyer / CrashOverride, was the first known malware purpose-built to attack electricity grid equipment, and its design suggested it could be adapted to other grids and other countries. For every grid operator, the events shattered the assumption that operational technology was safe simply because it was specialised or air-gapped.

Lessons for operators

The Ukraine attacks were slow-burn intrusions that started in ordinary corporate email and ended at the breaker. The defensive lessons map directly onto the NCSC Cyber Assessment Framework and IEC 62443 expectations for UK grid operators.

  • Harden against phishing, the initial foothold for both campaigns, with filtering and user training.
  • Segment IT and OT so corporate compromise cannot reach SCADA and HMIs.
  • Monitor OT networks for unusual control commands and unexpected remote sessions.
  • Maintain manual fallback procedures so operators can restore supply without the affected systems.
  • Validate firmware integrity on field devices such as serial-to-ethernet converters and RTUs.
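The two passages above describe the OT-side behaviour worth detecting: in 2015 an unexpected remote session drove the HMI, and in 2016 Industroyer / CrashOverride issued IEC 60870-5-104 breaker commands itself. The following is an added example, not code from the page or from any vendor named on it: a small parser for IEC 104 I-format frames plus two detection rules run over constructed traffic. The master address `10.10.1.5`, the attacker address `10.10.1.77`, the thresholds, the common address and the information object addresses (IOAs) are all assumptions chosen for illustration; the frame layout follows the public IEC 60870-5-104 APCI/ASDU structure.

```python
"""Added example: flag IEC 60870-5-104 control commands from an unexpected
master and rapid breaker sweeps. Addresses, thresholds and frames are
constructed for illustration."""
from collections import defaultdict

# Control-direction ASDU type identifiers (single/double commands, set points, ...).
CONTROL_TYPES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1",
                 48: "C_SE_NA_1", 49: "C_SE_NB_1", 50: "C_SE_NC_1",
                 51: "C_BO_NA_1", 58: "C_SC_TA_1", 59: "C_DC_TA_1"}
COT_NAMES = {6: "activation", 7: "activation-confirmation",
             8: "deactivation", 10: "activation-termination"}

ALLOWED_MASTERS = {"10.10.1.5"}   # assumed address of the legitimate SCADA master
SWEEP_THRESHOLD = 5               # distinct IOAs executed by one source ...
SWEEP_WINDOW = 10.0               # ... within this many seconds


def parse_apdu(data: bytes):
    """Return a dict for an I-format APDU, None for S/U-format, raise on malformed."""
    if len(data) < 6 or data[0] != 0x68 or data[1] != len(data) - 2:
        raise ValueError("malformed APDU")
    if data[2] & 0x01:            # S-format (..01) and U-format (..11) carry no ASDU
        return None
    a = data[6:]
    if len(a) < 9:                # 6-byte ASDU header + 3-byte information object address
        raise ValueError("I-format APDU too short")
    frame = {
        "type_id": a[0],
        "type": CONTROL_TYPES.get(a[0], f"type-{a[0]}"),
        "cot": a[2] & 0x3F,                      # cause of transmission, low 6 bits
        "negative": bool(a[2] & 0x40),           # P/N bit set = negative confirmation
        "originator": a[3],
        "common_addr": a[4] | (a[5] << 8),
        "ioa": a[6] | (a[7] << 8) | (a[8] << 16),
    }
    if a[0] in (45, 46) and len(a) >= 10:        # SCO / DCO qualifier octet
        q = a[9]
        frame["select"] = bool(q & 0x80)         # S/E bit: 1 = select, 0 = execute
        frame["state"] = q & 0x01 if a[0] == 45 else q & 0x03
    return frame


def build_single_command(send_seq, recv_seq, common_addr, ioa, on, select=False, cot=6):
    """Build a C_SC_NA_1 (single command) I-format APDU. Constructed test data."""
    sco = (1 if on else 0) | (0x80 if select else 0)
    asdu = bytes([45, 0x01, cot, 0,              # type, one object (SQ=0), COT, originator
                  common_addr & 0xFF, common_addr >> 8,
                  ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF, sco])
    ctrl = bytes([(send_seq << 1) & 0xFF, (send_seq >> 7) & 0xFF,
                  (recv_seq << 1) & 0xFF, (recv_seq >> 7) & 0xFF])
    return bytes([0x68, 4 + len(asdu)]) + ctrl + asdu


def detect(events):
    """Run both rules over (timestamp, src_ip, apdu) tuples; return alert strings."""
    alerts, recent = [], defaultdict(list)      # recent: src -> [(ts, ioa)] of executes
    for ts, src, raw in events:
        f = parse_apdu(raw)
        if f is None or f["type_id"] not in CONTROL_TYPES:
            continue                            # keepalives and monitoring-direction data
        desc = f"{f['type']} ioa=0x{f['ioa']:x} cot={COT_NAMES.get(f['cot'], f['cot'])}"
        if src not in ALLOWED_MASTERS:
            alerts.append(f"t={ts:.1f} {src}: control command from non-allowlisted master ({desc})")
        if f["cot"] == 6 and not f.get("select", False):   # activation, execute phase
            window = [(t, i) for t, i in recent[src] if ts - t <= SWEEP_WINDOW]
            window.append((ts, f["ioa"]))
            touched = {i for _, i in window}
            if len(touched) >= SWEEP_THRESHOLD:
                alerts.append(f"t={ts:.1f} {src}: {len(touched)} distinct IOAs commanded "
                              f"within {SWEEP_WINDOW:.0f}s (breaker sweep)")
                window = []
            recent[src] = window
    return alerts


def sample_events():
    """Constructed traffic: a legitimate select/execute pair, a TESTFR keepalive,
    then an Industroyer-style sweep of seven breakers from an unexpected host."""
    testfr_act = bytes([0x68, 0x04, 0x43, 0x00, 0x00, 0x00])   # U-format, no ASDU
    events = [
        (0.0, "10.10.1.5", build_single_command(0, 0, 1, 0x1001, on=False, select=True)),
        (0.5, "10.10.1.5", build_single_command(1, 1, 1, 0x1001, on=False)),
        (30.0, "10.10.1.5", testfr_act),
    ]
    for n in range(7):   # one breaker per second, execute without select
        events.append((100.0 + n, "10.10.1.77",
                       build_single_command(n, 0, 1, 0x1001 + n, on=False)))
    return events


if __name__ == "__main__":
    for line in detect(sample_events()):
        print(line)
```

Both rules are deliberately simple. The allowlist catches the 2015 pattern (commands arriving from a host that is not the master) and the sweep rule catches the 2016 pattern (one source executing commands against many IOAs in quick succession), which a human operator would never do during normal switching. In production the same parser would sit on a SPAN port or network tap at the IT/OT boundary and feed the alerts into whatever SIEM or MDR service the operator already runs; select-without-execute, negative confirmations and commands issued outside maintenance windows are natural additional rules.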

How to defend against this

Both Ukraine attacks succeeded because the intruders sat undetected in the network for months while they learned the environment. The decisive defence is detecting that activity early, across both IT and OT, before it reaches the breaker. Kyanite Blue helps UK grid and substation operators deploy layered monitoring and managed detection so that phishing footholds, stolen credentials and abnormal control sessions are caught while they are still reconnaissance rather than impact. Sophos managed detection and response gives operators 24/7 threat hunting and rapid containment across endpoints and the network, the kind of always-on visibility that turns a slow intrusion into an early alert. Combined with strong segmentation and tested manual fallback, that significantly reduces the chance of a Ukraine-style outage.

  • Sophos MDR provides 24/7 threat hunting and rapid containment across IT and the OT boundary.
  • Kyanite Blue designs IT/OT segmentation and remote-access controls for substations.
  • Early detection of phishing and credential abuse stops intrusions before the breaker stage.

Frequently Asked Questions

How many people lost power in the 2015 Ukraine attack?

Around 230,000 customers across western Ukraine lost electricity for between one and six hours after attackers opened breakers at roughly 30 distribution substations.

What is Industroyer / CrashOverride?

It is the malware used in the December 2016 Kyiv attack, and the first known malware purpose-built to attack electricity grid equipment. It understands industrial protocols and can issue breaker commands automatically.

How did the attackers first get in?

The 2015 campaign began with spear-phishing emails carrying malicious documents that delivered the BlackEnergy malware into the distribution companies' corporate IT networks, before the attackers moved into the operational environment.

Why was the 2015 attack significant?

It was the first publicly confirmed cyberattack to cause an electricity outage, proving that attackers could manipulate grid control systems to switch off power to a large population.
