Updated A Ukrainian telecoms engineer has raised doubts about the widely reported link between BlackEnergy attacks and power outages in his country.
Illia Ilin said that reports suggesting Russian state sponsored hackers used the BlackEnergy malware to infect the control systems of energy distribution utilities and cause blackouts last month are at odds with what he’s seeing on the ground. He suggested Ukrainian government officials might be whipping up stories about outages for propaganda reasons amidst the backdrop of ongoing conflict with the Russians, particularly in eastern Ukraine.
“First of all, there [weren't] any blackouts in Boryspil (KBP),” Illia, who works as a network engineer at a provincial telecommunications firm in Ukraine, told El Reg. “I have not found any news about it on [the] official KBP site or [the] CERT-UA (Computer Emergency Response Team of Ukraine) site.
“Our Ukrainian mass media informed [us] that only one workstation had been infected. Of course, in common Ukrainian news practice, mass media point [at] Russian aggression (when any strange situation happens - blame the Russians); they even informed [us that it had come from a] 'Russian server', but on CERT-UA news about this situation there are no Russian IP addresses.”
Illia asked: “If they have proof – why don't they make them public?”
The role of BlackEnergy in the reported power outages in Ukraine has garnered worldwide attention because, if confirmed, it would be the first incident of hackers taking down a power grid. It’s worth remembering that squirrels routinely cause power outages, but the Ukraine case is nonetheless interesting because it underlines concerns about the robustness of the industrial control systems responsible for delivering electricity into homes across the world.
El Reg put Illia’s comments to ESET, the security software firm that has been leading the investigation into the reported Ukrainian power outages.
ESET’s Robert Lipovsky directed our query to a recent blog post he wrote about the attacks, particularly the last couple of paragraphs, which discuss attribution.
The incident in Ukraine is “probably the first case where a mass-scale electrical power outage has been caused by a malware cyberattack”. Although Russian groups have been previously known to use the BlackEnergy malware linked to the attacks, Lipovsky urges against rash attribution, especially based on the largely circumstantial evidence we have so far.
“Mainstream media have popularly attributed the attacks to Russia, based on claims of several security companies that the organisation using BlackEnergy, a.k.a. Sandworm, a.k.a. Quedagh, is Russian state-sponsored,” he writes.
There’s still debate among security experts over whether the malware actually caused the power outage in Ukraine or whether it served as a malicious backdoor component of a wider hack involving social engineering and other tactics, as Lipovsky notes.
Attribution for the attack at this point is in any case speculative, according to Lipovsky.
“We currently have no evidence that would indicate who is behind these cyberattacks and to attempt attribution by simple deduction based on the current political situation might bring us to the correct answer, or it might not,” Lipovsky writes. “In any case, it is speculation at best. The current discovery suggests that the possibility of false flag operations should also be considered,” he added.