The hackers who struck the power centers in Ukraine—the first confirmed hack to take down a power grid—weren’t opportunists who just happened upon the networks and launched an attack to test their abilities; according to new details from an extensive investigation into the hack, they were skilled and stealthy strategists who carefully planned their assault over many months, first doing reconnaissance to study the networks and siphon operator credentials, then launching a synchronized assault in a well-choreographed dance.
“It was brilliant,” says Robert M. Lee, who assisted in the investigation. Lee is a former cyber warfare operations officer for the US Air Force and is co-founder of Dragos Security, a critical infrastructure security company. “In terms of sophistication, most people always [focus on the] malware [that’s used in an attack],” he says. “To me what makes sophistication is logistics and planning and operations and … what’s going on during the length of it. And this was highly sophisticated.”
Ukraine was quick to point the finger at Russia for the assault. Lee shies away from attributing it to any actor but says there are clear delineations between the various phases of the operation that suggest different levels of actors worked on different parts of the assault. This raises the possibility that the attack might have involved collaboration between completely different parties—possibly cybercriminals and nation-state actors.
“This had to be a well-funded, well-trained team. … [B]ut it didn’t have to be a nation-state,” he says. It could have started out with cybercriminals getting initial access to the network, then handing it off to nation-state attackers who did the rest.