Life during wartime: Ukraine ‘has to be ready for new more powerful and complex’ cyberattacks

Blackouts in Kyiv can be sudden. Some are scheduled as part of the government’s attempts to manage energy usage, although even the scheduled cuts can begin early and end late. And then there are the emergency blackouts, which can last several days and usually follow Russian attacks on Ukraine’s power grid. These unexpected blackouts have left people stuck in elevators, which is why people in Kyiv now leave boxes of food and water and books inside them in case any of their neighbors end up stranded for several hours.

The daily mean temperature in Kyiv is below freezing throughout December, January and February, and the daylight is gone by the end of the working day. Every evening when Denys, a 27-year-old Ukrainian tech specialist, walks home from work, he turns on his phone’s flashlight to navigate a dark street in the center of the capital. Normally the neighborhood of glass high-rises and offices is brightly lit but now, in the dark, it is like a foreign country.

A similar darkness fell here seven years ago on December 23, 2015. A number of sophisticated and coordinated cyberattacks disrupted energy supplies in several provinces in western Ukraine for a few hours, impacting at least 200,000 people. It was the first publicly acknowledged incident in the world that had such an effect on a power grid. Six members of a cyber unit of the Russian military intelligence service were later charged by the United States with conducting these attacks, along with several others principally targeting Ukraine.

Seven years on, millions of Ukrainians experience power outages on a daily basis, sometimes several times a day for between 3 and 10 hours. Even when the power comes back, homes can lack heating and running water. However, most of the damage that has been done to Ukraine’s utilities since February 24 — when Russia launched its full-scale invasion — has not been caused by cyberattacks but by cruise missiles and explosive drones.

Despite their apparent lack of impact, the attempted cyberattacks have continued. Viktor Zhora, the head of the State Service for Special Communications and Information Protection (SSSCIP), told The Record that the country’s Computer Emergency Response Team had, as of December 13, processed 84 incidents related to the energy sector since the full-scale invasion began. “CERT-UA does not deal with all the threats faced by the companies in the power sector,” Zhora explained. “It considers only the most critical ones that have to be brought to the team’s attention by the operators of the critical information infrastructure facilities.” The number of critical incidents has not previously been reported.

Dmytro Osyka, the chief information officer at DTEK, Ukraine’s largest private sector energy business, told The Record that attacks on his company’s systems had increased by 20-25% since February, and that they were seeing a correlation between the onset of winter and an increase in attempts to compromise its networks.

“The most common attacks were DDoS [Distributed Denial of Service], phishing, and attempted malicious code execution,” he said, also noting that his staff had addressed cross-site scripting and password spraying incidents, where a common password is used to try to access multiple accounts.

“We were attacked by professionals,” said Osyka. “We believe that cyber forces are behind these attacks. They even made attempts to exploit zero-day vulnerabilities.”

But none of those operations were successful, according to DTEK’s CIO. “Ukraine has done a lot in the field of cybersecurity in order not to repeat the scenario of 2015-2016, when Russia attacked Ukraine's power grid. Strengthening cyber defense is the main reason why Russian hackers failed to shut down Ukrainian energy infrastructure. If we were not prepared for these attacks, they would have been more successful,” he added.

Billions of dollars in support have been provided to bolster Ukraine’s cyber defenses, courtesy of international partners and the private sector. Western security and intelligence experts have also credited Ukraine’s own response to years of digital hostilities sponsored by the Russian state, which have helped make the country “match fit” to defend itself. 

As stated by Lindy Cameron, the chief executive of the United Kingdom's National Cyber Security Centre: “If the Ukrainian cyber defense teaches us a wider lesson – for military theory and beyond – it is that in cybersecurity, the defender has significant agency.”

Perhaps no sector has been more on the defensive than energy, which Zhora says has been “one of the principal targets of Russian hackers from the very beginning of the full-scale invasion.” According to Ukrenergo, the state-owned company which operates Ukraine’s electricity transmission system, the attacks were at their most intense back in March, during the first weeks of the full-scale invasion, “when Ukraine was getting connected to the EU power system,” as Zhora explained.

"Without gas or without you? Without you. Without light or without you? Without you. Without water or without you? Without you. Without food or without you? Without you. Cold, hunger, darkness and thirst are not as scary and deadly for us as your ‘friendship and brotherhood'."

— Ukrainian president Volodymyr Zelensky via Telegram

Ukrenergo told The Record that it regularly exchanged information with national and foreign cybersecurity specialists, and that its cyber defense systems “played a significant role” when Ukraine’s energy system was being synchronized with the European energy grid. Although the company declined on security grounds to answer whether there was a correlation between the cyber and kinetic attacks on its infrastructure, Zhora told The Record that cyberattacks often accompany military operations. “Russian hackers have not only been sharpening their skills, but also performing major intelligence work all these years,” he said.

"When it comes to cybersecurity, both the government and businesses in the energy market are doing their best so that attacks by Russian hackers on the energy system will fail or have minimum effects. It is permanent work that never stops," Zhora said. "The point is that the hackers’ abilities and tools keep developing. We have to be always ready for new more powerful and complex attacks."


Thwarting Industroyer

In 2016, a year to the month after the first ever successful attack on a power grid, another attack shut off power in Kyiv for an hour. Researchers at ESET named the malware responsible ‘Industroyer’ and, according to the U.S. Department of Justice, the same military hackers responsible for the previous attack were behind this one too.

Shortly after the invasion last February, CERT-UA’s incident response team was scrambled to an energy provider that had been attacked with a new variation of the malware, this one named Industroyer2. The malicious code was designed to detonate and damage high-voltage electrical substations. But unlike the first version of the malware, which its designers had likely spent months working on so it could be effective against any of four industrial protocols potentially used on their targets’ systems, Industroyer2 supported just one, something which Zhora said “shows the offenders’ better awareness of the structure of the target system.”

“The purpose of the cyberspace attacks, obviously, has not been achieved,” said Zhora. “That is probably the reason why the enemy is now placing its stake on destruction of the power system with missile strikes and drone attacks although cyberattacks are still continued,” he added.

A significant amount of the damage Russian forces are doing to Ukraine’s energy infrastructure is being inflicted using Iranian-made Shahed drones. Whereas they have had years of experience with cyberattacks, Ukraine’s defense forces have had to rapidly learn how to defend against the drones. They say they’re catching on quickly — even claiming to have succeeded in a total shut-out over the nights of New Year’s Eve and New Year’s Day — but that success is rare and expensive. The drones are cheaper to produce and launch than the defensive measures needed to bring them down, and in a war of attrition the cost of that asymmetry, and the civilian deaths it brings, will mount.

An infrastructure assault

On December 23, DTEK — which consists of six companies including heat, wind, and solar power plant operators, alongside oil and gas enterprises and electricity suppliers — said that a Russian attack on a power plant in an undisclosed location had killed one employee and injured another. Equipment at the plant was damaged and it stopped generating electricity.

“Before the war, DTEK controlled eight thermal power plants. After the invasion, two of them were captured by the Russians, and the remaining six were under fire and were damaged,” said chief information officer Osyka.

“In general, about 50% of the country's entire energy infrastructure has been damaged since the beginning of the war, including thermal power plants, main power transmission lines and substations. Most energy facilities were attacked several times,” said a Ukrenergo spokesperson.

“We cannot give more precise figures, because knowing the number of the company's facilities on which the country's energy supply depends, Russia can determine the capacity of Ukraine's energy system, as well as to what extent it has achieved its goal of its complete destruction,” the spokesperson added.

These kinetic attacks do not appear to be contributing to any ground offensive by Russian forces. They target civilian infrastructure hundreds of miles away from the territories contested by the Russian Federation’s conscripted troops and the Wagner mercenaries. Andriy Yermak, the head of the Ukrainian presidential office, said at the beginning of December that the destruction of Ukraine’s energy infrastructure was an attempt to freeze the country into submission or death.


Local authorities have responded by opening so-called ‘Points of Invincibility’ across every part of the country that isn’t under occupation, allowing people to charge their phones, warm up, and receive free food and water. The Ukrainian government has not yet published any data relating to the number of civilians who have died as a result of the cold – and the coldest months, January and February, are yet to come.

People’s experiences of the challenges differ. "There were times when I didn't have electricity for almost three days,” said Denys, in Kyiv, who admitted to The Record that his life was strangely normal during the blackouts. Back when local authorities warned Ukrainians to prepare for a grim cold winter, Denys bought several power banks, battery-powered lamps, and candles. He said his main treasure was a portable EcoFlow charging station with a capacity of 1600 watts, which can power almost all of his household devices — even his PlayStation 5.

The 7-kilogram charging station, which looks like a small gray box, costs more than $1,100. In a country where the average salary is less than $400 a month, most people can’t afford such equipment. They are left hoping for a quick return of electricity, the supply of which dwindles with every Russian strike. The price of power banks, candles and generators has soared since February and sometimes they cannot be ordered for weeks.

“I'm lucky — I have water and heat, and my company recently bought power generators and Starlink satellite internet so people can work in the office when there's no electricity or internet at home,” Denys said. “Some people have it worse,” he acknowledged.

Like Nadiya, for example, a 34-year-old German language tutor who usually has her lessons in cafes or in the subway, since electricity is available only a few hours a day on her street on the other side of the capital.

Most of the cafes, bars, gyms and shopping centers in Kyiv have generators in order to keep running despite the power outages, but municipal services including traffic lights simply turn off during the blackouts, forcing people to cross the road carefully, particularly in the city center during rush hour. 

“When there is no electricity, the mobile internet also does not work and sometimes it is even difficult to call an Uber to go to the city center,” Nadiya told The Record. She said she also has no water or heating due to the outages, so she usually showers in the gym. “Believe it or not but you can get used to it,” Nadiya said. “All you need is to quickly do household chores and charge all your devices as soon as the electricity is restored.”

Viktor Zhora insisted that issues with power supply will “not crash the Ukrainian spirit.”

“The Russian government uses energy resources for blackmail, the Russian military create the hazardous situation at our nuclear power plant by establishing military bases there, disrupting work of the staff and shelling them,” he said.

“You see the resistance the Ukrainians demonstrate against Russia’s aggression, you see our military defending the country without fear and our citizens fighting the armed Russian occupants with bare hands. We are ready to sacrifice a lot for one purpose: to banish the enemy from our land and to do our best so that it will never happen again. It is our duty to the future generations.”

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.