Cyberwar (2016) s01e13 Episode Script

Lights Out in Ukraine

BEN: A country torn apart.
A cyber attack knocks out the power.
So while the operators are trying to recover, they're also dealing with the fact that all their systems are going down.
Ukraine blames the Russian government.
And the conflict moves online.
It's popping off.
(Gunshots) When I reported from the frontlines in Eastern Ukraine for VICE, I saw firsthand the raging war between Russian-backed separatists and Ukrainian military.
Since 2013, Ukraine has been in a state of turmoil.
That's when protests broke out against the pro-Russian government, which led Ukraine's president to skip the country.
Then Russia invaded and annexed the Ukrainian territory of Crimea while Russian-backed separatists started waging war in Eastern Ukraine.
But on December 23rd, 2015, a new front in the conflict may have opened up online.
That day, hackers attacked three power companies, known as "oblenergos" in Western Ukraine.
It's the first known cyber attack that caused outages in a nation's power grid, and it left at least a quarter of a million people in the dark.
The city of Ivano-Frankivsk was one of the ones hit.
The operators of the control centre agreed to walk me through what happened that day.
(Doorbell ringing) So this is the dispatcher control room? Right.
Thank you.
(Chattering) Bogdan Soychuk is a deputy director of the control room, which remotely controls dozens of substations around the region.
When did you realize that you were under a cyber attack, that it was not just some equipment-level mishap, that it was in fact some sort of attacker penetrating your network?
Volodymyr Fedyk is the deputy director of IT at the power company.
As Volodymyr and his team tried to figure out what was happening, substations controlled by the utilities started shutting down one by one.
It happened in the middle of the day, and as the power went out, residents had no way of knowing this wasn't a regular outage and they were actually in the middle of a very sophisticated cyber attack.
With the grid unplugged to prevent more outages, workers at the power company realized the only way to restore power was to physically drive out to the individual substations and switch the power on manually.
Yuriy Torin was on duty that day.
So we're going to one of the substations that was actually attacked and taken out.
Yeah.
And did you have to physically go turn it back on? Yes.
So there's 35,000 volts over there? Yeah.
And if I get how close, 60 centimetres? 60 centimetres.
- Bye-bye? - Yeah, bye-bye.
(Laughing) So this is what you had to do in December? Yeah, we should open this.
I'm gonna stay close to you.
So that's the... They switch off this equipment, and they switch off that equipment.
So these substations and two transformers were without electricity.
Wow.
And this area was without - Electricity? - Yeah.
Open this box and press this button.
- To turn it back on? - Yeah.
It's more than 25,000 people.
Wow.
And that's just from this one substation.
Dozens of substations across the region went dark.
The outages lasted less than a day, but it took months for the power companies to get back to normal.
I also learned that at least one facility was attacked, but managed to keep the lights on, and there are likely even more targets who haven't come forward to avoid embarrassment.
It's clear this was a massive coordinated effort, so who did it and why?
BEN: In 2015, two days before Christmas, at least three power companies in Western Ukraine were hit by a cyber attack, which knocked the power out for more than a quarter of a million people.
The hack came in the midst of an active military conflict between the government of Ukraine and Russian-backed separatists in the east.
(Gunshots) Within 5 days of the cyber attack, the SBU - Ukraine's equivalent of the FBI - blamed Russia.
After some lengthy negotiations, I met with a member of the SBU in the back of a van in Kiev, on the condition we not reveal his name or show his face.
He told me that officials had advanced knowledge of the attacks, but were unable to prevent them.
But the SBU hasn't offered up any proof to back up its claims.
Why isn't there any direct proof that it was Russia? Why don't you have that? Right, so this is a war.
This is a full-on war with Russia.
Both online, offline Ukraine was quick to blame Russia for the attacks, but the reality might be more nuanced.
After the hack, the US government sent a team to Ukraine to investigate, and several cybersecurity firms analyzed the publicly available evidence.
There's so many things that Russia gets blamed for as a big bad boogeyman that you go, "Well, maybe not all of it's true," but some of it still is! (Laughing)
Robert M. Lee served in the Air Force as a cyberwarfare operations officer.
He also worked for an unnamed US intelligence agency, which he won't confirm or deny was the NSA.
Rob now runs his own company focused on securing critical infrastructure.
Working with electricity industry watchdogs, he co-wrote the definitive report on the Ukraine attacks.
Now, why don't you take me through the actual you know, in layman's terms, how'd this attack go down? 'Cause it's multifaceted.
There's a few different stages, right? Yep.
So it all started about 6 months previous to December, about 6 months previous.
There was phishing emails sent out.
So operators at the power grid were getting emails about a variety of different events going on in Ukraine.
When they opened up the email, a piece of malware called BlackEnergy 3 was dropped to the system.
That enabled the attackers to steal off credentials, usernames, passwords, things like that from the network, and then were able to come back in.
Over that 6 month period, they spent that time researching and understanding the environment.
So it wasn't this story that we hear sometimes thrown around about light speed, net speed cyber attacks.
No, it was human adversaries doing research to the environment.
So the attack starts.
When they did that, they also had a piece of malware called KillDisk positioned on the systems, so that when the systems reboot it would kick off, deleting all the files and deleting all the systems.
BEN: Wow.
So while the operators are trying to recover, they're also dealing with the fact that all their systems are going down.
And then in the midst of all that, they basically blew the bridges to those substations.
Now, let's talk about the actual people that did this attack in Ukraine.
The Ukrainian government said it was Russia.
So who was it? When you took a look at it and you actually went into it, who did it?
If we're talking about should the US government come out and say it was Russia, I don't think they have enough proof.
One American cybersecurity firm, FireEye, blamed the Ukraine attack on a group they call Sandworm Team, which they say has ties to Russia.
Rob agrees.
I think the Sandworm team is more than likely a private for-hire team that goes around and kicks down the doors for places, and then it's possible that a military team or someone else comes in after.
But I do not think that the Sandworm team is the Russian government.
Sandworm Team may not be the Russian government, but the fact that Russia's been implicated in the attack could have international repercussions.
And it seems highly unlikely that people inside the country would do something so high profile and so obviously in Russia's interest without at least informing the government.
I can't imagine a scenario - and this doesn't mean it can't exist, but I don't feel that there's a scenario where a team operating out of Russia thought that it was a good idea to take down a portion of the power grid, and at least didn't notify somebody that they were gonna do it.
There's... That's a very risky situation to begin.
BEN: The hack of Ukrainian power companies is the first time we know of that a cyber attack caused outages in a nation's power grid.
If the attack was actually pulled off by Russia, this wouldn't be the first time access to electricity has been used as a weapon in this conflict.
More than a year before the incident, Russia annexed Crimea from Ukraine.
Then some Crimeans got very pissed off and struck back.
They formed a blockade and cut off access from Crimea to Ukraine.
And in November 2015, they blew up pylons providing Crimea with electricity, leaving 2 million Crimeans in the dark.
That happened just a month before the cyber attacks on Ukraine's power grid.
Lenur Islyamov is a businessman and a former deputy prime minister of Crimea.
He's a Tatar, a Muslim ethnic minority in Ukraine.
He was the leader of the blockade, and the Russian government has charged him with terrorism in absentia.
Many believe the cyber attack on Western Ukraine's power grid was Russia's retaliation for the Crimea blackout, which happened just a month earlier.
The Russian government has actually named you personally for sabotaging the Crimean power grid.
How do you respond to that allegation?
Do you think the FSB's following you?
So do you personally think that the attack on the oblenergos in December in Ukraine was retaliation for the attack on the power grid in Crimea? Absolutely.
Do you think you'll ever go back to Crimea? Absolutely.
So you're going back to Crimea dead or alive, is what you're saying? I think so, okay?
The Russians might've been the first to take the conflict in Ukraine online, but the battles being fought there are continuing from both sides.
Roman Burko and Vitalik Sororin, not their real names, are part of a group called InformNapalm.
Many of their members live in Crimea, or in separatist-controlled regions in Eastern Ukraine.
Officially the Russian military is not deployed in the East, but using a mixture of social media and on-the-ground intel gathering, InformNapalm is proving Russian Special Forces are actively operating in the region.
They've also published information about Russian soldiers serving in Syria.
They agreed to meet me in my hotel, and wore masks because they worry about what could happen to their family members and loved ones if their identities were ever revealed to Russian agents.
So what is InformNapalm, and what do you guys do? So this is more than just an info war between Ukraine and Russia.
This is essentially a cyberwar as well.
You're behind a keyboard and you're causing havoc for the Russian government, but are you willing to die for that cause?
BEN: Russia never formally responded to Ukraine's allegation that the country's to blame for the cyber attack on Ukraine's power grid.
And some government officials within Russia really don't take the threats from Ukrainian hackers very seriously.
Vadim Dengin is a member of the Russian Parliament and the Committee on Informational Policy, Information Technology, and Communications.
The Russian government maintains it never invaded Ukraine, and that Russian soldiers in Eastern Ukraine are merely patriotic volunteers helping Ukrainians who wanna separate from the country and join Russia.
Dengin might think ragtag Ukrainian hackers are harmless, but the hackers I'm about to talk to are the exact guys who, in collaboration with InformNapalm, hacked the Kremlin and leaked the emails of Putin's right-hand man, Vladislav Surkov, making international headlines.
So right now I'm waiting to meet up with a hacking group that InformNapalm hooked us up with called RUH8.
And I don't know what these people look like, but I do know they're under investigation apparently, allegedly, by Russian intelligence because they've been hacking Russia.
But we should be meeting with them really soon.
We finally managed to figure out a safe location for the two black hat hackers I was about to meet.
They call themselves Dahmer and Ross.
They're part of the hacking group RUH8, and say Russian intelligence agencies like the FSB would be very interested in knowing who they are.
So if you could say anything to those Russian FSB investigators, what would you tell them? (Laughing)
You're an outlaw, eh? (Laughing)
So you have evidence then that they're actually after you?
And you don't give a? But if they invade at some point (Sighing)
This is war, so this is all war to you?
Do you wanna explain some of the biggest hacks that RUH8 has ever done?
The conflict in Ukraine is almost 3 years old and counting.
As I know from my own experience, getting shot at or being shelled is a daily occurrence in certain parts of the country.
But if Russia really was behind the power grid attacks in Western Ukraine, or even if Russia just allowed a private company to do it, a major line has been crossed.
Our critical infrastructure in the US and Canada is just as vulnerable to cyber threats as Ukraine's.
So if someone really wanted to turn the lights off in North America, they probably could.
And given that there have been no serious repercussions for what happened in Ukraine, what's really stopping someone from doing it again?