On December 23, 2015, roughly 230,000 people in western Ukraine lost power in the middle of winter.
It wasn't a storm. It wasn't equipment failure. It was a cyberattack — the first publicly confirmed cyberattack to successfully take down a power grid. And the group behind it, known as Sandworm, has been targeting critical infrastructure ever since.
I've been studying this attack as part of my journey into ICS/OT security because it's the clearest example I've found of what makes attacks on operational technology fundamentally different from attacks on IT systems. Every time I think I understand the gap between IT and OT security, another layer of this attack reveals itself.
This is what I've learned so far.
Who is Sandworm?
Sandworm is an advanced persistent threat operated by Unit 74455, a cyberwarfare unit of the GRU — Russia's military intelligence service. [^1] They are not opportunistic criminals running ransomware for money. They are a state-sponsored group with a specific mandate: targeting critical infrastructure as an instrument of Russian foreign policy.
The name "Sandworm" comes from references to the science fiction novel Dune found in early samples of their malware — a naming convention spotted by researchers at iSIGHT Partners (now part of Mandiant) who first publicly identified the group in 2014. [^2]
Their track record is significant. In addition to the Ukraine power grid attacks, Sandworm is attributed to the NotPetya wiper malware (2017), the Olympic Destroyer attack on the 2018 Winter Olympics opening ceremony, and various operations against European governments and NATO-affiliated organizations. Scott Brady, then US Attorney for the Western District of Pennsylvania, described their campaign as representing "the most destructive and costly cyber-attacks in history." [^1]
In October 2020, a US federal grand jury indicted six GRU Unit 74455 officers by name: Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin. [^1]
The setup: how they got in
The 2015 Ukraine attack didn't start with someone hacking a substation. It started months earlier with something that would be completely familiar to any IT security professional.
Beginning as early as May 2014, more than a year before the attack, Sandworm conducted spearphishing campaigns against Ukrainian organizations. [^3] The delivery mechanism was BlackEnergy 3 malware, carried in malicious Microsoft Office attachments (Word and Excel documents with embedded macros) sent to utility company employees. [^4]
BlackEnergy started its life as a DDoS tool. By version 3, it had evolved into a modular backdoor—general-purpose, extensible, and capable of delivering additional payloads once it established a foothold. [^5] The phishing emails were targeted and credible enough that employees opened them.
This is the first thing that surprised me when I started studying this attack: the initial access was completely standard IT tradecraft. Nothing exotic. A spearphishing email, a malicious attachment, and malware installed on a corporate workstation.
According to the E-ISAC and SANS analysis of the attack, BlackEnergy 3 was likely installed on utility company systems approximately six months before the December attack. [^6] The attackers spent that time doing reconnaissance — mapping the networks, learning the specific SCADA software configurations, and identifying the VPN paths that connected corporate IT networks to operational technology systems.
Crossing the IT/OT boundary
This is where it gets interesting from an OT security perspective.
Once inside the corporate IT network, Sandworm needed to reach the industrial control systems — the SCADA systems that actually controlled the power distribution equipment. In theory, these networks should have been separated.
In practice, VPN connections existed between the corporate networks and the OT networks. Legitimate ones, used by operators for remote access and by vendors for maintenance. The VPNs did not require two-factor authentication, so credentials harvested from the corporate network were enough, and the attackers used these same paths to cross from IT into OT. [^6]
The E-ISAC/SANS analysis is direct about this: the utilities' own ICS tools and environment were ultimately used to cause the outage. The attackers brought no ICS-specific malware for that phase. They used the utilities' SCADA software and existing remote access tools, reached through the VPNs, to operate the equipment by hand. [^6]
This hit close to home for me, given my telecom background. Engineering workstations that bridge corporate and operational networks are everywhere in mission-critical infrastructure. The dual connection is convenient. It's also exactly the kind of thing that gets overlooked until an attacker finds it.
The attack itself
On December 23rd, the attackers executed a coordinated operation against three Ukrainian power distribution companies simultaneously, within minutes of each other. [^6]
Step 1: Lock out the operators. The attackers changed passwords across the SCADA systems so that legitimate operators could not log back in, and overwrote the firmware on serial-to-Ethernet converters at substations with corrupted images, rendering the devices inoperable and unrecoverable so that the substations could not be controlled remotely even once access was regained. When the attack happened, the utilities found themselves watching their systems go dark with no ability to intervene remotely. [^7]
Step 2: Use the SCADA systems against themselves. The attackers used the utilities' own remote access tools and SCADA software, through the VPN connections they had mapped during reconnaissance, to open breakers at roughly 30 substations (seven 110 kV and twenty-three 35 kV) across the three companies' service areas in the Ivano-Frankivsk, Chernivtsi and Kyiv regions. This is a critical detail: they didn't use exotic ICS attack tools for this phase. They used the legitimate software that was already there. [^6]
Step 3: Flood the call centers. Simultaneously, the attackers launched a telephone denial-of-service attack against the utilities' customer service lines — flooding them with calls to prevent customers from reporting outages and to slow the utility's situational awareness of what was happening. [^7]
Step 4: Deploy KillDisk. After the outages occurred, the attackers deployed the KillDisk malware to wipe the master boot records on Windows workstations, rendering them inoperable. This wasn't what caused the outage — the outage was already done. KillDisk was designed to slow recovery and destroy forensic evidence. [^6]
The power was out for 1 to 6 hours, depending on the area, affecting approximately 230,000 customers. [^7]
That might sound short. It was short because crews could drive to the substations and close the breakers by hand, not because the attack was limited. The attackers had shown they could get in, coordinate an operation across three targets simultaneously, lock out defenders, and cover their tracks. With the converter firmware destroyed, remote control at the affected substations stayed unavailable until the devices could be replaced, long after the lights came back.
What made this different from an IT attack
This is the part I keep coming back to.
In a typical IT breach, the damage is data — exfiltrated credentials, encrypted files, and stolen intellectual property. The systems keep running, or can be restored from backups.
In this attack:
Physical consequences were the goal. Open breakers mean no power. No power in winter in Ukraine means people without heat. The attack deliberately crossed from the digital world into the physical world. That crossing, from bits to physical reality, is what defines ICS/OT security as its own discipline.
Recovery required physical presence. Ukrainian operators had to drive to substations and manually operate equipment because the remote control capability had been compromised or locked out. This is the recovery scenario that keeps OT security people up at night: not just "can we restore the system," but "can we even get to the system?" [^7]
The attackers understood the environment deeply. They knew the specific SCADA software. They knew the substation configurations. They modified firmware on specific hardware. They understood the VPN architecture. This was not a general-purpose attack adapted for the power sector — it was purpose-built after extensive reconnaissance of these specific targets. [^6]
2016: They came back
Almost exactly one year later, on December 17, 2016, Sandworm hit the Ukrainian grid again. This time the target was a transmission-level substation north of Kyiv rather than distribution companies, and approximately one-fifth of Kyiv lost power for about an hour. [^1]
The malware used in 2016 was different — and significantly more sophisticated. ESET discovered it and called it Industroyer. Dragos analyzed the same samples and called it CRASHOVERRIDE. Both names refer to the same malware framework.
Industroyer was purpose-built for attacking power grid infrastructure. Unlike the 2015 attack, which used the utilities' own tools, Industroyer contained payload modules that spoke industrial control protocols natively: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OPC DA. [^8] It could directly issue control commands to substation equipment without a human operator at the controls.
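To make "spoke the protocol natively" concrete, here is an added example (not code from the post, and not ESET's or Dragos's tooling) that decodes IEC 60870-5-104 frames and runs two triage rules over constructed traffic. The IP addresses, information object addresses and the sweep threshold are assumptions made for the illustration. The point it shows is that a double command that opens a breaker is sixteen bytes with no authentication field anywhere in it, so detection has to come from who sent it and how many points they touched, not from anything in the frame.

```python
"""Minimal IEC 60870-5-104 decoder plus two triage rules over constructed traffic.

Added example, not code from the original post and not ESET's or Dragos's
tooling. Frames, addresses and the sweep threshold are constructed/assumed.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

C_SC_NA_1, C_DC_NA_1, C_IC_NA_1 = 45, 46, 100          # single cmd, double cmd, interrogation
CONTROL_TYPES = set(range(45, 52)) | set(range(58, 65))  # process-control ASDUs (+/- time tag)
# Size of the information element that follows the 3-byte IOA, per type id
ELEMENT_SIZE = {45: 1, 46: 1, 47: 1, 48: 3, 49: 3, 50: 5, 51: 4, 100: 1,
                58: 8, 59: 8, 60: 8, 61: 10, 62: 10, 63: 12, 64: 11}
COT_ACTIVATION = 6
DCS_NAMES = {0: "not-permitted", 1: "OFF", 2: "ON", 3: "not-permitted"}


@dataclass
class Apdu:
    fmt: str                       # 'I' (data), 'S' (ack) or 'U' (link control)
    send_seq: int = 0
    recv_seq: int = 0
    type_id: Optional[int] = None
    cot: Optional[int] = None
    common_addr: Optional[int] = None
    objects: List[Tuple[int, bytes]] = field(default_factory=list)  # (IOA, element)


def parse_apdu(raw: bytes) -> Apdu:
    """Decode one APDU (APCI + optional ASDU). Raises ValueError on bad framing."""
    if len(raw) < 6 or raw[0] != 0x68 or raw[1] != len(raw) - 2:
        raise ValueError("bad APCI start byte or length")
    c = raw[2:6]
    fmt = "I" if c[0] & 0x01 == 0 else ("S" if c[0] & 0x03 == 0x01 else "U")
    apdu = Apdu(fmt, send_seq=(c[0] >> 1) | (c[1] << 7), recv_seq=(c[2] >> 1) | (c[3] << 7))
    if fmt != "I":
        return apdu
    asdu = raw[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    apdu.type_id, vsq, apdu.cot = asdu[0], asdu[1], asdu[2] & 0x3F   # low 6 bits = cause
    apdu.common_addr = struct.unpack("<H", asdu[4:6])[0]
    size = ELEMENT_SIZE.get(apdu.type_id)
    if size is None:
        return apdu                        # type not modelled; header still usable
    count, sequential, pos, ioa = vsq & 0x7F, bool(vsq & 0x80), 6, 0
    for i in range(count):
        if not sequential or i == 0:       # SQ=1: one IOA, then consecutive elements
            ioa = int.from_bytes(asdu[pos:pos + 3], "little"); pos += 3
        elem = asdu[pos:pos + size]; pos += size
        if len(elem) != size:
            raise ValueError("information object truncated")
        apdu.objects.append((ioa + i if sequential else ioa, elem))
    return apdu


def describe_command(type_id: int, elem: bytes) -> str:
    """Decode the qualifier byte of a single/double command."""
    se = "SELECT" if elem[0] & 0x80 else "EXECUTE"          # S/E bit
    if type_id in (45, 58):
        return f"{se} single-command SCS={'ON' if elem[0] & 1 else 'OFF'}"
    if type_id in (46, 59):
        return f"{se} double-command DCS={DCS_NAMES[elem[0] & 0x03]}"
    return f"{se} control type {type_id}"


def triage(events, allowed_masters, sweep_threshold=8):
    """events: (src_ip, dst_ip, apdu_bytes). Returns alert strings.
    Rule 1: control ASDU from a host that is not a known master.
    Rule 2: one source commanding many distinct IOAs (a breaker sweep)."""
    alerts, ioas_by_src = [], {}
    for src, dst, raw in events:
        a = parse_apdu(raw)
        if a.fmt != "I" or a.type_id not in CONTROL_TYPES:
            continue
        for ioa, elem in a.objects:
            desc = describe_command(a.type_id, elem)
            if src not in allowed_masters:
                alerts.append(f"unexpected-master {src}->{dst} CA={a.common_addr} IOA={ioa} {desc}")
            ioas_by_src.setdefault(src, set()).add(ioa)
    for src, ioas in ioas_by_src.items():
        if len(ioas) >= sweep_threshold:
            alerts.append(f"control-sweep {src} commanded {len(ioas)} distinct IOAs")
    return alerts


def build_double_command(ioa: int, dcs: int, select: bool, common_addr: int = 1,
                         send_seq: int = 0, recv_seq: int = 0) -> bytes:
    """Encode a C_DC_NA_1 activation. Used only to construct sample traffic."""
    ctrl = bytes([(send_seq << 1) & 0xFE, send_seq >> 7, (recv_seq << 1) & 0xFE, recv_seq >> 7])
    asdu = (bytes([C_DC_NA_1, 0x01, COT_ACTIVATION, 0x00]) + struct.pack("<H", common_addr)
            + ioa.to_bytes(3, "little") + bytes([(0x80 if select else 0) | (dcs & 0x03)]))
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu


# Constructed sample traffic (assumed addresses): a legitimate master does a
# select-then-execute OFF on one breaker; a compromised host sweeps OFF across ten IOAs.
STARTDT_ACT = bytes.fromhex("68 04 07 00 00 00")
LEGIT = [("10.1.0.5", "10.2.0.20", build_double_command(1025, 1, select=True)),
         ("10.1.0.5", "10.2.0.20", build_double_command(1025, 1, select=False, send_seq=1))]
SWEEP = [("10.1.0.77", "10.2.0.20", build_double_command(1000 + i, 1, select=False, send_seq=i))
         for i in range(10)]


def demo():
    return triage([("10.1.0.5", "10.2.0.20", STARTDT_ACT)] + LEGIT + SWEEP,
                  allowed_masters={"10.1.0.5"})


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it and the legitimate select/execute pair produces nothing, while the sweep from 10.1.0.77 produces ten unexpected-master alerts plus one control-sweep alert. The allowlist rule is the one that matters in an environment like 2015's, where the command path was a legitimate HMI reached over VPN: the protocol gives you no other handle.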
Dragos and ESET both noted that the malware was also designed to support a DNP3 module — though no DNP3 module was found in the analyzed samples. Given that DNP3 is the dominant SCADA protocol in North American power grids, this extensibility was specifically highlighted as a concern. As Dragos founder Robert M. Lee stated: "The way this framework is built, it would be very easy to switch in a DNP3 module, and you'd be able to replay this against portions of the US grid." [^9]
Industroyer is widely considered the most significant ICS malware discovered since Stuxnet. At the time of its discovery it was only the second malware known to directly communicate with industrial hardware to cause physical effects. [^10]
The DNP Users Group issued a security notice specifically recommending that member organizations implement DNP3 Secure Authentication in response to the Industroyer disclosure. [^11]
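To show what that recommendation buys, here is an added example (not code from the post, the DNP Users Group notice, or any real DNP3 stack) that models the SAv5 challenge/response in simplified form. It keeps only the core idea: a critical request such as OPERATE is not acted on until the master returns an HMAC, keyed with the session key, over the outstation's challenge and the pending request. Framing, user numbers, key update, aggressive mode and error objects are left out, and the request payloads and keys are constructed.

```python
"""Simplified model of DNP3 Secure Authentication (SAv5) challenge/response.

Added example, not code from the post or any DNP3 implementation. Models only
the challenge/response idea; the real protocol has framing, user numbers,
session-key updates, aggressive mode and error handling that are omitted here.
"""
import hashlib
import hmac
import os
import struct

# Application-layer function codes that SAv5 always treats as critical
READ, SELECT, OPERATE, DIRECT_OPERATE, DIRECT_OPERATE_NR = 0x01, 0x03, 0x04, 0x05, 0x06
CRITICAL_FUNCTIONS = {SELECT, OPERATE, DIRECT_OPERATE, DIRECT_OPERATE_NR}
MAC_LEN = 16  # SAv5 default MAC: HMAC-SHA-256 truncated to 16 octets


def challenge_bytes(csq: int, nonce: bytes) -> bytes:
    """Stand-in for the challenge object: sequence number plus random challenge data."""
    return struct.pack("<I", csq) + nonce


def compute_mac(session_key: bytes, challenge: bytes, request: bytes) -> bytes:
    # The MAC covers the challenge AND the pending request, so a captured
    # response is useless for a different command or a later challenge.
    return hmac.new(session_key, challenge + request, hashlib.sha256).digest()[:MAC_LEN]


class Outstation:
    """Applies non-critical requests directly; challenges critical ones when secure."""

    def __init__(self, session_key: bytes, secure: bool = True):
        self.key, self.secure = session_key, secure
        self.csq, self.pending, self.applied = 0, None, []

    def receive(self, request: bytes):
        if not self.secure or request[0] not in CRITICAL_FUNCTIONS:
            self.applied.append(request)
            return ("applied", None)
        self.csq += 1
        nonce = os.urandom(4)  # SAv5 requires at least 4 octets of challenge data
        self.pending = (self.csq, nonce, request)
        return ("challenge", (self.csq, nonce))

    def authenticate(self, csq: int, response_mac: bytes) -> str:
        if self.pending is None or csq != self.pending[0]:
            self.pending = None
            return "rejected: no matching challenge"
        _, nonce, request = self.pending
        self.pending = None
        expected = compute_mac(self.key, challenge_bytes(csq, nonce), request)
        if not hmac.compare_digest(expected, response_mac):
            return "rejected: bad MAC"
        self.applied.append(request)
        return "applied"


def master_send(outstation: Outstation, session_key: bytes, request: bytes) -> str:
    """Master side: send the request and answer a challenge if one comes back."""
    status, challenge = outstation.receive(request)
    if status == "applied":
        return "applied"
    csq, nonce = challenge
    return outstation.authenticate(csq, compute_mac(session_key, challenge_bytes(csq, nonce), request))


# Constructed requests: function code followed by an opaque object payload
TRIP_BREAKER = bytes([DIRECT_OPERATE]) + b"CROB:point7:TRIP"
POLL = bytes([READ]) + b"class123"
REAL_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed session key
ATTACKER_KEY = bytes(16)   # a host on the OT network that lacks the session key


def scenario():
    """Returns (outcome per case, number of trips applied on the SAv5 outstation)."""
    results = {}
    plain = Outstation(REAL_KEY, secure=False)   # no authentication: any host can trip
    results["unauthenticated_attacker"] = master_send(plain, ATTACKER_KEY, TRIP_BREAKER)

    secure = Outstation(REAL_KEY)
    results["sav5_poll_no_challenge"] = master_send(secure, REAL_KEY, POLL)

    # Legitimate master, stepped manually so the exchange can be "captured"
    _, (csq, nonce) = secure.receive(TRIP_BREAKER)
    captured_mac = compute_mac(REAL_KEY, challenge_bytes(csq, nonce), TRIP_BREAKER)
    results["sav5_legit_master"] = secure.authenticate(csq, captured_mac)

    results["sav5_attacker_wrong_key"] = master_send(secure, ATTACKER_KEY, TRIP_BREAKER)

    # Replay: attacker triggers a fresh challenge and feeds back the captured MAC
    _, (csq2, _nonce2) = secure.receive(TRIP_BREAKER)
    results["sav5_replay"] = secure.authenticate(csq2, captured_mac)
    return results, secure.applied.count(TRIP_BREAKER)


if __name__ == "__main__":
    for case, outcome in scenario()[0].items():
        print(f"{case:28s} {outcome}")
```

The unauthenticated outstation trips for anyone who can reach it, which is the 2016 situation that Industroyer's protocol modules exploited. With SAv5 the poll still goes through unchallenged, the legitimate master's trip is applied, and both the wrong-key attempt and the replay of a captured response are rejected. What SAv5 does not do is protect a master whose session key has been stolen from its own host, which is why it complements segmentation rather than replacing it.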
Why this still matters
Sandworm didn't stop after 2016. In April 2022, they attempted another power blackout in Ukraine, the first use of an Industroyer variant (Industroyer2) in five years, which was caught and disrupted by Ukrainian defenders (CERT-UA) with assistance from ESET. [^1] In December 2025, wiper malware samples were detected in the networks of multiple wind and solar farms and a power plant in Poland, attributed to Sandworm. [^1]
For anyone working in or around US energy sector security, the question is not whether an attack like this could happen here. The 2015 playbook has been studied in detail, the 2016 malware was built as a framework that can take new protocol modules, and the protocol that dominates American substations, DNP3, was named as the obvious next module.
The US grid has some structural advantages that Ukraine does not — greater segmentation, higher baseline security investments in some sectors, and NERC CIP compliance requirements for bulk electric system operators. But the attack surface is real, and the threat actor is active.
What I'm still figuring out
After researching this, here's what I genuinely don't have clear answers to:
- How do defenders actually detect the kind of slow, methodical reconnaissance that preceded this attack — months of low-and-slow activity before anything destructive happens?
- What is the current state of IT/OT network segmentation in US utilities? Are the VPN paths that enabled the Ukraine attacks still commonplace here?
- The 2022 Industroyer2 attempt was reportedly stopped before causing outages. I'd like to understand more about what the defensive response actually looked like.
If you work in this space and have perspectives on any of these, I'd genuinely like to hear them.
Further reading
[^1]: Wikipedia — Sandworm (hacker group) — Good overview of the full scope of Sandworm operations, including the 2020 DOJ indictment details.
[^2]: Mandiant/Google Cloud — Sandworm Team and the Ukrainian Power Authority Attacks — The original iSIGHT/Mandiant writeup connecting the 2015 attacks to the Sandworm group.
[^3]: MITRE ATT&CK — 2015 Ukraine Electric Power Attack (C0028) — Structured breakdown of the attack TTPs. Useful reference format.
[^4]: Congress.gov — Attacks on Ukraine's Electric Grid — Congressional Research Service report. Good policy-level overview of the attacks and their implications for US grid security.
[^5]: University of Washington — Cyberattack on Critical Infrastructure: Russia and the Ukrainian Power Grid Attacks — A useful overview of BlackEnergy's evolution as a malware family.
[^6]: E-ISAC/SANS — Analysis of the Cyber Attack on the Ukrainian Power Grid — The definitive technical analysis of the 2015 attack. This is required reading if you're serious about ICS security.
[^7]: Wikipedia — 2015 Ukraine power grid hack — Timeline and confirmed casualty figures.
[^8]: Dragos — CRASHOVERRIDE: Analyzing the Malware that Attacks Power Grids — Dragos's original technical report on the 2016 malware. Industry standard reference.
[^9]: Vice/Motherboard — The Malware Used Against the Ukrainian Power Grid Is More Dangerous Than Anyone Thought — Robert M. Lee's direct quotes on DNP3 extensibility risk.
[^10]: Dark Reading — First Malware Designed Solely for Electric Grids Caused 2016 Ukraine Outage — Good synthesis of the ESET and Dragos findings.
[^11]: DNP Users Group — CrashOverride/Industroyer Security Notice — The official DNP Users Group response recommending SAv5 implementation.
Additional recommended reading: Andy Greenberg's book Sandworm (2019) covers the full arc of this threat actor in narrative form. It's the most accessible entry point into understanding who these people are and what they've been doing.
Brenda Suarez is a telecom technician and ICS/OT security researcher focused on energy sector critical infrastructure. Dead Reckoning documents her journey learning this field in public.