The Ukraine Power Grid
Engineers in Kyiv watched their own mouse cursors open breakers in distant substations while a flood of fake calls jammed the customer-service lines.
On December 23, 2015, three regional electricity distribution companies in western Ukraine — Prykarpattyaoblenergo, Kyivoblenergo, and Chernivtsioblenergo — began losing control of their own networks. Operators sat at workstations watching ghost mouse pointers click through the supervisory interface and methodically open circuit breakers in substation after substation.
A live demonstration
Roughly 230,000 people lost power. Call centers received a flood of automated calls timed to keep the lines busy while customers tried to report outages. The operators' own workstations were then hit with firmware-corrupting commands that disabled the serial-to-Ethernet converters connecting them to field equipment — turning what should have been a brief incident into one requiring weeks of physical visits to substations to manually re-energize them.
The intrusion had begun months earlier with a spear-phishing campaign that delivered the BlackEnergy 3 malware to office machines. The attackers spent the intervening time studying SCADA workflows and harvesting credentials for the operational network.
A second time, a different way
A year later, in December 2016, a single Kyiv transmission substation went dark for about an hour. The mechanism this time was different — a piece of purpose-built malware named Industroyer that spoke industrial protocols natively, without needing a human to drive the mouse. It was the first piece of code in the wild that targeted electric grids as a primary goal.
What the chronicle remembers
The Ukraine grid attacks were the first publicly confirmed cyberattacks to cause a blackout. They moved the long-theoretical idea of cyber-physical warfare into the documented record and gave defenders elsewhere a concrete playbook to study before the same techniques arrived at their door.