Cyberattack on Critical Infrastructure: Russia and the Ukrainian Power Grid Attacks

October 11, 2017

Authors:

Donghui Park, Julia Summers, Michael Walstrom

On December 23, 2015, the control centers of three Ukrainian electricity distribution companies were remotely accessed. Taking control of the facilities’ SCADA systems, malicious actors opened breakers at some 30 distribution substations in the capital city Kiev and western Ivano-Frankivsk region, causing more than 200,000 consumers to lose power.[1] Nearly a year later, on December 17, 2016, a single transmission substation in northern Kiev lost power. These instances of sabotage took place on the tail of a political revolution in Kiev, the annexation of Crimea, and amid military clashes in the eastern Donetsk and Luhansk regions.

Governments and cybersecurity companies have attributed the hacks to Russian groups with suspected, although unclear, associations with the Russian government.[2] Russian hackers have a long history of participating in political and military conflicts in Eastern Europe and consistently carry out espionage operations around the world in support of Russian interests.[3]

These attacks represent a growing category of hacks intended to sabotage critical infrastructure. International norms and laws to address nation-state sponsored hacking are in their infancy and investigators are rarely able to trace hacks back to individuals.[4] Instead, investigators point to faceless hacking collectives and the nations they live in.[5] It is similarly difficult to connect hackers to governments, despite evidence indicating such connections.[6] Attribution difficulties give victim countries pause before they name an attacker or retaliate, and create plausible deniability for malicious governments.[7]

However, in spite of the challenges attribution poses, the Ukrainian grid hacks have served Russian interests in at least two ways. First, they are a component of a destabilization campaign aimed at Ukraine as it reduces its dependence on Russia and leans west toward the European Union (EU) and NATO economically, politically, and militarily. Second, the attacks were meant to demonstrate the offensive capabilities of Russian hackers and allowed Russia to prove its effectiveness on a country that cannot retaliate in kind.

Attributing Russian Cyberattacks on Ukraine

Ukrainian and U.S. government officials have attributed the grid hacks to Russia, and cybersecurity firms have linked the malware present in the affected systems to Russian cyber-criminal groups.[8] In March 2016, Ukrainian investigators stated the attackers were Russian speaking and one claimed that the Russian group known as APT28 (Advanced Persistent Threat 28 or “Fancy Bear”) may have been involved. APT28 is thought to have ties to the Russian government and has a history of high-profile hacks with targets that include the Pakistani military, Ukrainian Election Commission, and the U.S. Democratic National Committee.[9]

In February 2016, U.S. Deputy Energy Secretary Elizabeth Sherwood-Randall attributed the first attack on the Ukrainian grid to Russia at a meeting with U.S. energy industry executives.[10] Around the same time, Ukraine’s deputy energy minister stated that one of the affected distribution companies was attacked from Russian Internet networks.[11] Investigations quickly drew the blame away from APT28 and toward the Sandworm Team, another Russian group that has targeted NATO, European governments, and industrial control systems generally.[12]

A major component of attribution has been the presence of a malware trojan named “BlackEnergy3,” which has helped confirm the Sandworm Team as responsible for the outages.[13] Investigators and researchers involved in the second hack on the grid also pointed to the Sandworm Team and believe that their actions align with Russian state interests, which suggests but does not prove state support.[14] In February 2017, Ukrainian officials made their attribution, blaming Russian security services and the group behind the BlackEnergy malware.[15] Private security company Dragos has also attributed the attack to the Sandworm Team, which used a new malware named Industroyer (aka CrashOverride).[16]

The Sandworm Team, BlackEnergy3, and Industroyer

Sandworm Team has a growing profile of sophisticated and high impact operations that will likely keep growing. The group’s long life, technical skills, and politically oriented operations suggest some affiliation to the Russian government.[17] Espionage and sabotage operations cannot be monetized on black markets in the same way as credit card or bank account numbers can be, making them more difficult to track and attribute. In the case of espionage and sabotage, the primary beneficiaries are governments. The Sandworm Team’s targets – from NATO to Ukrainian energy companies – are organizations in which the Russian government has a strategic interest.[18]

The Sandworm Team and the tools they use have a long developmental record. The original BlackEnergy malware was used as far back as 2007 for Distributed Denial of Service (DDOS) attacks; the second version was tailored to target the human-machine-interfaces that control industrial processes.[19] However, BlackEnergy3 is more general and modular because of its diverse plugins.[20] Delivered in attachments to spearphishing emails, it creates a backdoor in systems giving the Sandworm Team an entry point to steal information and work through further reaches of a network.[21] BlackEnergy3 was also used to deliver Killdisk malware that wipes files and makes computers unable to reboot. Both have been found in the networks of other companies that use industrial processes, including a Ukrainian mining company and state owned railway operator.[22]

Sandworm Team’s first hacking campaign began as early as May 2014 with phishing emails and reconnaissance.[23] In this case, BlackEnergy3 was likely installed on utility company systems six months before hackers caused the blackouts on December 23, 2015.[24] Phishing emails with infected attachments were sent to the companies’ offices.[25] When the attachments were opened, macros enabled hackers to gain remote access. After they gained access they began harvesting credentials for the virtual private networks (VPN) used by grid operators to access the control centers remotely.[26] Using the VPNs, they explored control center networks and connected devices.[27]

In addition to opening breakers at substations, the Sandworm Team explored methods to extend the blackouts.[28] They carried out a denial of service attack against one company’s call center, flooding it with fake calls to stop company personnel from identifying the blackout area. At other control centers, supporting equipment was tampered with to slow recovery operations. These appear to be exploratory elements of a campaign that was as much about learning as causing a single blackout.[29]

Sandworm Team developed new malware before taking down the transmission substation on December 17, 2016.[30] Industroyer is significantly more advanced than BlackEnergy3; it is tailor-made for manipulating industrial control systems. With built-in knowledge of communication protocols used in electric grid equipment, Industroyer can directly control remote equipment without having to rely on the software grid operators use.[31] It is an upgrade over BlackEnergy 2 and 3 that provides more stealth.

Russian Hybrid Warfare 

As the Ukrainian case illustrates, Russian hacker groups continue to be successful in espionage and sabotage operations around the world. In particular, post-Soviet countries serve as a testing ground for new kinds of cyber operations. But cyberwarfare is only one aspect of a broader hybrid warfare strategy that Russia is using in Ukraine and other Eastern European countries. For more than a decade Russia has used cyber operations alongside traditional military force and political and economic pressure to exert control over, and destabilize, countries along its western border. While the Ukrainian grid hacks are the first of their kind, they are typical of Russia’s engagement with former Soviet countries.[32] In response, the targeted states have accused the Russian government of having organized cyberattacks—a useless effort due to the ambiguity of the relationship of the attackers to the Russian government and the resulting plausible deniability.[33]

What is Russian Hybrid Warfare?

Since the late 2010s, Russia has attempted to combine conventional and cyber tactics to achieve its national strategic goals – particularly its national goal to bring Russia back to prominence in the international arena.[34] To do this, Russia has combined cyber warfare tactics with traditional strategy to create a new type of hybrid warfare that relies on proxies and surrogates to prevent attribution and intent, and to maximize confusion and uncertainty using both simple and sophisticated technologies in innovative ways.[35]

Hunter and Piret define “hybrid warfare” as:

Sophisticated campaigns that combine low-level conventional and special operations; offensive cyber and space actions; and psychological operations that use social and traditional media to influence popular perception and international opinion.[36]

However, in comparison to physical warfare, which consists of state military forces and physical attacks on real world targets, hybrid warfare can be generally characterized as a type of low-intensity conflict that can become high-intensity depending on circumstance. Within hybrid warfare, Golling and Stelte define “cyber operations” as:

The unauthorized conducting of a penetration by, on behalf of, or in support of, a government into another state’s computer or network, or any other activity affecting a computer system, which the purpose is to add, alter, falsify or delete date, or cause the disruption of or damage to a computer or network, or the objects a computer system controls, such as SCADA-system.[37]

The official Russian government stance is that it does not engage in offensive cyber activities. At the end of 2011, the Russian government released its first official doctrinal statement on the role of the Russian military in cyberspace.[38] This document is entirely defensive in tone, focusing on force protection and prevention of information warfare. The document seems intended to suggest that Russia does not pursue offensive cyber activities, as it does not discuss any hybrid warfare activities.

However, former and current Russian Chiefs of the General Staff, Generals Nikolay Makarov and Valery Gerasimov, gave different, yet coinciding, pictures about Russian military strategy. In January 2012, Makarov emphasized three main tasks for any new command: “disrupting adversary information systems, including by introducing harmful software; defending our own communications and command systems” and “working on domestic and foreign public opinion using the media, Internet and more.”[39]

In an article just over a year later, Gerasimov proposed a new Russian style of warfare that blends conventional and unconventional warfare with aspects of national power, often referred to as “hybrid warfare.”[40] In other words, the Russian military has tried in recent years to conduct hybrid warfare, consisting of conventional and cyber operations, to maintain political leverage on post-Soviet areas near its western border.

Historically, the concept of Russian hybrid warfare is not a new one, but an upgraded version of classic military strategy, strengthened by cyber capability. In general, advancement in military science and technology has been recognized as an important condition for countries or armed groups to win wars – especially against comparatively weak opponents.[41] However, in response, weaker actors adapt – creating new strategies that maximize their advantages, such as guerilla warfare. Such strategies allow actors to overcome the weaknesses that would lead to defeat in an all-out war.

The use of “irregular” tactics by weaker actors has been prominent since Spanish militia groups formed guerilla units during the Napoleonic Wars.[42] In the Chinese Civil War, Mao Zedong defeated the U.S.-supported Kuomintang by applying an upgraded asymmetric guerilla warfare strategy to his forces.[43] North Korea has also developed a mixed tactics strategy that focuses on combining regular strategy with innovative cyber tactics, to achieve strategic goals against its comparatively strong enemies – the U.S. and South Korea – based on the classic concept of hybrid warfare.[44]

In this context, the Russian hybrid strategy could be recognized as another version of strategy innovation in that it includes both guerrilla strategy and cutting-edge information technologies to achieve political and economic goals. Specifically, the Russian government has pursued its aims against Ukraine with several irregular strategic methods, such as supporting anti-Ukraine rebel groups, sending its own soldiers to Crimea without Russian insignia, spreading misinformation, and encouraging pro-government hackers to threaten Ukrainian critical networks.[45] These tactics are being used everywhere – ranging from Ukraine’s eastern border to the center of Ukraine.[46]

How has Russian hybrid warfare previously worked in post-Soviet areas?

Before the attacks on the Ukrainian power grid, there were two major suspected cases of Russian hybrid warfare against its former territory: the 2007 Cyberattacks on Estonia and the 2008 Russo-Georgian War.

In the first case, pro-Russian hackers attacked important government and private websites in response to the removal of a memorial statue.[47] In April 2007, the newly-elected Estonian government moved a memorial statue honoring Soviet World War II dead out of the heart of the nation’s capital.[48] In response, pro-Russian riots broke out.[49] The Russian government’s initial response was to pressure the Estonian government to put the statue back, and the state-owned Russian Railway announced it would cancel certain passenger train services.[50]

However, along with the conventional street protests, distributed denial-of-service (DDOS) attacks, website defacements, DNS server attacks, mass email, and comment spam also targeted Estonia for three weeks.[51] While these attacks were never directly attributed to the Russian government, some experts and Estonian officials believe that Moscow was involved in drumming up patriotic hackers.[52] In short, to maintain its leverage on Estonia, the Russian government used cyber operations against Estonia, an action made possible in part by the heavily wired nature of Estonia.

In the second case, Georgian networks were attacked by pro-Russian hackers and online groups prior to the Russian military maneuver to South Ossetia.[53] That region, although recognized by most of the international community as Georgian, had been under de facto control by pro-Russian separatists, stemming from conflicts between 1992 and 1993.[54] In early August of 2008, the Georgian military launched a surprise attack against the separatist groups following separatist provocations.[55] In response, the Russian government sent its military into Georgian territory.[56] At the same time, a large number of Georgian government websites went down due to cyberattacks.[57]

In Georgia, the cyber operations were well coordinated with Russian conventional military movements, stopping the Georgian government from effectively responding to Russian physical maneuvers. Georgia was the first manifestation of a hybrid war strategy that drew on cyber warfare tactics.

As these cases illustrate, the Russian government has attempted to dominate neighbors and bring them back into its sphere of influence using cyber warfare. In this context, Russian hybrid warfare strategy has been an optimal means to achieve this desire, while also receiving relatively low pushback from the international community.

While the strategy represented in cyberattacks on Estonia in 2007 and Georgia in 2008 confused citizens of both countries, Moscow enjoyed the plausible deniability for its actions that often originates from hybrid warfare cyber operations.[58] The attacks on Ukraine follow the action in Estonia and Georgia.

Russia’s Underlying Interests in Ukraine

Since 2014, Russia has been conducting cyber warfare and kinetic operations against Ukraine in an attempt to halt Ukraine’s turn to Europe, prevent Ukraine from joining NATO, and promote Russia’s economic and geopolitical goals in the region.[59] While Russia is concerned about Ukraine turning to the West, it is also concerned with Ukraine’s moves to end its dependence on Russian energy sources. As Ukraine has discovered natural gas sources in its own territory, Russia has faced the loss of a major policy lever in Ukraine.

Ukraine’s Turn to the West

The central reason for Russia’s military intervention in Ukraine in 2014 hinges on Ukrainians’ desire to turn to the West – a move that is incompatible with Russia’s national interests.[60] Additionally, the successful anti-governmental revolutions in Ukraine demonstrated collective resistance against Russian-leaning policies, and rampant corruption in the public sector of Ukraine.[61] Such pro-Western moods in Ukraine are alarming to the Kremlin because they undermine Russia’s hegemony in the region and, ultimately, its desire to be the counterbalancing influential power to the United States on the global arena.[62]

The anti-governmental protests in Ukraine presented a direct threat to Putin’s regime in Russia in the context of the spreading of “color revolutions” in the region at the time.[63] Given the close cultural and historical connection the two countries share, Ukraine’s uprisings were viewed as contagious. Thus, Russia began its military operations in the eastern part of the country, through proxies – the separatists – which also complicated any plans for Ukraine’s desire to join NATO.[64] Furthermore, through continuous ongoing destabilization of Ukraine, socially and economically, Russia aims at slowing down Ukraine’s development, and the realization of benefits from “Westernization” there.

Russia’s Energy Interests in Ukraine

Although Ukraine’s Western aspirations could undermine the stability of Russia’s state, Ukraine’s desire to end its dependence on Russia’s gas also threatens Moscow because it means Russia loses a powerful policy lever in Ukraine.[65] Beginning with the 2004 Ukrainian Orange Revolution, Russia used its monopoly on Ukraine’s gas supply as a coercive policy tool.[66] For instance, in both 2006 and 2009 Russia cut the gas supply to Ukraine in response to Ukraine’s president Victor Yushchenko. Yushchenko favored a European course of development and closer ties with NATO.[67] During the presidency of pro-Russian Victor Yanukovych, and his distancing from Europe, the gas supply to Ukraine flowed freely.[68] The new “Revolution of Dignity” in 2013-2014 that ousted pro-Russian Victor Yanukovych brought about yet more gas cuts from Moscow.[69]

Unwilling to have Russia control its politics through gas supply, Ukraine has begun searching for ways to gain energy independence from Russia. Prior to the annexation of Crimea, vast deposits of shale oil and gas were discovered in the Black Sea basin off the Crimean shelf, in Eastern Ukraine’s Yuzivska shale block (Donbas), and Western Ukraine’s Olesska shale block.[70] According to 2013 statistics published by the U.S. Energy Information Administration, Ukraine’s shale gas deposits were the third largest in Europe.[71] Thus, Ukraine’s prospects for becoming the energy center in Europe are feasible.[72] Currently, Russia sells over 75% of its natural gas resources to Europe and satisfies 30% of Europe’s gas demand.[73] Ukraine’s gas exports, if developed, would not only undermine Moscow’s economic interests in Europe, but also the political influence Russia’s gas monopoly grants the Kremlin there.[74]

Given the availability of natural gas resources, Ukraine signed a production contract with Royal Dutch Shell for an investment in tapping the shale gas resources in Yuzivska (Eastern Ukraine) in 2013, which by some estimates could produce up to 20 billion cubic meters of gas annually by 2030.[75] That amount alone would satisfy over half of what Ukrainians consumed in 2015.[76] The map below illustrates the location of these shale gas deposits.

[Figure: Map of Ukraine shale locations]

Another energy giant – the U.S.’s Chevron – also signed an agreement to develop shale gas deposits in Western Ukraine’s Olesska shale block the same year.[77] However, both Shell and Chevron froze their shale-developing activities when Ukraine plunged into military conflict with Russia, because the conflict was undermining the security of their investments.[78]

Therefore, the annexation of the Crimean Peninsula in 2014 and the subsequent Russian military intervention in Eastern Ukraine were not just a decision to keep Russia’s Black Sea Naval fleet stationed in Sevastopol and a demonstration of Russian power in the region overall.[79] The invasion was also part of a far-seeing economic strategy.[80] Heavily dependent on the export of its energy resources, Russia preserved its influence and income by taking Ukraine’s gas prospects out of the equation.[81] Moscow put heavy focus on pipeline building, ensuring its uninterrupted gas supply directly to Europe.[82]

Ukrainian Shale Deposits and Russian Electrical Grid Attacks

The discovery of shale deposits has prompted Russian attempts to stall their development and sabotage much needed business deals for Ukraine’s foreign-capital-thirsty economy. Russia’s military operation on the ground solved, albeit partially, the problem that the prospect of Ukrainian energy competition posed for Russia.[83] The war zone in Eastern Ukraine covers the Donetsk region part of the Yuzivska shale block and has thus closed it to development.

In addition, the Kharkiv region (the second half of the shale block) has been subject to destabilizing activities. Among these actions were the recent explosions at an arms warehouse in Balaklia, in the Kharkiv region, which, according to Ukraine’s defense minister Poltorak, were staged by Russia.[84] It is also worth noting that at the beginning of the unrest in Eastern Ukraine, there were numerous attempts, however unsuccessful, to create a third Russia-backed separatist enclave in the Kharkiv region.[85]

To prevent the development of energy sources in Ukraine’s west, Moscow has employed various methods to destabilize the region – including attacks on the electrical grid. On December 23, 2015, a Russian-led cyberattack on the Prykarpattyaoblenergo distribution center created enough uncertainty to hurt the prospects of setting up industrial fracking operations in that region.[86] Prykarpattyaoblenergo is responsible for supplying electricity to the Ivano-Frankivsk region that hosts part of the Olesska shale block. Russia has also financed fracking protests.[87] The map below illustrates the locations of the major attacks on the electrical grid.

The methods Russia uses to manipulate Ukraine’s vulnerable developing economy have proven to be very effective.[88] Frequent cyberattacks on Ukraine’s critical infrastructure impose damages and economic losses on the country, and submerge Ukraine’s entire territory into a state of hybrid warfare and social instability. Additionally, in the larger context of growing reliance on cyber weapons by world powers, Ukraine appears to have become a test ground for new cyber-offensive technology Russia can use elsewhere.[89]

Implications

Ukraine’s crisis is ultimately a part of a larger system of events in the East-European region. Russia is conducting its foreign policy in the region chiefly based on its perception of the ongoing events there and their impact on Russia’s foreign and domestic interests. To achieve its goals, Russia is using various methods to influence the course of development that its neighbors choose to pursue. The methods now appear to include, among others, the combination of conducting the covert military operations on the ground and in cyberspace, spreading of pro-Russian and anti-Western disinformation domestically and internationally, as well as attacking various elements of critical infrastructure and exerting control over the national economies of the Eastern European states.

While the West’s economic sanctions against Russia are working, the Kremlin seems to retaliate in increasingly aggressive ways in cyberspace and on the ground against Ukraine. With the presidential elections around the corner, Russia will possibly intensify its hybrid warfare operations in the region, especially if Russia’s internal affairs follow their current unstable trajectory.

The pattern in Ukraine could be a foreshadowing of the future for all states. The number of cyberattacks is on the rise and the most sophisticated among them have been attributed to nation-state actors.[90] Nation-states have the resources and the intelligence available to conduct multilayered and well-orchestrated attacks over long periods of time. The evolving security threats from cyberattacks led by nation-states range from espionage to cyberattacks on critical infrastructure. The motivation to use cyberspace as a fifth domain of conflict is driven by relatively low costs, the covert nature of cyber operations, and the strategic advantage they present, as opposed to conventional warfare. Through cyberattacks nation-states strive to achieve geopolitical and economic goals that otherwise might seem unattainable to them.[91] The Russian attacks on Ukrainian electricity distribution companies perfectly capture the nature of this new landscape and how embedded it is in existing geopolitical relations.

Endnotes

[1] E-ISAC, SANS ICS. “Analysis of the Cyber Attack on the Ukrainian Power Grid” March 18 2016. p4. http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf

[2] Volz, Dustin and Finkle, Jim. “U.S. Helping Ukraine Investigate Power Grid Hack.” January 12, 2016. http://www.reuters.com/article/us-ukraine-cybersecurity-usa/u-s-helping-ukraine-investigate-power-grid-hack-idUSKCN0UQ24020160112.

[3] FireEye. “APT28: A Window Into Russia’s Cyber Espionage Operations?” October 27, 2014. pg 6-18. https://www2.fireeye.com/apt28.html

[4] Davis II et al. “Stateless Attribution Toward International Accountability in Cyberspace” 2017. Pg 9-10. RAND. https://www.rand.org/pubs/research_reports/RR2081.html

[5] Schmitt, Michael N., and Vihul, Liis. “Proxy Wars in Cyberspace: The Evolving International Law of Attribution.” Fletcher Security Review 1, no. 2. Pg 55-56. Spring 2014. https://ccdcoe.org/sites/default/files/multimedia/pdf/c28a64_2fdf4e7945e9455cb8f8548c9d328ebe.pdf

[6] Davis II et al. “Stateless Attribution Toward International Accountability in Cyberspace” 2017. Pg 10. RAND. https://www.rand.org/pubs/research_reports/RR2081.html

[7] F-Secure. “BLACKENERGY & QUEDAGH The convergence of crimeware and APT attacks” September 2014. Pg 1. https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf

[8] Dragos Inc. “CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations,” June 13, 2017. Pg 10. https://dragos.com/blog/crashoverride/CrashOverride-01.pdf

[9] Fireeye isight Intelligence. “APT28: At the Center of the Storm” January 2017. Pg 4-5. https://www2.fireeye.com/WEB-2017-RPT-APT28.html?utm_source=FEcom&utm_campaign=intel-apt28&utm_medium=blog

[10] Perez, Evan. “U.S. Official Blames Russia for Power Grid Attack in Ukraine.” CNN. 02-11-2016. http://www.cnn.com/2016/02/11/politics/ukraine-power-grid-attack-russia-us/index.html

[11] Polityuk, Pavel. “Ukraine Sees Russian Hand in Cyber Attacks on Power Grid.” http://www.reuters.com/article/us-ukraine-cybersecurity/ukraine-sees-russian-hand-in-cyber-attacks-on-power-grid-idUSKCN0VL18E

[12] Hultquist, John. “Sandworm Team and the Ukrainian Power Authority Attacks”. January 7, 2016. https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html

[13] FireEye. “Cyber Attacks on the Ukrainian Grid: What You Should Know.”  https://www.fireeye.com/content/dam/fireeye-www/global/en/solutions/pdfs/fe-cyber-attacks-ukrainian-grid.pdf

[14] Finkle, Jim. “U.S. Firm Blames Russian ‘Sandworm’ Hackers for Ukraine Outage.” January 7, 2016. http://www.reuters.com/article/us-ukraine-cybersecurity-sandworm/u-s-firm-blames-russian-sandworm-hackers-for-ukraine-outage-idUSKBN0UM00N20160108

[15] Zinets, Natalia. “Ukraine Charges Russia with New Cyber Attacks on Infrastructure.” Reuters, February 15, 2017. http://www.reuters.com/article/us-ukraine-crisis-cyber-idUSKBN15U2CN

[16] Dragos Inc. “CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations,” June 13, 2017. https://dragos.com/blog/crashoverride/CrashOverride-01.pdf

[17] FireEye. “Cyber Attacks on the Ukrainian Grid: What You Should Know.” https://www.fireeye.com/content/dam/fireeye-www/global/en/solutions/pdfs/fe-cyber-attacks-ukrainian-grid.pdf

[18] Zetter, Kim. “Russian ‘Sandworm’ Hack Has Been Spying on Foreign Governments for Years.” WIRED. October 14, 2014. https://www.wired.com/2014/10/russian-sandworm-hack-isight/

[19] Wilhoit, Kyle and Gogolinsk, Jim. “Sandworm to Blacken: The SCADA Connection“ October 16, 2014. http://blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-the-scada-connection/

[20] Samani, Raj, and Beek, Christiaan. “Updated BlackEnergy Trojan Grows More Powerful.” McAfee Blogs, January 14, 2016. https://securingtomorrow.mcafee.com/mcafee-labs/updated-blackenergy-trojan-grows-more-powerful/

[21] E-ISAC, SANS ICS. “Analysis of the Cyber Attack on the Ukrainian Power Grid” March 18 2016. P7. http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf

[22] Wilhoit, Kyle. “KillDisk and BlackEnergy Are Not Just Energy Sector Threats.” TrendLabs Security Intelligence Blog, February 16, 2016. http://blog.trendmicro.com/trendlabs-security-intelligence/killdisk-and-blackenergy-are-not-just-energy-sector-threats/

[23] E-ISAC, SANS ICS. “Analysis of the Cyber Attack on the Ukrainian Power Grid” March 18 2016. P7. http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf

[24] Polityuk, Pavel. “Ukraine Sees Russian Hand in Cyber Attacks on Power Grid.” http://www.reuters.com/article/us-ukraine-cybersecurity/ukraine-sees-russian-hand-in-cyber-attacks-on-power-grid-idUSKCN0VL18E.

[25] E-ISAC, SANS ICS. “Analysis of the Cyber Attack on the Ukrainian Power Grid” March 18 2016. P5-6. http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf

[26] Booz Allen Hamilton. “When the Lights Went Out,” 2016.  P 34. https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf.

[27] E-ISAC, SANS ICS. “Analysis of the Cyber Attack on the Ukrainian Power Grid” March 18 2016. P7. http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf

[28] Ibid.

[29] Greenberg, Andy. “How An Entire Nation Became Russia’s Test Lab for Cyberwar” June 20, 2017. https://www.wired.com/story/russian-hackers-attack-ukraine/

[30] Cherepanov, Anton and Lipovsky, Robert. “Industroyer: Biggest threat to industrial control systems since Stuxnet” June 12, 2017. https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/

[31] Ibid.

[32] Herzog, Stephen. “Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses.” Journal of Strategic Security IV, no. 2 (2011): 49–60; Giles, Keir. “‘Information Troops’ – a Russian Cyber Command?” Cyber Conflict (ICCC), 2011 3rd International Conference on, 2011 3rd International Conference on Cyber Conflict, 2011, 45–60; Giles, Keir. “Russia’s ‘New’ Tools for Confronting the West Continuity and Innovation in Moscow’s Exercise of Power.” Russia and Eurasia Programme. London: Chatham House, the Royal Institute of International Affairs, March 2016.

[33] Traynor, Ian. “Russia Accused of Unleashing Cyberwar to Disable Estonia.” The Guardian, May 17, 2007, sec. World news. http://www.theguardian.com/world/2007/may/17/topstories3.russia; Markoff, John. “Before the Gunfire, Cyberattacks.” The New York Times, August 12, 2008, sec. Technology. https://www.nytimes.com/2008/08/13/technology/13cyber.html; Zinets, Natalia. “Ukraine Charges Russia with New Cyber Attacks on Infrastructure.” Reuters, February 15, 2017. https://www.reuters.com/article/us-ukraine-crisis-cyber-idUSKBN15U2CN; Higgins, Andrew. “Maybe Private Russian Hackers Meddled in Election, Putin Says.” The New York Times, June 1, 2017, sec. Europe. https://www.nytimes.com/2017/06/01/world/europe/vladimir-putin-donald-trump-hacking.html.

[34] Connell, Michael, and Sarah Vogler. “Russia’s Approach to Cyber Warfare.” Center for Naval Analyses Arlington United States, March 2017. http://www.dtic.mil/docs/citations/AD1032208.

[35] Monaghan, Andrew. “Putin’s Way of War: The ‘War’ in Russia’s ‘Hybrid Warfare.’” Parameters 45, no. 4 (n.d.): 65–74. p. 66; Hoffman, Frank G. “Conflict in the 21st Century: The Rise of Hybrid Wars.” Arlington, VA: Potomac Institute for Policy Studies, December 2007. p. 7.

[36] Hunter, Eve, and Piret Pernik. “The Challenges of Hybrid Warfare.” Tallinn, Estonia: RKK International Centre for Defence and Security, April 2015. p. 3.

[37] Golling, Mario and Bjorn Stelte. “Requirements for a Future EWS – Cyber Defence in the Internet of the Future.” 2011 3rd International Conference on Cyber Conflict, Tallinn, 2011. p. 136.

[38] “The Military Balance 2017: Chapter 5. Russia and Eurasia.” International Institute for Strategic Studies 116 (February 14, 2017). p. 224.

[39] Ibid.

[40] Bartles, Charles K. “Getting Gerasimov Right.” Military Review, February 2016. p. 30.

[41] Sullivan, Patricia L. “War Aims and War Outcomes: Why Powerful States Lose Limited Wars.” Journal of Conflict Resolution 51, no. 3 (June 2007): 496–524.

[42] Hammes, Thomas X. “Insurgency: Modern Warfare Evolves into a Fourth Generation.” Strategic Forum, no. 214 (January 2005): 1–8.

[43] Johnson, Chalmers. “The Third Generation of Guerrilla Warfare.” Asian Survey 8, no. 6 (June 1968): 435–47.

[44] Park, Donghui. “North Korea Cyber Attacks: A New Asymmetrical Military Strategy.” The Henry M. Jackson School of International Studies, June 28, 2016. https://jsis.washington.edu/news/north-korea-cyber-attacks-new-asymmetrical-military-strategy/.

[45] Monaghan, Andrew. “Putin’s Way of War: The ‘War’ in Russia’s ‘Hybrid Warfare.’” Parameters 45, no. 4 (n.d.): 65–74; Zetter, Kim. “Everything We Know about Ukraine’s Power Plant Hack.” Wired, January 20, 2016, sec. Security. https://www.wired.com/2016/01/everything-we-know-about-ukraines-power-plant-hack/; “Ukraine Crisis in Map.” BBC News, February 18, 2015, sec. Europe. http://www.bbc.com/news/world-europe-27308526.

[46] Ibid.

[47] Blank, Stephen. “Web War I: Is Europe’s First Information War a New Kind of War?” Comparative Strategy 27, no. 3 (July 25, 2008), pp. 227–228.

[48] Connell, Michael, and Sarah Vogler. “Russia’s Approach to Cyber Warfare.” Center for Naval Analyses Arlington United States, March 2017. pp. 13-14.

[49] Ibid.

[50] Lesk, Michael. “The New Front Line: Estonia under Cyberassault.” IEEE Security & Privacy 5, no. 4 (August 2007): 76–79. p. 76.

[51] Schmidt, Andreas. “The Estonian Cyberattacks.” In The Fierce Domain – Conflict in Cyberspace, 1986 to 2012, 2013. p. 8.

[52] Connell, Michael, and Sarah Vogler. “Russia’s Approach to Cyber Warfare.” Center for Naval Analyses Arlington United States, March 2017. p. 13; Applegate, Scott D. “Cybermilitias and Political Hackers: Use of Irregular Forces in Cyberwarfare.” IEEE Security and Privacy 9, no. 5 (September 2011): 16–22.

[53] Hollis, David. “Cyberwar Case Study: Georgia 2008.” Small Wars Journal 7, no. 1 (January 6, 2011): 1–9. p. 2.

[54] Tikk, Eneken, Kadri Kaska, Kristel Runnimeri, Mari Kert, Anna-Maria Taliharm, and Liis Vihul. Cyber Attacks Against Georgia: Legal Lessons Identified. Tallinn, Estonia, 2008. p. 4.

[55] Tikk, Eneken, Kadri Kaska, Kristel Runnimeri, Mari Kert, Anna-Maria Taliharm, and Liis Vihul. “Cyber Attacks Against Georgia: Legal Lessons Identified.” Tallinn, Estonia: Cooperative Cyber Defence Centre of Excellence, November 2008. p. 4.

[56] Ibid.

[57] Markoff, John. “Before the Gunfire, Cyberattacks.” The New York Times, August 12, 2008, sec. Technology. https://www.nytimes.com/2008/08/13/technology/13cyber.html.

[58] Fitton, Oliver. “Cyber Operations and Gray Zones: Challenges for NATO.” Connections: The Quarterly Journal 15, no. 2 (2016): 109–19. pp. 109-110 & 118; Foxall, Andrew. “Putin’s Cyberwar: Russia’s Statecraft in the Fifth Domain.” London, UK: The Russian Studies Centre, The Henry Jackson Society, May 2016. pp. 2 & 12-13.

[59] “Putin: Russia Will Take ‘Countermeasures’ to NATO Expansion.” Voice of America. November 21, 2016. Accessed July 10, 2017. https://www.voanews.com/a/putin-nato-film-stone-russia-crimea-ukraine/3605862.html

[60] Clover, Charles, White Snow, Black Wind: The Rise of Russia’s New Nationalism, New Haven, CT: Yale University Press, 2016

[61] Menon, Rajan and Rumer, Boris, Conflict in Ukraine: the Unwinding of the Post-Cold War Order, Boston, MA: MIT Press, 2015

[62] Stent, Angela R., The Limits of Partnership: US-Russia Relations in the 21st Century, Princeton University Press, 2014

[63] Korsunskaya, Darya. Putin says Russia must prevent ‘color revolution’. Reuters. November 20, 2014. Accessed July 10, 2017. http://www.reuters.com/article/us-russia-putin-security-idUSKCN0J41J620141120

[64] Killalea, Debra. Ukraine joining NATO would be trigger for war with Russia. News.com.au. August 15, 2016. Accessed May 30, 2017. http://www.news.com.au/finance/work/leaders/ukraine-joining-nato-would-be-trigger-for-war-with-russia/news-story/a8c91f47dcf67b5877bbacd51c8132a5

[65] Kramer, Andrew E. Ukraine Looks to Texas for an Energy Path. The New York Times. May 4, 2011. Accessed July 19, 2017. http://www.nytimes.com/2011/05/05/business/global/05shale.html?mcubz=1

[66] Timeline: Gas crises between Russia and Ukraine. Reuters. January 11, 2009. Accessed May 30, 2017. http://www.reuters.com/article/us-russia-ukraine-gas-timeline-sb-idUSTRE50A1A720090111

[67] Menon, Rajan and Boris Rumer. Conflict in Ukraine: The Unwinding of the Post-Cold War Order, Boston, MA: MIT Press, 2015

[68] Grytsenko, Oksana. Yanukovych confirms refusal to sign deal with EU. Kyiv Post. November 26, 2013. Accessed July 21, 2017. https://www.kyivpost.com/article/content/ukraine-politics/yanukovych-confirms-refusal-to-sign-deal-with-eu-332493.html

[69] Walker, Shaun. Russia cuts off gas supply to Ukraine after talks collapse. The Guardian. June 16, 2014. Accessed May 30, 2017. https://www.theguardian.com/world/2014/jun/16/russia-cuts-off-gas-supply-ukraine

[70] Analysis and Projections. U.S. Energy Information Administration: Ukraine. September 24, 2015. Accessed May 30, 2017. https://www.eia.gov/analysis/studies/worldshalegas/

[71] Ibid.

[72] The State of Ukraine’s Energy Sector. Webcast. Atlantic Council. July 12, 2017. Accessed July 19, 2017. http://www.atlanticcouncil.org/events/upcoming-events/detail/the-state-of-ukraine%E2%80%99s-energy-sector

[73] Country Analysis Brief: Russia. U.S. Energy Information Administration. October 25, 2016. Accessed July 12, 2017. https://www.eia.gov/beta/international/analysis_includes/countries_long/Russia/russia.pdf

[74] Mazneva, Elena and Anna Shiryaevskaya. Putin’s Russia Seen Dominating European Gas for Two Decades. Bloomberg. March 1, 2017. Accessed July 19, 2017. https://www.bloomberg.com/news/articles/2017-03-01/putin-s-russia-seen-dominating-european-energy-for-two-decades

[75] Batkov, Szilvia. Russia’s silent shale gas victory in Ukraine. Euractiv. September 2, 2015. Accessed May 30, 2017. https://www.euractiv.com/section/energy/opinion/russia-s-silent-shale-gas-victory-in-ukraine/

[76] The World Fact Book. Country Comparison: Natural Gas Consumption. Central Intelligence Agency. Accessed July 19, 2017. https://www.cia.gov/library/Publications/the-world-factbook/rankorder/2250rank.html

[77] Reed, Stanley, and Andrew E. Kramer. Chevron and Ukraine Set Shale Gas Deal. New York Times. November 5, 2013. Accessed May 30, 2017. http://www.nytimes.com/2013/11/06/business/international/chevron-and-ukraine-sign-deal-on-shale-gas.html

[78] Batkov, Szilvia. Russia’s silent shale gas victory in Ukraine. Euractiv. September 2, 2015. Accessed May 30, 2017. https://www.euractiv.com/section/energy/opinion/russia-s-silent-shale-gas-victory-in-ukraine/

[79] Treisman, Daniel. Why Putin Took Crimea. Foreign Policy. May/June 2016. Accessed May 30, 2017. https://www.foreignaffairs.com/articles/ukraine/2016-04-18/why-putin-took-crimea

[80] Umbach, Frank. The energy dimensions of Russia’s annexation of Crimea. NATO Review magazine. Accessed July 11, 2017. http://www.nato.int/docu/review/2014/NATO-Energy-security-running-on-empty/Ukraine-energy-independence-gas-dependence-on-Russia/EN/index.htm

[81] Metelitsa, Alexander. Oil and natural gas sales accounted for 68% of Russia’s total export revenues in 2013. U.S. Energy Information Administration. July 23, 2014. Accessed July 13, 2017. https://www.eia.gov/todayinenergy/detail.php?id=17231

[82] Rapoza, Kenneth. Russia’s Gazprom Doubling Down on ‘Anti-Ukraine’ Baltic Pipeline. Forbes. March 14, 2017. Accessed July 14, 2017. https://www.forbes.com/sites/kenrapoza/2017/03/14/russias-gazprom-doubling-down-on-anti-ukraine-baltic-pipeline/#3d3c50417b0c

[83] Oleksandr Savitsky, Tatyana Vezhis. Shale gas in Ukraine: production not in the near term. FINANCE.UA. March 10, 2016. Accessed July 2, 2017. http://news.finance.ua/ru/news/-/371208/slantsevyj-gaz-v-ukraine-dobycha-ne-v-blizhajshej-perspektive

[84] Davies, Gareth. Ukrainian arms warehouse storing 138,000 TONNES of rockets and tank ammunition is blown up by saboteurs forcing 20,000 to be evacuated. DailyMail. March 23, 2017. Accessed July 14, 2017. http://www.dailymail.co.uk/news/article-4341530/Ukrainian-arms-warehouse-blown-saboteurs.html

[85] Pro-Russian Protesters Declare ‘People’s Republic’ in Kharkiv. RadioFreeEurope. April 8, 2014. Accessed July 14, 2017. https://www.rferl.org/a/kharkiv-separatists-declare-republic/25325304.html

[86] Zetter, Kim. Everything we know about Ukraine’s power plant hack. WIRED. January 20, 2016. Accessed July 20, 2017. https://www.wired.com/2016/01/everything-we-know-about-ukraines-power-plant-hack/

[87] Higgins, Andrew. Russian Money Suspected Behind Fracking Protests. The New York Times. November 30, 2014. Accessed July 19, 2017. https://www.nytimes.com/2014/12/01/world/russian-money-suspected-behind-fracking-protests.html?mcubz=1&_r=0

[88] Batkov, Szilvia. Russia’s silent shale gas victory in Ukraine. Euractiv. September 2, 2015. Accessed May 30, 2017. https://www.euractiv.com/section/energy/opinion/russia-s-silent-shale-gas-victory-in-ukraine/

[89] Greenberg, Andy. How an entire nation became Russia’s Test Lab for cyberwar. WIRED. June 20, 2017. Accessed July 18, 2017. https://www.wired.com/story/russian-hackers-attack-ukraine/

[90] * Stuxnet was attributed to the United States and Israel; the Ukrainian power grid hack was attributed to Russia.

[91] Paganini, Pierluigi. Cyber warfare-Cyber Space and the status quo balance of power; dichotomy or symphony? How Technology backfires. Security Affairs. February 1, 2015. Accessed May 29, 2017. http://securityaffairs.co/wordpress/33448/cyber-warfare-2/cyber-warfare-balance-of-power.html

This publication was made possible in part by a grant from Carnegie Corporation of New York. The statements made and views expressed are solely the responsibility of the author.