December 23, 2015 – Ukrainian Power Plant Attacked-The set up for this attack likely started in March 2015 with spear phishing.
The power plant attack started from a spear phishing email appearing to come from the Ukrainian parliament. It contained a Word doc file laden with BlackEnergy3.
FireEye breached an unsecured command and control server and found instructions for BlackEnergy in Russian.[i] The detectives on the case, Lee and Assante, noticed there was no code written to control the circuit breakers for the power company. Yet on December 23, employees of the Kyivoblenergo plant lost control over the circuits and they were being controlled from somewhere else. Then the hackers used KillDisk to overwrite the firmware of the station converers used to control older equipment. Another site of the attack was at the Prykarpattyaoblenergo site. This time the attackers had engineered a batch of phone calls to keep customer’s from responding. One of the station operators recorded the incident on his iPhone 5s.
[i] https://www.wired.com/story/russian-hackers-attack-ukraine/