Suspected Russian-Linked Intrusions Raise Alarm Over Power Grid Targeting
Investigators linked a second cyber-induced power disruption in Ukraine to the same threat actors believed responsible for the 2015 grid attack, reinforcing concerns that attackers had developed repeatable capabilities against electric utilities. Reporting on the incident said the intrusion affected a Ukrainian power station and was widely viewed as further evidence that grid operators remained exposed to targeted attacks capable of interrupting electricity delivery.
At the same time, U.S. officials disclosed that malware associated with the Russian campaign labeled Grizzly Steppe had been found on a Burlington Electric laptop in Vermont, prompting warnings about possible reconnaissance against American energy infrastructure. Burlington Electric said the compromised device was not connected to grid control systems, was isolated immediately, and did not disrupt operations, but the discovery intensified fears that Russian-linked operators were probing utility networks in the United States while earlier attacks in Ukraine demonstrated the potential consequences.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Researchers and media tied the 2016 Ukraine blackout to 2015 attackers
By January 2017, reporting and technical analysis concluded that the December 2016 Ukraine outage was likely carried out by the same group responsible for the 2015 grid attack. This attribution strengthened the view that the adversary was conducting a sustained campaign against Ukrainian energy infrastructure.
Initial reports suggested Russian hackers penetrated the U.S. electric grid
Media reports on the Burlington Electric discovery said Russian hackers had penetrated a U.S. utility, raising alarm about possible probing of the American electrical grid. Officials said the malware was not used to disrupt operations, but the case intensified concern about future Russian access to utility networks.
Burlington Electric found Grizzly Steppe-linked malware on a laptop
Burlington Electric Department in Vermont detected malware code associated with the Russian-linked Grizzly Steppe campaign on a company laptop. The utility said the laptop was not connected to grid operations, isolated the device, and notified federal authorities.
U.S. agencies released Grizzly Steppe indicators to critical infrastructure
After publicly attributing Russian cyber activity, DHS, FBI, and ODNI shared indicators associated with the Grizzly Steppe campaign with critical infrastructure operators. Those indicators were later used by utilities and investigators to identify related malware on systems in the United States.
Cyberattack triggered another power outage in Ukraine
A second cyber-induced blackout struck Ukraine in December 2016, affecting a power transmission facility near Kyiv. Subsequent analysis and reporting linked the incident to the same actors behind the 2015 Ukraine grid attack.
Russian-linked hackers caused a Ukraine power outage in 2015
Attackers linked to the BlackEnergy campaign disrupted Ukraine's power grid in late 2015, causing outages and establishing a precedent for cyberattacks on electric utilities. Later reporting tied the 2016 Ukraine blackout to the same adversaries.
Sources
The Ukrainian Power Grid Was Hacked Again (vice.com)
Latest Ukraine Blackout Tied To 2015 Cyberattackers (darkreading.com)
Russians penetrated Burlington Electric Department computer - VTDigger (vtdigger.org)
Russian operation hacked a Vermont utility, showing risk to U.S. electrical grid security, officials say - The Washington Post (washingtonpost.com)


