BlackEnergy and KillDisk Linked to Cyberattack on Ukraine’s Power Grid
Ukrainian authorities reported that attackers used the BlackEnergy malware family and the destructive KillDisk component during a coordinated intrusion into electric power distribution networks, leading to a temporary disruption of electricity supply. The operation reportedly involved unauthorized remote access to operator environments, interaction with SCADA/RTU infrastructure, and actions that interfered with control and communications systems, causing outages that lasted roughly 1 to 3.5 hours and affected a small share of total annual electricity delivery.
The incident was described as a multi-stage compromise of critical infrastructure rather than an isolated malware infection, with the attackers moving from IT environments into operational technology systems used to manage power distribution. In response, CERT-UA and Ukrainian officials highlighted defensive measures including stronger network segmentation, limiting direct Internet exposure, improving monitoring and detection, and hardening protections around critical infrastructure networks to reduce the risk of similar grid-disruption attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Ukraine ministry publishes analysis linking attack to BlackEnergy and KillDisk
Ukraine's energy ministry published a notice describing the power-sector cyberattack and referencing the BlackEnergy malware family and the KillDisk destructive component. The notice also included defensive recommendations such as network segmentation, limiting Internet exposure, stronger monitoring, and better protection of critical infrastructure networks.
Ukraine power grid cyberattack causes temporary outages
In late 2015, attackers conducted a coordinated intrusion into Ukrainian electric power distribution environments, remotely interacting with SCADA/RTU-related systems and disrupting communications. The incident caused temporary power outages lasting roughly 1 to 3.5 hours and affected about 73 MWh of electricity supply.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
̳���������� ���������� �� ������� ������������ ������ :: ̳������������� �� ���� �������� ����� �� ������ ������������ ��� ������������ ��������, �� ������� �� ����� ��������� ̳����������, ��� �������� ����������� ���� ���������� ����������������� ��������� � ������ �����������
web.archive.org
Open source���������� ����� DRAM ����� ���� ���������� � ���������� ���������� ������
opennet.me
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Sandworm Linked to Cyberattack That Disrupted Ukraine’s Power Grid
Ukrainian electric utilities suffered a coordinated cyberattack that caused power outages for civilians, marking one of the clearest cases of a cyber operation producing a real-world disruption of critical infrastructure. Reporting from iSIGHT Partners and SANS ICS assessed with high confidence that the outage was intentional and attributed the intrusion to **Sandworm Team**, citing the presence of **BlackEnergy 3** malware in affected environments and the use of the destructive component **KillDisk** during the operation. U.S. government industrial control system alerts later documented the incident as a cyberattack against Ukrainian critical infrastructure and tied it to a broader, ongoing malware campaign targeting ICS environments. The reporting said **KillDisk** may have been used less to trigger the outage than to hinder restoration and operator visibility after the attack, while flooding utility call centers with phone traffic likely complicated response efforts; the incident also fit Sandworm’s wider pattern of targeting Ukrainian entities, regional power organizations, and other government and media networks while showing sustained interest in **SCADA** and industrial control systems.
May 25, 2026
BlackEnergy Used in Targeted Attacks Against Organizations in Ukraine and Poland
ESET reported that the **BlackEnergy** malware family was used in targeted intrusions against organizations in **Ukraine and Poland**, linking the activity to a broader campaign focused on compromising selected victims in the region. The reporting described BlackEnergy as an established threat platform adapted for espionage and follow-on malicious activity, with attackers using it to gain footholds inside targeted networks. The campaign highlighted BlackEnergy’s continued evolution from earlier criminal use into a tool deployed in politically sensitive operations. The incidents underscored the risk to regional government and private-sector entities, showing that attackers were leveraging a known malware framework in focused attacks rather than indiscriminate mass infections.
Jun 22, 2026
Suspected Russian-Linked Intrusions Raise Alarm Over Power Grid Targeting
Investigators linked a second cyber-induced power disruption in Ukraine to the same threat actors believed responsible for the 2015 grid attack, reinforcing concerns that attackers had developed repeatable capabilities against electric utilities. Reporting on the incident said the intrusion affected a Ukrainian power station and was widely viewed as further evidence that grid operators remained exposed to targeted attacks capable of interrupting electricity delivery. At the same time, U.S. officials disclosed that malware associated with the Russian campaign labeled **Grizzly Steppe** had been found on a Burlington Electric laptop in Vermont, prompting warnings about possible reconnaissance against American energy infrastructure. Burlington Electric said the compromised device was **not connected to grid control systems**, was isolated immediately, and did not disrupt operations, but the discovery intensified fears that Russian-linked operators were probing utility networks in the United States while earlier attacks in Ukraine demonstrated the potential consequences.
May 25, 2026