The Department of Homeland Security said Tuesday that it is helping Ukraine investigate a recent cyberattack on its power grid that left roughly 80,000 people without power for several hours.
The notice, which was published by the agency’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, is the Obama administration’s first public comment about the Dec. 23 incident.
The outage has drawn attention as the first known blackout caused by hackers, reportedly through the implantation of malware.
DHS identified a specific piece of malicious code known as “BlackEnergy” in an update to an existing advisory on the same malware detected in U.S. critical infrastructure.
The department stopped short of confirming that the malware was the principal culprit behind the blackout.
ICS-CERT “can confirm that a BlackEnergy 3 variant was present in the system,” but “based on the technical artifacts, we cannot confirm a causal link between the power outage with the presence of the malware,” the agency said.
A report issued this weekend found that while malware enabled the attackers to carry out certain elements of their plan, it was not the direct cause of the outage.
Instead, malware was likely used to prevent system operators from detecting the attack while a remote attacker opened “breakers,” disconnecting parts of the network.
The attackers also launched a DDoS attack on the power company’s customer service center, flooding it with phony calls to prevent customers from reporting the outages.
A report from the pseudo-government industry group the Electricity Information Sharing and Analysis Center (E-ISAC) last week called the blackout a “coordinated effort by a malicious actor,” urging its U.S. members to boost their network security in response.
The Ukrainian Security Service, the SBU, was swift to blame Russia for planting malware to cause the blackout. Relations between the two nations have been in a steep decline since Russia annexed Crimea last year and began supporting pro-Russian separatists in Ukraine.
“We found that the [malware] came from Russia,” SBU said. “It was an attempt to interfere in the system. But it was discovered and prevented.”