After the occupation of Crimea and Donbas, Ukraine has repeatedly been the target of cyber attacks by the Russian Federation. In 2016 and 2017, Ukraine suffered economic losses to the tune of more than $10 billion as a result of attacks launched by Russian hackers, including by means of Russian-made software and services. In 2020 alone, the Cybersecurity Department of the Security Service of Ukraine neutralised more than 600 cyberattacks on critical infrastructure of Ukraine. Powerful cyber attacks, which would have entailed catastrophic consequences, targeted Ukrainian energy, banking and transport networks, as well as infrastructure information systems. A significant share of the hackers whose purpose was to cause damage to the government agencies of Ukraine (including during elections) and to enterprises of the defence industry were directly controlled from the Russian Federation.
Given this threat, Ukraine has gradually taken steps to protect its cyberspace from possible attacks by the aggressor country. In February 2015, in accordance with the decision of the National Security and Defence Council, the Cabinet of Ministers banned the software produced by Russian company Kaspersky Lab from being used in the Ukrainian government agencies. In May 2017, the decision of the National Security and Defence Council “On imposition of personal special economic and other restrictive measures (sanctions)” was enacted by a decree of the President of Ukraine. In particular, Kaspersky and Doctor Web antivirus software, as well as 1C accounting software designed in the Russian Federation, were subject to sanctions.
In March 2020, the sanctions were extended by President’s Decree of 14 May 2020 No. 184/2020. However, Russian Parus IT company and Saprun consulting company were removed from the sanctions list. Ukrainian cybersecurity experts have repeatedly expressed concern that Russian software could become a “Trojan Horse,” giving Russia access to Ukraine’s critical infrastructure. Of particular concern to IT professionals was the possibility of using Russian software at Ukrainian nuclear power plants, which would jeopardise Ukraine’s energy security.
Business as usual?
Russia’s constant attempts to get Ukraine “addicted” to Russian gas and Russian electricity supplies, with threats to leave consumers without heating, are all elements of the energy component of Russia’s hybrid war against Ukraine. It is all the more worrying when the desire of top managers of Ukrainian energy companies to do business as usual with Russia prevails over reason and the instinct of self-preservation.
Close collaboration between power engineering and power generation companies in the countries of the former Soviet Union was built up over decades and has continued since the collapse of the USSR. In particular, a cooperation agreement between the Ruselprom electric engineering concern (Russia) and the State Enterprise “National Nuclear Energy Generating Company Energoatom” (Ukraine) on the supply of Russian equipment to Ukrainian nuclear power plants was signed in 2011.
But, perhaps, the cooperation between the Russian concern and the operator of Ukrainian nuclear power plants, which provide more than 50% of power generation, was terminated after the occupation of Crimea and part of Donbas with consideration to the country’s energy security?
The online service of public procurements demonstrates that the Russian energy concern Ruselprom continues to supply the NNEGC Energoatom with goods and services.
According to the agreement No. 15212-124-GOOODS-1 between NNEGC Energoatom and TES Vsetin s.r.o. (the Czech Republic), turbogenerator excitation systems were delivered to Unit No. 3 of the South Ukrainian NPP, Unit No. 1 and Unit No. 2 of the Khmelnytskyi NPP, Unit No. 3 and Unit No. 4 of the Rivne NPP.
A detailed study of the tender documentation for electrical tests at Unit No. 3 of the South Ukrainian NPP in October-November 2020 proves that although a Czech company is a formal supplier of equipment for Ukrainian NPPs, the excitation systems such as BSV-REM-320-380 were designed in accordance with technical specification developed and approved by the OOO “NPP “Ruselprom-Elektromash” (Russian Federation).
In addition, the online service of Ukrainian public procurements also indicates that “Ruselprom” (Russia) is the manufacturer of software for generators’ excitation systems installed at Ukrainian nuclear power plants. It is also noted that only the software developer, i.e., the Russian OOO “NPP “Ruselprom-Elektromash,” can carry out high-quality electrical tests of the excitation systems and the automatic regulators of the turbogenerators’ excitation systems.
In fact, the Czech company acted as a buffer company in this tender. It was a “Trojan Horse,” thanks to which Ukrainian NPPs received equipment manufactured according to the technical documentation of the Russian Federation, which should be serviced exclusively by Russian specialists, and, most importantly, this equipment for Ukrainian nuclear power plants is operated by Russian-made software.
Two independent cybersecurity experts also confirmed in a comment to the author of the article that Russian-made software for turbogenerators’ excitation systems is supplied to Ukrainian NPPs in a compiled form, i.e., with closed source. Thus, the software consumer, in this case the specialists of the three Ukrainian nuclear power plants, cannot see what is inside the software. IT experts confirmed that Russian software for Ukrainian nuclear power plants could potentially contain malicious code that would turn off generators at Ukrainian nuclear power plants.
Moreover, according to the agreement concluded on 29 September 2020 between NNEGC Energoatom, represented by Director General of the South Ukrainian NPP V.A. Lisnichenko, and OOO “NPP “Ruselprom-Elektromash,” represented by Managing Director A.L. Komkov, the Russian company undertook to send two of its specialists to the facility (power unit No. 3 of the South Ukrainian NPP).
In summary
In the seventh year of the war, three Ukrainian nuclear power plants obtain equipment produced by the aggressor country, the Russian Federation, that may contain dangerous parts of code, including those that can stop the operation of NPP generators. NNEGC Energoatom invites specialists of the Russian energy concern to service this equipment at Ukrainian nuclear power plants.
As of the date of publication of this article (26 March 2021), our colleague, editor-in-chief of Real Donbass media outlet Andriy Udod received no official response to his information inquiry sent to the management of Energoatom.
Background: Ukraine’s energy system has been repeatedly hit by cyber attacks after the Russia-Ukraine war started. On 23 December 2015, the operator of regional electric networks “Prykarpattiaoblenerho” was attacked. Experts from the international cybersecurity company ESET claimed that the attackers used the Black Energy Trojan virus which ran a special program KillDisk that prevents computers from booting. As a result, about 30 substations were shut down, leaving more than 200,000 residents without electricity for several hours.
At the same time, Kyivoblenerho and Chernivtsioblenerho were attacked, with milder consequences. Experts from the Electricity Information Sharing and Analysis Center (E-ISAC), specialising in protection of power grids in North America, said it was the first known cyberattack that resulted in a blackout. It was also one of the few such attacks that damaged the physical infrastructure of energy facilities.
The second attack took place in December 2016. Its target was the Northern substation of the Ukrenergo National Power Company, resulting in a blackout in the districts of Kyiv’s right bank and several villages of the Kyiv region, which lasted more than an hour. ESET experts said that Russia could be behind both cases of cyber attacks on Ukraine’s energy sector.
In June 2017, a large-scale hacker attack using the Petya.A virus software disrupted operation of several government agencies and enterprises. Zaporizhzhiaoblenerho, Dniprooblenerho and Chornobyl NPP were among the targets. As a result, the Chernobyl radiation monitoring system was switched to manual mode. The Security Service of Ukraine and Secretary of the National Security and Defence Council Oleksandr Turchynov then claimed possible involvement of Russian special services in the attack.
Perhaps, the countdown to a new cyber attack on the Ukrainian power grid, including nuclear power plants, has already started.
Valentyna Bykova, International Center for Countering Russian Propaganda