Why one researcher mimicked Russian hackers in breaking into a European utility

Jason Larsen was tired of hearing how skilled Sandworm was, so he used one of their techniques to improve a client's security.
Jason Larsen ioactive

Jason Larsen was tired of hearing about the skills of Russian-linked hackers, particularly those who cut power in parts of Ukraine in 2015 and 2016.

These were groundbreaking and worrying attacks, he thought to himself, but giving the attackers too much credit makes defending against them more complicated than it needs to be.

So Larsen, a researcher at cybersecurity company IOActive, broke into the substation network of a European electric utility using one of the Russian hackers’ techniques. The first segment of the attack — gaining root access on some firmware— took him 14 hours. He took notes by the hour and shared them with the distribution utility, one of his clients, to improve their defenses.

“We’ve embodied them with all of these god-like abilities,” Larsen said of Sandworm, the group said to be responsible for the attacks and which many believe to work on behalf of Russia’s military intelligence agency. The group turned the lights off for some 225,000 people in Ukraine in 2015, and then hit a transmission substation outside of Kiev the following year.


As the first known cyberattacks to cause power outages, there is no downplaying the seriousness of the Ukraine grid disruptions. In the 2016 attack, the Russian hackers showed they were learning more about the industrial control systems they were attacking by deploying malware carefully tailored to that environment.

But by demystifying the Russian hackers’ techniques, researchers have helped organizations defend against them. Larsen went a step further by using the techniques himself.

Exploiting the same gear, but for good and not ill

To break into the European distribution utility, Larsen targeted a serial-to-ethernet converter, which translates commands from devices in the field to a utility’s substation control systems. The Russians exploited the same technology in 2015 in Ukraine. He picked apart the firmware on the device and found a vulnerability that let him dump all the device’s memory and recover its password.  Like the Russians, he used his own firmware implant to take control of the converter.

Larsen did not do this on a whim: He was on site at the utility, with a company employee next to him, when he conducted the carefully planned attack. He eventually burrowed into the network on the utility’s substation, which converts power from high to low voltage so it can be delivered to homes and businesses. He used the firmware implant to manipulate data running through the serial-to-ethernet converter, blinding the utility’s operators to his presence on the substation’s network.


Although Larsen performed the attack a couple of years ago, he only just this week at the S4 conference in Miami Beach publicly presented his findings. He had to keep the details of the attack to himself until Moxa, the maker of the converter, issued a patch for the vulnerability last year.

‘This is the real world, prepare for it!’

It took some convincing for the European utility, which Larsen declined to name, to let him perform the attack. One utility employee had to lobby intensely to let Larsen do his hacking. “This is the real world, prepare for it!” he recalls the employee telling his colleagues.

Larsen praised the utility’s progressive attitude toward security. “That’s why they actually hire consultants like us to go break into them because they want to see what they’re missing.”

Organizations shouldn’t rely on expensive monitoring devices to keep hackers out of their networks because attackers can acquire that same equipment and figure out how to break it, Larsen said.


Analysts expect Sandworm to continue to evolve and develop its capabilities.

But guarding against future attacks needn’t be overly elaborate, Larsen said. It will mean adhering to security practices that are effective against other threats: hunting for signs of a malicious intruder and keeping critical control systems segmented from more standard IT devices.

Since he compromised the utility’s substation network, “trust [with the client] has increased over time” and they’re more aware of the threats, Larsen told CyberScoop. “Now, whenever they build something…they build it with that mind.”

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts