Get a MacBook Air, $400 Amazon Gift Card, or Take $400 Off with OnDemand Training - Learn More


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Sorry, the slides for this webcast are not available for download.

Analyzing the Ukrainian Power Grid Cyber-Attacks

  • Monday, March 14, 2016 at 7:15 PM EDT (2016-03-14 23:15:00 UTC)
  • Jake Williams


  • Waterfall Security

You can now attend the webcast using your mobile device!



At the end of December, 2015 as many as 80,000 residents in Western Ukraine lost power. Subsequent investigation into the incident indicated that coordinated cyber-attacks contributed to the power outages by disrupting control systems and flooding call centers. Some of the malware deployed contained destructive capabilities, which is fairly unusual for most APT campaigns. Many investigators have attributed this attack to Russia, with some speculating that it may be a precursor to larger scale cyber attacks.

In this session, we will review the publicly available evidence and discuss the prevailing theories about the attacks and how the evidence supports them (or in some cases doesnt). Well also examine some of the malware involved in the attack and discuss why certain capabilities may have been deployed. Finally, well discuss attack attribution and try to determine if based on the available evidence we can come to the same conclusions as other analysts (and the media). This session will have content appropriate for all skill levels, including those without any previous ICS/SCADA exposure.

Speaker Bio

Jake Williams

Jake Williams is a Principal Consultant at Rendition Infosec. He has more than a decade of experience in secure network design, penetration testing, incident response, forensics, and malware reverse engineering. Before founding Rendition Infosec, Jake worked with various cleared government agencies in information security roles.

Jake is the co-author of the SANS FOR610 course (Malware Reverse Engineering) and the FOR526 course (Memory Forensics). He is also a contributing author for the SEC760 course (Advanced Exploit Development). In addition to teaching these courses, Jake also teaches a number of other forensics and security courses. He is well versed in Cloud Forensics and previously developed a cloud forensics course for a US Government client.

Jake regularly responds to cyber intrusions performed by state-sponsored actors in financial, defense, aerospace, and healthcare sectors using cutting edge forensics and incident response techniques. He often develops custom tools to deal with specific incidents and malware reversing challenges.

Additionally, Jake performs exploit development and has privately disclosed a multitude of zero day exploits to vendors and clients. Why perform exploit development? It's because metasploit != true penetration testing. He found vulnerabilities in one of the state counterparts to and recently exploited antivirus software to perform privilege escalation.

Jake has spoken at Blackhat, Shmoocon, CEIC, B-Sides, DC3, as well as numerous SANS Summits and government conferences. He is also a two-time victor at the annual DC3 Digital Forensics Challenge. Jake used this experience with, and love of, CTF events to design the critically acclaimed NetWars challenges for the SANS malware reversing and memory forensics courses. Jake also speaks at private engagements and has presented security topics to a number of Fortune 100 executives.

Jake developed Dropsmack, a pentesting tool (okay, malware) that performs command and control and data exfiltration over cloud file sharing services. Jake also developed an anti-forensics tool for memory forensics, Attention Deficit Disorder (ADD). This tool demonstrated weaknesses in memory forensics techniques.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.