What would have happened if the blackout had been the result of a cyberattack by a hostile country?

The government managed the massive blackout from the outset based on the assumption that a "technical problem, a breakdown" had plunged the entire Iberian Peninsula into darkness, according to sources involved in the crisis management.
There was "not a single hint" of a cyberattack, although this possibility has not been completely ruled out until forensic analysis of the electrical system determines it.
But what scenario would have been triggered if there had been suspicions that what was known as an advanced persistent threat (APT) was behind the blackout of the century?
Defense and cybersecurity experts paint a much more chaotic and protracted picture, since containing the attack by a foreign actor and freeing the compromised systems would have delayed the recovery process, in addition to representing yet another twist in the turbulent geopolitical landscape.
The historic day of April 28th would have been rewritten very differently if a foreign power had claimed responsibility for digital sabotage. An APT capable of causing an unprecedented blackout like this week's is no ordinary computer virus. And it's within the reach of very few. These are sophisticated, long-term cyberattacks with the goal, among other things, of disrupting critical infrastructure operations for extended periods. They are typically carried out by adversaries with abundant resources, such as nations. Intelligence and information service sources name names like Russia, China, the United States, and Israel as countries with the capacity to do so. Behind advanced persistent threats is not just malicious code, but a brutal effort to gather information about the target—vulnerabilities and defenses—to penetrate the network—virtually or physically with an infiltrated agent—to escalate privileges to access the most critical data, and to hide traces to avoid detection.
In the event of digital sabotage that caused a massive blackout, military presence on the streets would be unquestionable.

A FireEye Mandiant study revealed that the average time an APT remains undetected on a network is approximately 146 days.
Josep Albors, director of research and awareness at ESET Spain, stated in a telephone conversation with La Vanguardia that "it is possible" that an APT could cause a blackout of such magnitude, although he considers it "highly unlikely" in the recent case. However, he insists that this hypothesis has not been completely ruled out, and that it could be confirmed "in several months."
The ESET researcher recalls that the Industroyer malware, both its original and improved versions, was developed specifically to attack a power grid, causing widespread blackouts. This virus has been used against Ukraine, both before and after the outbreak of the war.
Previously, in 2010, the Stuxnet worm penetrated the computer system of the Natanz nuclear plant in Iran via an infected USB flash drive. Once there, it sought out the software controlling the centrifuges that separated the different types of uranium. After taking control, the virus reprogrammed the thousand centrifuges to spin at highly unusual speeds for several months, causing them to disintegrate. The New York Times reported that Stuxnet, considered the first cyberweapon, was a joint creation of the United States and Israel.
If the Cyber Coordination Office, which employs around fifty National Police and Civil Guard officers, or the National Center for the Protection of Critical Infrastructures (CNPIC), had found the slightest indication that the blackout was due to a persistent threat, they would have activated cyberattack protocols, which broadly speaking have three phases: containment of the attack, release of the computer system—which is generally hijacked—and recovery of the affected activity.
There is no doubt in the military leadership that a cyberattack could trigger NATO's Article 5.

Instead, last Monday, the country went straight to the so-called black start, restoring power to the entire country. Recovering from an APT, the same sources explain, is not a matter of twelve hours, like the ones it took to recover 100% of electricity demand. And this is the main difference between what was and what could have been: a more prolonged blackout, which would pose a different scenario from the one the National Security Council considered earlier this week, with a more than likely military presence beyond the Military Emergency Unit (UME).
In fact, one of the biggest concerns of the autonomous communities that had requested that the government assume coordination was the fear that the blackout would extend into the early hours of the morning, potentially generating situations of absolute chaos. In such a dystopian scenario, the intelligence and information services would have been focused on searching for possible actors who could claim responsibility for the attack, since determining 100% responsibility for a sophisticated cyberattack through a subsequent investigation is practically impossible. The difficulty lies not only in the search, but also in the verification.
Due to this lack of complete certainty regarding authorship in these types of attacks, what is known as a false flag operation could be taking place, designed to make it appear as if it was carried out by another nation. If this were the case, military leaders have no doubt that invoking Article 5 of the Treaty of the Atlantic Alliance, which enshrines the principle of collective defense, would have been considered.
The call between Prime Minister Pedro Sánchez and NATO Secretary General Mark Rutte on the day of the blackout would, of course, have been on different terms.
However, experts doubt that an APT that caused an entire country to shut down could be used as a simple warning of what such an adversary might be capable of. "No one uses such a large amount of ammunition simply to warn of what you can do, but rather as a strategic advantage for a specific purpose," explains Albors, who recalls how Russia launched high-intensity cyberattacks against critical infrastructure before invading Ukraine.
Russia, China, the United States and Israel are among the few countries capable of such sabotage.

The Industroyer malware caused thousands of homes to lose power in Kyiv in late 2016 after attacking a local electrical substation. This is precisely the precedent cited by National Court Judge José Luis Calama in his order to open an investigation into the incident.
This Thursday, sources from the Ministry of Ecological Transition, which leads the committee created to analyze the blackout, recalled that, although Red Eléctrica has preliminarily ruled out a cyberattack on its facilities, there are thousands of locations in the electrical system that are interconnected and not owned by the company. If this is confirmed—an unlikely outcome—the government has no doubt that "many red lines" have been crossed.