Ukraine "is ready to help restore the energy grids" after the blackouts affecting Spain and Portugal, as just declared by the Ukrainian Energy Minister, German Galuschenko. "We are willing to share the knowledge and experience, including those acquired during the systematic Russian attacks on the energy infrastructure," Galuschenko stated in a publication on X.
Red Eléctrica, the Spanish electricity transmission operator, indicated that the cause of the blackout was unknown at the moment, but in Kiev, many believe it could be a cyber sabotage from Moscow, similar to those suffered by Kiev since 2015.
The major blackout in the Iberian Peninsula has been widely discussed in Ukrainian media, where certain hacker groups close to Russia are suspected of causing the chaos, although the Government has not commented on this situation pending further information.
In December 2015, Ukraine became the first country in the world to suffer a blackout caused by a cyber attack. The hack left 250,000 people without power in the country's west in the middle of winter. It was the prelude to a new era of hybrid conflicts, where weapons are not always missiles or bullets, but lines of malicious code to infiltrate a system to steal its data or damage it to make it stop working.
The attack was meticulously planned for months. The hackers from the Russian group Sandworm, the perpetrators of the attack, had resources akin to a state and likely its support, as they also had ties to Moscow's intelligence services. According to Andy Greenberg, a reporter for the magazine Wired who studied them for his book of the same name, "Sandworm is not just a group of hackers. It is a cyber military force serving a state, and its battlefield is the whole world."
Sandworm agents infiltrated the networks of three Ukrainian electricity companies using social engineering techniques: a simple email with an attachment infected with the BlackEnergy malware allowed the attackers to remotely take control of the SCADA systems, the digital brains that manage electricity distribution.
At 3:30 p.m. on December 23, the attackers launched their offensive. From a distance, they disconnected electrical switches, disabled backup systems, and overwrote software with the KillDisk malware to render recovery systems inoperable. They even blocked call centers so citizens couldn't report the outages. The level of coordination surprised cybersecurity experts worldwide.
A year later, in December 2016, the aggressors struck again, this time with a more sophisticated tool: Industroyer, also known as CrashOverride. Unlike its predecessor, this malware did not require human intervention once inside the system. Its ability to communicate directly with industrial protocols—such as IEC-101 and IEC-104, common in European power grids—made it an autonomous weapon. Although its impact was limited to about an hour of blackout in Kiev, it demonstrated an alarming advancement: the ability to automate an electrical sabotage on a large scale.
Both incidents marked a turning point in cybersecurity history. Ukraine, far from being a passive victim, reacted swiftly. It physically separated its critical networks from the internet, reinforced its response teams, established constant monitoring protocols, and implemented realistic attack drills. Certain critical structures returned to analog control, and its experience became a global case study, laying the groundwork for defensive strategies applied even in countries like the United States, Germany, or Japan.
This attack showed the world that 21st-century conflicts are not only fought in trenches but also in servers. And that a simple click can plunge an entire city into darkness.
Mark Galeotti, one of the most renowned experts in Russian security and hybrid warfare, has extensively studied the use of cyber attacks as strategic tools within modern warfare, especially by Moscow: "These actions allow for destabilizing, intimidating, or weakening the enemy without firing a single shot. The attacks on Ukraine in 2015 and 2016 served to demonstrate power and vulnerability simultaneously. Hybrid warfare is more about theater and perception than territorial dominance." "The real danger lies not only in isolated attacks but in persistent campaigns that lay the groundwork for future sabotage (known as pre-positioning)," states Russian-American security analyst Dimitri Alperovitch.