Other
BlackEnergy/KillDisk: First Cyberattack Causing a Power Outage (Ukraine, Sandworm)
Incident Details
On December 23, 2015, coordinated cyberattacks against three Ukrainian electricity distribution companies (Prykarpattyaoblenergo, Chernivtsioblenergo, and Kyivoblenergo) caused the first confirmed power outages attributed to a cyberattack. Approximately 230,000 consumers lost power for one to six hours on a winter evening. The attackers had gained their initial foothold months earlier through spear-phishing emails carrying macro-enabled Microsoft Word documents that installed the BlackEnergy3 malware on employee workstations in the companies' IT networks; from there they harvested credentials and moved into the SCADA environment over the utilities' own VPN and remote-access paths. On December 23 they acted in parallel: (1) took control of operator HMI sessions through that remote access and opened breakers at around 30 substations, cutting power; (2) ran KillDisk to wipe SCADA workstations and servers, destroying their operating systems and blocking quick recovery; (3) flooded customer call centers with a telephone denial-of-service attack so that outage reports were delayed. They also scheduled UPS units to cut power to control-center servers and overwrote the firmware of serial-to-Ethernet converters at substations, severing remote control of field devices. Restoration required field engineers to travel to the substations and close each breaker manually. The operation was attributed to Sandworm, the GRU unit later identified as Unit 74455. ICS-CERT (whose functions now sit within CISA) published an alert on the attack in February 2016. The attack was a watershed moment for ICS/OT security, demonstrating that a cyber operation could produce physical effects against civilian infrastructure, and it preceded the more sophisticated Industroyer attack on a transmission-level substation near Kyiv one year later.
Technical Details
- Initial Attack Vector
- Sandworm (GRU) sent spear-phishing emails carrying malicious Microsoft Word documents whose VBA macros installed BlackEnergy3 on employee workstations in the utilities' IT networks; the attackers then harvested credentials and pivoted into the SCADA networks over the utilities' VPN and remote-access tools. On the day of the attack they took over operator HMI sessions remotely and opened breakers, then ran KillDisk to wipe SCADA workstations and servers so that operators could neither regain control from the consoles nor restore them quickly
- Vendor / Product
- Microsoft Office (macro-enabled Word documents); ICS/SCADA and HMI systems at the distribution utilities; substation serial-to-Ethernet converters; UPS remote-management interfaces
- Malware Family
- BlackEnergy3; KillDisk
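The initial access vector listed above, macro-enabled Office documents delivered by spear-phishing, is something a mail gateway can triage before any user opens the attachment. The following is an added example, not code from the original page or from any incident report: a Python check that flags attachments carrying a VBA project, whether packaged as OOXML (a .docm, or a renamed .docx that still contains word/vbaProject.bin) or as a legacy binary .doc OLE container. The OLE check is a byte-pattern heuristic for the UTF-16LE directory entry name _VBA_PROJECT rather than a full compound-file parse; the sample documents are constructed in memory so the script runs offline, and all function and variable names are the author's own assumptions.

```python
"""Gateway-side triage for macro-bearing Office attachments.

Added example (not from the incident write-up): flag Office documents that
carry a VBA project, whether they arrive as OOXML (.docm, or a .docx that
smuggles word/vbaProject.bin) or as a legacy OLE/CFB binary (.doc, .xls).
"""
import io
import zipfile

# Magic bytes of an OLE2 compound file (the legacy .doc/.xls container).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# OLE directory entries are named in UTF-16LE; a VBA project always carries a
# "_VBA_PROJECT" stream and normally lives under a "Macros" storage.
# Heuristic only: a production gateway should parse the directory (e.g. olevba).
OLE_VBA_MARKERS = ["_VBA_PROJECT".encode("utf-16-le"), "Macros".encode("utf-16-le")]

# Extensions that promise "no macros"; a VBA project under one of these is a
# mismatch worth its own flag (assumed policy, not from the page).
NO_MACRO_EXTS = {"docx", "xlsx", "pptx"}


def ooxml_has_macros(data: bytes) -> bool:
    """True if an OOXML package embeds a VBA project or declares itself macro-enabled."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return "macroEnabled" in ctypes
    except zipfile.BadZipFile:
        return False
    return False


def ole_has_macros(data: bytes) -> bool:
    """Heuristic: OLE container whose raw bytes contain a VBA directory name."""
    if not data.startswith(OLE_MAGIC):
        return False
    return any(marker in data for marker in OLE_VBA_MARKERS)


def classify_attachment(filename: str, data: bytes) -> dict:
    """Return a triage verdict for one attachment; quarantine anything carrying VBA."""
    if data.startswith(ZIP_MAGIC):
        container, macros = "ooxml", ooxml_has_macros(data)
    elif data.startswith(OLE_MAGIC):
        container, macros = "ole", ole_has_macros(data)
    else:
        container, macros = "other", False
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "file": filename,
        "container": container,
        "macros": macros,
        "ext_mismatch": macros and ext in NO_MACRO_EXTS,
        "quarantine": macros,
    }


# --- Constructed sample attachments (dummy content, not real malware) --------

def build_ooxml(macro: bool) -> bytes:
    """Minimal Word OOXML package, optionally carrying a dummy VBA project part."""
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml" if macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder, not a real VBA blob
    return buf.getvalue()


def build_ole(macro: bool) -> bytes:
    """OLE magic plus filler; with macro=True, a UTF-16LE _VBA_PROJECT entry name."""
    blob = bytearray(OLE_MAGIC + b"\x00" * 504)  # 512-byte header region, filler only
    if macro:
        blob += "_VBA_PROJECT".encode("utf-16-le")
    blob += b"\x00" * 64
    return bytes(blob)


if __name__ == "__main__":
    samples = [
        ("Account_Statement.docx", build_ooxml(False)),
        ("Account_Statement.docm", build_ooxml(True)),
        ("Account_Statement.docx", build_ooxml(True)),   # macro package renamed to .docx
        ("Account_Statement.doc", build_ole(True)),
        ("Account_Statement.doc", build_ole(False)),
    ]
    for name, blob in samples:
        print(classify_attachment(name, blob))
```

The verdict keys off the container contents, not the file extension, because the extension is attacker-controlled; the ext_mismatch flag exists so that a macro package arriving under a "safe" extension is surfaced separately for analysts. For .doc/.xls binaries the marker search is deliberately conservative (a VBA project cannot exist without a _VBA_PROJECT stream), but a proper OLE directory parse such as olevba should replace it in production.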
Timeline
- 2015-12-23 Outage occurred (initial compromise of the utilities' IT networks took place months earlier)
- 2016-01-07 Publicly disclosed