Behind US cyberoperation that shut down electricity in Caracas ahead of January strikes
Details revealed to The New York Times
The darkness that descended over Caracas in the hours before Venezuelan President Nicolás Maduro was captured on January 3, 2026 by the US military marked a striking illustration of modern warfare’s evolving character — the fusion of physical force and cyber operations. While global attention focused on the dramatic detention of Maduro and the first lady, a quieter but decisive offensive was unfolding inside the digital networks that underpin the capital’s critical infrastructure.
The blackout was not caused by destroyed transmission towers or severed power lines. Instead, it resulted from a precise and invisible manipulation of the industrial control systems that regulate electricity flows, according to US officials briefed on the operation who spoke to The New York Times.
The newspaper described the January 3 operation as one of the most public demonstrations of offensive US cyber capabilities in recent years. It showed that, at least in the case of a country such as Venezuela — whose military lacks sophisticated cyber defences — the United States can deploy cyberweapons with powerful and highly targeted effects.
In parallel, the US military used cyber tools to interfere with Venezuela’s air defence radar, according to people familiar with the matter who discussed sensitive details on condition of anonymity. They noted, however, that the country’s most powerful radar system was not operational at the time of the strikes.
Disabling Caracas’s power grid and degrading radar coverage allowed US military helicopters to enter Venezuelan airspace undetected as part of the mission to capture Maduro, who has since been transferred to the United States, where he faces drug-related criminal charges.
Understanding how grid manipulation works
To understand how an adversary’s power can be cut without firing a shot, experts point to the digital controllers that regulate modern infrastructure. These systems serve as the brains of power grids, responsible for opening valves, spinning turbines and routing electricity. Once considered simple and isolated devices, they have evolved into complex, internet-connected computers as grids have modernized.
In an article published by The Conversation, a cybersecurity researcher detailed how malware can compromise such controllers by creating a “split reality.” The malicious software intercepts legitimate commands sent by grid operators and replaces them with destabilizing instructions.
One technique involves rapidly opening and closing circuit breakers — known as flapping — which can physically damage transformers or generators by forcing them to overheat or fall out of synchronization with the grid. Such damage can trigger fires or explosions and may take months to repair.
At the same time, the malware calculates what sensor data should look like under normal conditions and feeds fabricated readings back to the control room. Operators may see stable voltage levels and green status indicators on their screens even as equipment fails in the physical world. This decoupling of digital information from reality blinds defenders, preventing effective diagnosis or response until the damage is done.
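A defender's view of the two behaviours described above (breaker flapping, and screen readings that no longer match the equipment), as an added example that is not from the article or from The Conversation piece. The log layout, device names, thresholds and the independent out-of-band meter are assumptions, and all sample data is constructed.

```python
from collections import defaultdict, deque

# Constructed sample data (not from the article): breaker state-change events
# as (unix_seconds, breaker_id, new_state) taken from a field-side event log.
BREAKER_EVENTS = [
    (1000, "BRK-1", "OPEN"), (1002, "BRK-1", "CLOSED"), (1003, "BRK-1", "OPEN"),
    (1005, "BRK-1", "CLOSED"), (1006, "BRK-1", "OPEN"), (1007, "BRK-1", "CLOSED"),
    (1000, "BRK-2", "OPEN"), (1900, "BRK-2", "CLOSED"),
]

# Constructed sample data: (unix_seconds, bus_id, kV shown on the operator
# screen, kV from an assumed independent out-of-band meter).
VOLTAGE_SAMPLES = [
    (1000, "BUS-A", 230.1, 229.8),
    (1005, "BUS-A", 230.0, 198.4),   # screen looks normal, the meter disagrees
    (1010, "BUS-A", 230.0, 171.2),
    (1000, "BUS-B", 229.7, 230.2),
]

def find_flapping(events, max_changes=4, window_s=10):
    """Return breaker ids with more than max_changes state changes in window_s."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, breaker, _state in sorted(events):
        q = recent[breaker]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop events outside the window
            q.popleft()
        if len(q) > max_changes:
            flagged.add(breaker)
    return sorted(flagged)

def find_telemetry_mismatch(samples, tolerance_pct=5.0):
    """Return samples where the screen value and the independent measurement
    differ by more than tolerance_pct of the larger of the two."""
    out = []
    for ts, bus, shown, measured in samples:
        reference = max(abs(shown), abs(measured))
        if reference == 0:
            continue                        # both read zero: nothing to compare
        if abs(shown - measured) / reference * 100.0 > tolerance_pct:
            out.append((ts, bus, shown, measured))
    return out

if __name__ == "__main__":
    print("flapping:", find_flapping(BREAKER_EVENTS))
    for row in find_telemetry_mismatch(VOLTAGE_SAMPLES):
        print("mismatch:", row)
```

The second check only helps if the comparison reading travels a path the compromised controller cannot rewrite, which is why the meter is assumed to be out-of-band.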
The researcher pointed to several historical precedents for the use of such technology. The Stuxnet malware, deployed in 2009, targeted Iran’s nuclear enrichment facilities by forcing centrifuges to spin at destructive speeds while displaying false “normal” data to operators. In 2016, Russia’s Industroyer malware attacked Ukraine’s power grid, using the grid’s own industrial communication protocols to open circuit breakers and cut electricity to Kyiv.
More recently, the Volt Typhoon campaign, which the United States has attributed to Chinese sources, was exposed in 2023 after infiltrating US critical infrastructure networks. Rather than causing immediate damage, the attackers sought to remain dormant, positioning themselves to disrupt communications and power systems during a future crisis.
Modern industrial controllers often host their own administrative websites, creating overlooked entry points for attackers. By infecting these web applications, malware can execute inside the browser of engineers or operators who log in to manage facilities. This allows malicious code to piggyback on legitimate user sessions, bypass firewalls and issue commands to physical machinery without cracking device passwords.
The scale of this vulnerability extends well beyond electricity networks to sectors such as transportation, manufacturing and water treatment. The author of The Conversation article warned that these exposed systems offer adversaries a rich environment for reconnaissance, enabling them to identify weak points that can serve as gateways into deeper, more secure networks.
By Nazrin Sadigova







