Abstract: State supported cyber-attack can intrude into substations automation systems via vendor of control and monitoring system by supply chain attack. It could initiate synchronous disturbance coordinated cyber-attack to trip all circuit breakers within multiple substations without communication among substation, and trigger blackout to maximize the consequence of cyber-attack. The way of switch attack of substation is analyzed. A disturbance based coordination mechanism is proposed to synchronize cyber- attack in various substations. Synchronous disturbance coordinated cyber-attack with under-voltage is simulated with IEEE 39 node system. Simulation result indicates that short circuit fault could trigger targeted malware in neighboring substations and result in proactive cascade outage of multiple substations or even catastrophic blackout. The way to detect undermined targeted malware coordinated by disturbance in substations automation system is proposed in the end.