It’s been more than half a decade since the notorious Russian hackers known as Sandworm targeted a power transmission station north of Kiev a week before Christmas in 2016, using unique, automated code to interact directly with the station’s circuit breakers and knock out the lights in part of the Ukrainian capital. That unprecedented instance of industrial control system malware had never been seen again—until now: in the midst of Russia’s brutal invasion of Ukraine, Sandworm appears to be up to its old tricks.
On Tuesday, Ukraine’s Computer Emergency Response Team (CERT-UA) and the Slovakian cybersecurity firm ESET issued a warning that the Sandworm hacking group, identified as Unit 74455 of Russia’s GRU military intelligence agency, had attacked high-voltage electrical substations in Ukraine using a variant of the malware known as Industroyer, or Crash Override. The new malware, dubbed Industroyer2, can interact directly with equipment in the power infrastructure, sending commands to the substation devices that control the flow of power, just as the earlier sample did. It signals that Russia’s most aggressive cyberattack team has attempted a third blackout in Ukraine, years after its historic attacks on the Ukrainian power grid in 2015 and 2016, which remain the only confirmed blackouts known to have been caused by hackers.
ESET and CERT-UA say the malware was planted on targeted systems at a regional Ukrainian energy firm on Friday. CERT-UA says the attack was detected in progress and stopped before any actual power outage could be triggered. But an earlier private advisory from CERT-UA last week, first reported by MIT Technology Review, said that nine electrical substations had been temporarily shut down.
Both CERT-UA and ESET declined to name the affected utility. But more than 2 million people live in the area it serves, according to Farid Safarov, Ukraine’s deputy energy minister.
“The hacking attempt did not affect the supply of electricity at the power company. It was immediately detected and mitigated,” said Viktor Zhora, a senior official at Ukraine’s cybersecurity agency, the State Service of Special Communications and Information Protection (SSSCIP). “But the planned disruption was huge.” Asked about the earlier report, which appeared to describe an attack that was at least partially successful, Zhora described it as a “preliminary report” and stood by his and CERT-UA’s more recent public statements.
According to CERT-UA, the hackers broke into the targeted electric company in February or possibly earlier – it’s not yet clear exactly how – but they only attempted to deploy the new version of Industroyer on Friday. The hackers also staged multiple forms of wiper malware designed to destroy data on computers at the utility: wipers that target Linux- and Solaris-based systems alongside more common Windows wipers, as well as the piece of code known as CaddyWiper, which was discovered in Ukrainian banks in recent weeks. CERT-UA said Tuesday that it was able to catch this wiper malware too before it could be used. “We were very fortunate that we were able to respond in time to this cyberattack,” Zhora told reporters at a briefing on Tuesday.