Sandworm, a Russian state-sponsored hacking group, attempted to infiltrate Ukrainian power substations of a private energy company to deploy malicious code capable of shutting off electricity to two million people, Ukrainian government officials and cyber researchers said Tuesday.
The cyberattack, which Russia’s military spy agency originally planned for Friday evening, appears to have fallen short of cutting off power. The Ukrainian government’s computer emergency response team said it was able to stop the hackers from “carrying out [their] malicious intent.” Top Ukrainian cyber official Victor Zhora said the attack was “effectively rebuffed.”
According to cybersecurity firm ESET, the hacking group, which the Justice Department has previously linked to Russia’s GRU military intelligence agency, used destructive malware known as “Industroyer2,” a new version of the Industroyer malware, which is designed to disrupt civilian electricity supply by targeting high-voltage electrical substations.
This was the work of “military IT hackers from the Russian Federation,” Zhora said, and the investigation is ongoing.
The malware “was empowered to send commands to the switchers,” Zhora explained, noting the malicious code was more sophisticated than the version deployed during the NotPetya attack.
Russian-backed hackers tried to cover their tracks by deploying CaddyWiper and other data-wiping malware after the intrusion.
For years, Russia-backed hackers have tested their cyber weapons on Ukraine. The 2017 NotPetya attack by the GRU used the same tactic as the 2020 SolarWinds attack that compromised nine U.S. government agencies and scores of American companies: sabotaging a widely used piece of software to break into thousands of Ukraine’s networks.
CISA Director Jen Easterly tweeted Tuesday that the agency is working closely with Ukrainian officials to understand the incident and relay relevant information to U.S. infrastructure partners.
The Sandworm hacking group has succeeded in cutting power to parts of Ukraine in the past, in 2015 and 2016. “Proud of Ukrainian cyber defenders and ESET this morning,” John Hultquist, vice president of intelligence analysis at Mandiant, tweeted Tuesday. “This is a big win against a determined adversary. You’re setting the standard for defenders.” Ukrainian officials said they first learned of the intrusion on April 7, the eve of the planned attack on April 8.
Ukrainian officials declined to say which specific energy company or facilities had been targeted. “The name of the facility cannot be put into public domain,” Zhora said. But he added that the cyber attack “was supposed to inflict serious damages and consequences both for the staff of the facility who were renovating and renewing the electricity supplies of the facilities [targeted] and for the ordinary customers coming back home.”
Since the hackers planned to launch their attack on Friday evening, Ukrainian officials speculated that any outage could have affected Ukrainians who “were looking to television to know what was going on in the country, the news from the front line.”
While this incident failed to cause any electricity outages, Zhora noted the malware code “has been successful at getting into the management technological system.” He added, “There were some disruptions at one of the components in the system, but we detected it immediately and fixed it.”
The attack did impact a few networks within one company. Investigators are continuing to check “to see if remnants of codes are in other energy facilities,” in an effort to prevent similar attacks.
Ukraine’s computer security team indicated in a Facebook post Tuesday that the targeted organization “suffered two waves of attacks.” The first compromise occurred “no later than February 2022,” and “the power outage and the removal of the company’s infrastructure were scheduled for Friday evening, April 8, 2022,” but “at the moment has been prevented.”
Ukrainian officials stressed that despite the seriousness of this attack, the onslaught isn’t new. “We are dealing with an opponent that has been constantly draining us for eight years in the cyber space, drilling us since 2014. We’ve been on the end of constant aggression,” Zhora said.