High-voltage electricity towers and power lines seen during daytime at a power substation.

More than five years have passed since the notorious Russian hackers known as Sandworm targeted an electrical transmission station north of Kyiv a week before Christmas in 2016, using a unique, automated piece of code to interact directly with the station's circuit breakers and turn off the lights to a fraction of Ukraine's capital. Now, in the midst of Russia's brutal invasion of Ukraine, Sandworm appears to be pulling out its old tricks.

On Tuesday, the Ukrainian Computer Emergency Response Team (CERT-UA) and the Slovakian cybersecurity firm ESET issued advisories that the Sandworm hacker group, confirmed to be Unit 74455 of Russia's GRU military intelligence agency, had targeted high-voltage electrical substations in Ukraine using a variation on a piece of malware known as Industroyer or Crash Override. The new malware, dubbed Industroyer2, can interact directly with equipment in electrical utilities to send commands to substation devices that control the flow of power, just like that earlier sample. It signals that Russia's most aggressive cyberattack team attempted a third blackout in Ukraine, years after its historic cyberattacks on the Ukrainian power grid in 2015 and 2016, still the only confirmed blackouts known to have been caused by hackers.

CERT-UA and ESET say the malware was planted on systems at a regional Ukrainian energy firm on Friday. According to CERT-UA, the attack was detected in progress and stopped before it could cause any damage. An earlier, private advisory from CERT-UA, however, stated that power had been temporarily switched off to nine electrical substations.


Neither CERT-UA nor ESET named the utility. More than 2 million people live in the area it serves.

"The hack attempt did not affect the provision of electricity at the power company. It was promptly detected and mitigated," says Viktor Zhora, a senior official at Ukraine's cybersecurity agency, known as the State Services for Special Communication and Information Protection (SSSCIP). "But the intended disruption was huge." Asked about the earlier report that seemed to describe an attack that was at least partially successful, Zhora described it as a "preliminary report" and stood by his and CERT-UA's most recent public statements.

According to CERT-UA, the hackers penetrated the target electric utility in February but only attempted to deploy the new version of Industroyer on Friday. They also planted multiple forms of wiper malware designed to destroy data on computers within the utility, including more common Windows wipers and a piece of code known as CaddyWiper. CERT-UA said Tuesday that it was able to catch the malicious software before it could be activated.