top of page

Russian intelligence blamed for attempted attack on Ukraine’s power grid

Cybersecurity company ESET, along with Ukrain’s CERT, thwarted an attack attributed to Sandworm, the alleged cyber military arm of the GRU

Trostianets, Ukraine, April 15th 2022. Photo: REUTERS/Zohra Bensemra
Trostianets, Ukraine, April 15th 2022. Photo: REUTERS/Zohra Bensemra

It’s been over two months now since Russia invaded Ukraine, and side-by-side the over war of warplanes, tanks and artillery, the covert battlefront of cyber has also been constantly active – from attacks on Ukrainian government websites to global cybersecurity powers sending help to Kyiv, and local “hacker armies.”

In the latest turn of events, cybersecurity company ESET, together with the Ukrainian CERT, has recently identified a cyber attack against a large Ukrainian energy company – which it attributes with “high confidence” to the APT group Sandworm, an alleged cyber military unit of Russia’s main intelligence directorate, the GRU.

According to its report, ESET discovered a new variant of Industroyer malware – which it named Industroyer2. The company previously referred to this malware – also used by the same threat group to cut power in Ukraine in 2016 – as the “biggest threat to industrial control systems since Stuxnet.”

The researchers also discovered that the threat group had deployed the wiper malware CaddyWiper – used in the early days of the Russian invasion against several Ukrainian financial and government entities – scheduling it to operate after the Industroyer attack in order to erase its traces.

At the moment, the researchers don’t know how the attackers compromised the initial victim, nor how they moved from the IT network to the Industrial Control System (ICS) one.

“The attackers’ plan was to disable several infrastructure elements” such as high-voltage power substations and exploiting Windows and Linux vulnerabilities,” said Ukraine’s CERT in a statement, noting that it had “taken urgent measures” in response.

The victim also suffered two waves of the attacks, with the initial compromise taking place in February 2022. “The shutdown of electrical substations and decommissioning of the company’s infrastructure were scheduled for Friday evening, April 8, 2022,” says the CERT’s statement.

5 views0 comments
bottom of page