Russian hackers Sandworm made a third attempt to cut off electricity in Ukraine


More than half a decade has passed since the infamous Russian hackers known as Sandworm struck a power transmission station north of Kyiv the week before Christmas in 2016, using a unique, automated piece of code to interact directly with the station's circuit breakers and turn off the lights in part of Ukraine's capital. That unprecedented piece of industrial control malware had never been seen again—until now: in the midst of Russia's brutal invasion of Ukraine, Sandworm appears to be returning to its old tricks.


On Tuesday, the Ukrainian Computer Emergency Response Team (CERT-UA) and Slovak cybersecurity firm ESET released reports that the Sandworm hacker group, confirmed as Russian military intelligence unit GRU 74455, attacked high-voltage electrical substations in Ukraine using a variant of the malware known as Industroyer or CrashOverride. The new malware, dubbed Industroyer2, can communicate directly with power grid equipment and send commands to the substation devices that control the flow of electricity, just like the earlier sample. This signals that Russia's most aggressive cyberattack group has launched its third blackout attempt in Ukraine, years after its historic cyberattacks on Ukrainian energy systems in 2015 and 2016, which are still the only confirmed power outages known to have been caused by hackers.


ESET and CERT-UA report that the malware was planted on targeted systems of a regional Ukrainian energy company on Friday. CERT-UA says the attack was detected in progress and stopped before any actual shutdown could be triggered. But an earlier private advisory from CERT-UA last week, first reported by MIT Technology Review today, stated that electricity was temporarily cut off at nine electrical substations.

Both CERT-UA and ESET declined to name the affected utility. But according to Ukraine's Deputy Minister of Energy Farid Safarov, more than 2 million people live in the region it serves.


"The intrusion attempt did not affect the supply of electricity to the electric company. It was quickly detected and eliminated," says Viktor Zhora, a senior official at the Ukrainian cybersecurity agency known as the State Service for Special Communications and Information Protection (SSSCIP). "But the planned failure was huge." Asked about the earlier report that appeared to describe an attack that was at least partially successful, Zhora called it a "preliminary report" and stood by the latest public statements made by him and CERT-UA.

According to CERT-UA, the hackers infiltrated the targeted electric utility in February, and possibly earlier, though exactly how is still unclear, but only attempted to deploy the new version of Industroyer on Friday. The hackers also deployed several forms of "wiper" malware designed to destroy data on computers inside the utility, including wipers built for Linux and Solaris-based systems as well as the more common Windows wipers, along with a piece of code known as CaddyWiper, which has been found in Ukrainian banks in recent weeks. On Tuesday, CERT-UA said it was also able to catch this malware before it could be used. "We are very lucky that we were able to respond to this cyberattack in a timely manner," Zhora told reporters at a briefing on Tuesday.

The original Sandworm Industroyer malware, discovered after the December 2016 cyberattack on the Ukrainian energy company Ukrenergo, was the first malware found in the wild that could directly interact with power grid equipment with the intention of causing a power outage. Industroyer could send commands to circuit breakers using any of four industrial control system protocols, and its modular design allowed the code components for those protocols to be swapped out so that the malware could be retargeted at other utilities. The malware also included a component to disable safety devices known as protective relays, which automatically cut off the flow of power when dangerous electrical conditions are detected; disabling them could have caused potentially catastrophic physical damage to the targeted transmission station's equipment when Ukrenergo's operators turned the power back on.

Both Zhora of SSSCIP and ESET say that the new version of Industroyer had the ability to send commands to circuit breakers to trigger a power outage, just as the original version did. ESET also found that the malware can send commands to protective relays, and its analysts reported clear similarities between the components of the new Industroyer and the original, giving them "high confidence" that the new malware was created by the same authors. But the exact capabilities of the new grid-targeting malware sample remain far from clear.

However, the emergence of a new version of Industroyer signals that Sandworm's grid-hacking days are far from over, despite the group's apparent shift over the past five years to other forms of disruptive attacks, such as the 2017 release of the self-spreading NotPetya malware, which caused $10 billion in damage worldwide, the Olympic Destroyer cyberattack on the 2018 Winter Olympics, and a massive cyberattack on Georgian websites and TV channels in 2019. "The fact that this group still uses and maintains this tool and uses it against industrial control systems is of great importance," says ESET's head of threat research, Jean-Ian Boutin. "That means they are developing tools that will allow them to really interfere with things like electricity and energy. So it's definitely a threat to other countries in the world as well."

The exposure of the Sandworm blackout attempt provides further evidence that the Russian invasion of Ukraine has been accompanied by a new wave of cyberattacks on the country's networks and critical infrastructure, albeit with mixed success. For example, an attack on satellite internet company Viasat on February 24, just as Russia launched its full-scale invasion, resulted in a significant disruption of Ukrainian military communications, as well as knocking thousands of other Viasat users outside Ukraine offline. But other cyberattacks, such as the waves of wiper malware infections targeting Ukrainian networks, have had far less impact than the destructive hacking operations that have hit Ukraine since 2014.

At a press briefing on Tuesday, SSSCIP's Zhora took the opportunity to argue that the relatively limited damage from Russia's cyber operations reflects not only Russia's lack of focus on cyberwarfare as it wages full-scale physical war, but also Ukraine's growing ability to defend itself in the digital domain. "We were dealing with an opponent who constantly trained us. Since 2014, we have been under constant aggression, and our expertise in how to repel this aggression is unique," Zhora says. "We are stronger. We are more prepared. And, of course, we will ensure victory."

Updated with additional information about CERT-UA's earlier private advisory on the Industroyer malware attack.

More Great WIRED Stories
