Ukraine stopped Russian hackers who were trying to attack its power grid

CERT-UA and cybersecurity researchers at ESET detail how malware attacks by the Sandworm hacking group are attempting to interfere with industrial control systems and power grids.
Written by Danny Palmer, Senior Writer

Hackers deployed a new form of malware in an attack that aimed to disrupt an energy facility in Ukraine. 

According to the Governmental Computer Emergency Response Team of Ukraine (CERT-UA), "urgent measures" were taken after malicious hackers launched a malware attack designed to disconnect and decommission industrial infrastructure controlling high-voltage electrical substations. 

CERT-UA says that an attack intended to decommission infrastructure was set for the evening of Friday 8 April, but that this has been prevented.

Analysis by cybersecurity researchers at ESET, who aided CERT-UA in combating the attack, has linked the campaign to the hacking group Sandworm.

Cybersecurity agencies – including the UK National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) – have previously attributed Sandworm and its earlier campaigns to the GRU, which is part of the Russian military.


The attack uses an updated version of Industroyer, a form of malware used in previous campaigns by Sandworm, which infamously caused power outages in Ukraine in 2015. Analysis of the footprint left behind by Industroyer2, which is designed for industrial environments, suggests that an attack against the power systems had been planned for weeks.

It's still uncertain how the targeted power facility was initially compromised, or how the intruders moved from the IT network to the Industrial Control System (ICS) network, but according to CERT-UA, the attackers first entered the network as a whole no later than February 2022. 

In addition to evidence of Industroyer on the network, the attackers also deployed a new version of the CaddyWiper destructive malware. Researchers believe it was planted to slow the energy company's recovery and keep it from regaining control of the ICS consoles following the planned attack.

CaddyWiper was also deployed on the machine infected with Industroyer2, in what was likely an attempt to cover up traces of an attack. 

"Ukraine is once again at the center of cyberattacks targeting their critical infrastructure. This new Industroyer campaign follows multiple waves of wipers that have been targeting various sectors in Ukraine," said ESET researchers in a blog post.

Cybersecurity researchers have previously identified several forms of malware used in cyberattacks against Ukrainian organisations before and during Russia's invasion of Ukraine.
