The notorious Russian hackers known as Sandworm attacked an electrical substation in Ukraine last year and caused a brief power outage, according to a report released Thursday by the cybersecurity firm Mandiant.
The attack is the first time since 2017 that the power has gone out in Ukraine due to a cyberattack, and Thursday’s report sheds new light on how Russian hackers are carrying out digital attacks on Ukrainian infrastructure since last year’s invasion.
Sandworm, a hacking group linked to Russia’s Main Intelligence Directorate (GRU), carried out the attack by relying on tools already present on the substation’s operational technology networks, then used a wiper to cover its tracks on the victim’s IT networks, according to Mandiant, which was acquired by Google last year.
The attack appears to have been carried out to achieve a psychological impact rather than a specific military objective, said John Hultquist, Mandiant’s chief analyst.
“There’s not much evidence that this attack was designed for any practical, military necessity. Civilians are typically the ones who suffer from these attacks and they are probably carried out to exacerbate the psychological toll of the war,” Hultquist said. “It’s important that we not lose sight of the serious threat Ukraine is still facing, especially as winter approaches.”
The attack on the Ukrainian grid represents one component of broad, frequent attacks on Ukrainian infrastructure by Russian hackers. Both private and public entities in Ukraine have faced thousands of cyberattacks since Russia invaded, but Kyiv has been fairly successful in repelling these digital assaults. The attack on Ukraine’s grid described by Mandiant this week is the first known instance of Russian hackers successfully turning out the lights since the February 2022 invasion.
It’s not clear how Sandworm initially got into the substation’s networks, but the initial intrusion is thought to have happened sometime around June 2022. On Oct. 10, 2022, the attackers cut power by manipulating the substation’s systems. The power outage lasted less than a day, according to Mandiant.
Two days later, Sandworm deployed a variant of the Caddywiper malware on the IT networks of the substation to hide its tracks.
Sandworm is among the most enduring and effective publicly known Russian hacking operations. The group has been blamed for the NotPetya attack, which is believed to be the most economically damaging cyberattack on record, and attacks on the 2018 Winter Olympics in South Korea.
Sandworm has carried out a series of attacks on the Ukrainian grid since seizing control of the Crimean peninsula in 2014, kicking off the conflict between Moscow and Kyiv. In 2016 and 2017, Sandworm successfully attacked the Ukrainian grid, shutting off power in the dead of winter.
The group has a long-standing focus on Ukraine, the researchers said Thursday, deploying multiple rounds of wiper malware both before and after Russia’s 2022 invasion. Ukraine’s Computer Emergency Response Team (CERT-UA), which tracks the group as UAC-0082, has blamed the unit for multiple incidents during the war, including a thwarted attack on several electricity substations and other parts of a grid serving 2 million people in April 2022, Ukrainian officials said at the time.
Victor Zhora, a top Ukrainian cyber official, said that this was the second time a “cyber weapon” was used against Ukrainian energy companies since the Russian invasion last year. Speaking at the CYBERWARCON security conference in Arlington, Va., on Thursday, Zhora said that the latest attacks were “thankfully, not very effective,” though he did point to other outages that could have been caused by a cyberattack.
Ukrainian officials have also blamed Russian hackers for deploying the malware Industroyer.V2, which was discovered before it could be used to disrupt power.
Since the launch of Russia’s full-blown invasion last year, analysts have puzzled over the extent to which the Kremlin has succeeded in integrating kinetic and cyber operations. The invasion coincided with a Russian attack on a Viasat satellite internet system, disrupting communications for Kyiv at a crucial moment in the conflict. But as the conflict has dragged on, Russian cyber operations have shifted toward intelligence gathering.
The attack on the substation may be a rare example of coordinated Russian cyber and kinetic attacks, but that remains difficult to confirm. Mandiant’s analysts note that the attack on the Ukrainian substation coincided with the “start of a multi-day set of coordinated missile strikes on critical infrastructure across Ukraine,” but caution that they “lack sufficient evidence to assess a possible link.”
Nathan Brubaker, head of emerging threat and analytics at Mandiant, said that Sandworm could have carried out the attack weeks earlier. “Sandworm is a very, very capable and well-resourced organization, so without question, they could have done this sooner if they wanted to,” Brubaker said.
Sandworm appears to have developed the operational technology component of the attack in around two months. Successful attacks on industrial plants or utilities that target operational technology typically take much longer due to the complex and unique nature of each industrial facility. The speed with which Sandworm developed the attack speaks to its resources and the skills of its members.
Sandworm’s substation attack relied entirely on tools already present in the target environment — a technique known as “living off the land.” This gave Sandworm added flexibility to carry out the attack, while also making it harder for defenders to detect them.
It also means that instead of spending millions of dollars to develop complex OT-specific malware — like the Russian-developed Triton malware that targeted a Saudi Arabian petrochemical plant in 2017 — Sandworm could instead rely on its members’ exquisite understanding of the system they attacked to disable it, Brubaker said.
While it’s unclear how Sandworm carried out the initial intrusion, once inside the substation’s network the hackers issued commands through an end-of-life MicroSCADA control system, most likely opening circuit breakers and causing the outage.
What’s concerning is that there is nothing unique about the MicroSCADA device, meaning that Sandworm can “carry out some similar type of attack at some other target anywhere in the world, theoretically, using what’s present in the local environment,” Brubaker said.
“It makes it really difficult for the defender,” he added. “They have to both defend against malware coming in, or new files coming in, and existing technologies and files and software that exists.”