The Ukrainian government repelled a Russian cyberattack that was set to take out multiple electricity substations and other parts of a grid serving 2 million people on April 8, the Ukrainian government said Tuesday.
The Russian military intelligence hacking group known as Sandworm — a prolific and persistent operation behind the infamous 2016 power grid hack in Ukraine — used a “more developed and sophisticated” version of the “Industroyer” malware used in the 2016 incident, said Victor Zhora, the deputy chief of Ukraine’s State Service of Special Communication and Information Protection, during a briefing with reporters Tuesday.
Analysts with Slovak cybersecurity firm ESET and Microsoft helped the Ukrainian government respond to the attack. ESET on Tuesday published an analysis of the malware, which it’s calling “Industroyer2.” The researchers say they believe it would have been able to control specific industrial control systems in order to cut power at an unidentified electrical facility.
In addition to Industroyer2, ESET researchers reported seeing Sandworm deploy several destructive malware families against the electrical infrastructure that were likely part of an effort to both obfuscate any analysis of the destructive hacking campaign and make systems inoperable and unrecoverable.
The Ukrainians learned of the possible compromise of parts of the grid network from unnamed “partners” in the day before the attack was set to go live, Zhora told reporters. The attack was foiled and the initial investigation shows the attack was set to occur in two waves, with an initial compromise of the system in February 2022 and the planned destruction of the electrical infrastructure scheduled for April 8. The ESET analysis suggests the Industroyer2 malware was compiled on March 23, “suggesting the attackers had planned their attack for more than two weeks.”
“We were able to identify it, fight it, and destroy it,” Zhora said Tuesday, according to a translation of his comments originally delivered in Ukrainian. He added that his hypothesis is that the effort was designed to support Russian efforts to intensify attacks in the east of Ukraine.
“We all know that they are preparing a major onslaught in the Donbas and Kharkiv oblast,” he said. “This is a result of the military failure of the Putin soldiers in Kyiv who have failed at Kyiv’s gate, and he regrouped his army to conquer the east of Ukraine. And likely such actions of his lieutenants in the cybersphere were to buttress and invigorate the hostilities of his soldiers who keep killing the civilian population in our country.”
MIT Technology Review reported Tuesday that Ukraine’s Computer Emergency Response Team originally said the hackers temporarily turned off nine stations. Zhora told Wired in response that the earlier CERT report was a “preliminary report” and that he stood by statements about deflecting the attack. Zhora expressed displeasure with the earlier report leaking.
Later Tuesday, a spokesperson for Zhora’s agency issued another statement: “We are aware about only one substation (with up to nine outgoing transmission lines) among which only one line may have witnessed minute idle period, potentially caused by fault tolerance mechanism.”
Cybersecurity experts and officials in the U.S. reacted quickly to Tuesday’s revelation from the Ukrainians. Jen Easterly, the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) tweeted that her agency is working to exchange information with Ukraine’s Computer Emergency Response Team about the campaign:
John Hultquist, the vice president of intelligence analysis at cybersecurity firm Mandiant, said in a statement that “Sandworm is an apex predator, capable of serious operations, but they aren’t infallible. He added that “the best part of this story is the work by Ukraine CERT and ESET to stop these attacks, which would have probably only worsened Ukrainian suffering. It’s increasingly clear that one of the reasons attacks in Ukraine have been moderated is because defenders there are very aggressive and very good at confronting Russian actors.”
Updated 4/12/22: with additional reporting from MIT Technology Review and Wired, and Zhora and his agency.