Russian hackers tried to bring down Ukraine’s power grid to aid invasion

The document, written by the state-run Ukrainian Computer Emergency Response Team (CERT), describes “at least two successful attack attempts,” one of which began on March 19, just days after Ukraine joined the European power grid in an effort to end dependence on Russia.

After publication, Victor Zhora, the deputy head of the State Special Service for Digital Development in Ukraine, described the private report as “preliminary” to Wired, calling it a “mistake”.

Successful or not, the cyber attacks on Ukraine’s power grid represent a dangerous continuation of Russian aggression against Ukraine through a hacking group known as Sandworm, which the United States has identified as Unit 74455 of Russian military intelligence.

Hackers believed to be working for Russian intelligence previously disrupted the power system in Ukraine in both 2015 and 2016. While the 2015 attack was largely manual, the 2016 incident was an automated attack carried out using malware known as Industroyer. The malware that researchers found in the 2022 attacks is called Industroyer2 because of its similarity.

“We are dealing with an adversary who has drilled us into cyberspace for eight years,” Zhora told reporters on Tuesday. “The fact that we have been able to prevent it shows that we are stronger and better prepared [than last time].”

ESET analysts have dissected Industroyer2’s code to map out its capabilities and goals. The hackers tried not only to cut the power, but also to destroy computers that the Ukrainians use to run their electrical grid. That would have cut off the ability to quickly get power back online using the power company’s computers.

In previous cyber attacks, Ukrainians were able to quickly regain control within hours by reverting to manual operations, but the war has made that extremely difficult. It’s not that easy to send a truck to a substation when enemy tanks and soldiers can be nearby and the computers have been sabotaged.

“If they are openly waging war on our country and beating Ukrainian hospitals and schools, there’s no point in hiding,” Zhora said. “Once you hit Ukrainian homes with missiles, you don’t have to hide anymore.”

Given Moscow’s successful track record of aggressive cyber-attacks against Ukraine and the rest of the world, experts anticipated that the country’s hackers would emerge and wreak havoc. United States officials have warned for months of escalation from Russia as it struggles in the ground war with Ukraine.

Over the course of the war, Ukraine and the United States have both blamed Russian hackers for using multiple wipers. Financial and government systems have been affected. Kiev has also been the target of denial-of-service attacks, rendering government websites useless at key moments.

However, the Industroyer2 attack marks the most serious known cyberattack in the war to date. Ukrainian cybersecurity officials are working with Microsoft and ESET to investigate and respond.

It is one of the few publicly known incidents where government-backed hackers have targeted industrial systems.

The first came to light in 2010, when it was revealed that malware known as Stuxnet was created — allegedly by the United States and Israel — to sabotage Iran’s nuclear program. Russian-backed hackers have also reportedly launched several such campaigns against industrial targets in Ukraine, the United States and Saudi Arabia.

The article was updated to note that a Ukrainian official described the earlier UA-CERT report as “preliminary” and an “error”.

