Russian Sandworm Hackers Attempted A Third Blackout In Ukraine

More than half a decade has passed since the infamous Russian hackers known as Sandworm attacked an electrical transmission station north of Kiev a week before Christmas in 2016, using a unique, automated piece of code to communicate directly with the station's circuit breakers and cut the lights to a fraction of Ukraine's capital. That unprecedented instance of malware for industrial control systems had never been seen again – until now: amid Russia's brutal invasion of Ukraine, Sandworm seems to be up to its old tricks.

On Tuesday, Ukraine's Computer Emergency Response Team (CERT-UA) and Slovakian cybersecurity firm ESET advised that the Sandworm hacker group, confirmed to be Unit 74455 of Russian military intelligence agency GRU, had targeted high-voltage electrical substations in Ukraine using a variation of a piece of malware known as Industroyer or Crash Override. The new malware, called Industroyer2, can directly communicate with equipment in electrical utilities to send commands to substation devices that control the flow of power, just like the earlier example. It indicates that Russia's most aggressive cyberattack team has attempted a third blackout in Ukraine, years after the historic cyberattacks on Ukraine's power grid in 2015 and 2016, which remain the only confirmed blackouts known to have been caused by hackers.

ESET and CERT-UA say the malware was planted on target systems within a regional Ukrainian energy company on Friday. CERT-UA says the attack was successfully detected and stopped before an actual blackout could be triggered. But an earlier private advisory from CERT-UA last week, first reported today by MIT Technology Review, stated that power to nine electrical substations had been temporarily shut down.

Both CERT-UA and ESET declined to name the affected utility. But more than 2 million people live in the area it serves, according to Farid Safarov, Ukraine’s deputy energy minister.

“The hacking attempt did not affect the electricity supply to the power company. It was immediately detected and restricted,” said Viktor Zhora, a senior official at Ukraine’s cybersecurity agency known as the State Services for Special Communication and Information Protection (SSSCIP). “But the intended disruption was huge.” When asked about the earlier report that appeared to describe an attack that was at least partially successful, Zhora described it as a “preliminary report” and stuck to the most recent public statements by him and CERT-UA.

According to CERT-UA, hackers broke into the target power company in February, or possibly earlier – how exactly is not yet clear – but only tried to deploy the new version of Industroyer on Friday. The hackers also deployed multiple forms of "wiper" malware designed to destroy data on computers within the utility, including wiper software targeting Linux and Solaris-based systems, as well as more common Windows wipers, and also a piece of code known as CaddyWiper that was found in Ukrainian banks in recent weeks. CERT-UA also claimed Tuesday that it was able to catch this wiper malware before it could be used. "We were very lucky to be able to respond to this cyber attack in a timely manner," Zhora told reporters at a news conference on Tuesday.

This post, "Russian Sandworm Hackers Attempted A Third Blackout In Ukraine", was originally published at https://www.wired.com/story/sandworm-russia-ukraine-blackout-gru