Ukrainian officials say an attempt by Russian hackers designed to knock out power nationwide had been thwarted.
The Russian hackers attempted to knock out power to millions of Ukrainians in a long-planned attack last week but failed.
According to Ukrainian government officials, at one targeted high-voltage power station, the hackers succeeded in penetrating and disrupting part of the industrial control system, but people defending the station were able to prevent electrical outages.
Victor Zhora, a top Ukrainian cyber security official, commented that “the threat was serious, but it was prevented in a timely manner”, and told reporters through an interpreter that “it looks that we were very lucky”.
The hackers used an upgraded version of the malware first seen in their successful 2016 attack that caused blackouts in Kyiv, this time customised to target multiple substations. They simultaneously seeded wiper malware designed to destroy the operating systems of the computers involved, so as to hinder recovery.
Nozomi Networks Labs has provided insights on Ukraine’s defeat of a Russian cyber attack attempting to disrupt critical infrastructure. The hackers were targeting the electricity grid and related facilities, which would have severely damaged Ukraine’s defences.
The attack, believed to have been carried out by a Russian military-supported group known as “Sandworm”, is another effort to shut down Ukraine’s key systems, according to Nozomi Networks Labs. Sandworm’s strategy is to infiltrate systems and lie in wait for several weeks. This strategy can be particularly damaging, as the hackers may gain access to a wide range of services and facilities before they are detected.
The nature of this attack is one that everyone in the international critical infrastructure community should note, according to Chris Grove, director of cyber security strategy at Nozomi Networks, who explained that it is one of only a handful of attacks that have directly hit operational technology (OT) systems.
“According to Nozomi Networks Labs, there have been reports of some hardcoded IPs in the malware sample, which is an indication that the threat actors had intimate knowledge of the environment they were deploying this in.
“Much like the similar malware that Sandworm deployed in Ukraine in 2016, industrial control systems (ICS) operators must monitor their networks for any strange activity, as Russian tactics prove to sit in environments for weeks to months before executing these attacks.”
Nozomi Networks Labs warns that critical infrastructure operators should now be on the lookout for strange activity.
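The hardcoded IP addresses mentioned above are the kind of artefact a responder pulls out of a sample first, because they say where the malware expected to find its targets. The script below is an added illustration of that check and is not code from the article, Nozomi Networks or ESET: it scans a binary for IPv4 literals stored as plain ASCII or as UTF-16LE wide strings, discards candidates that are not valid addresses, and flags those in non-globally-routable ranges, which point at internal assets and so suggest prior knowledge of the environment. The SAMPLE bytes are constructed for the demonstration and are not an Industroyer2 sample; the addresses in them are made up, and the function names are the example’s own.

```python
"""Pull IPv4 literals out of a binary and flag the ones that name internal hosts.

Added example, not the article's or any vendor's code. SAMPLE is a constructed
blob, not real malware; every address in it is invented.
"""
import ipaddress
import re

# Constructed sample: a fake header, an ASCII address, some NUL padding, a
# UTF-16LE (wide) address, a three-part version string and an out-of-range
# address that must both be ignored, then filler bytes.
SAMPLE = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 8          # offsets 0-11: fake header
    + b"10.82.40.105\x00"                      # offset 12: ASCII string
    + b"\x00\x00\x00"                          # padding between the strings
    + "192.168.7.33".encode("utf-16le") + b"\x00\x00"  # offset 28: wide string
    + b"v3.0.0\x00"                            # not an address (three groups)
    + b"999.1.1.1\x00"                         # four groups, but 999 > 255
    + b"\xde\xad\xbe\xef" * 4
)

# Four groups of 1-3 digits, not part of a longer dotted or digit run, so
# "1.2.3.4.5" and "10.0.0.12345" are not sliced into false hits.
_ASCII_IPV4 = re.compile(rb"(?<![0-9.])(?:\d{1,3}\.){3}\d{1,3}(?![0-9.])")

# The same shape with every character followed by a NUL byte, which is how
# Windows binaries store wide strings; the lookarounds mirror the ASCII ones.
_WIDE_IPV4 = re.compile(
    rb"(?<![0-9.]\x00)(?:(?:\d\x00){1,3}\.\x00){3}(?:\d\x00){1,3}(?!\x00?[0-9.])"
)


def find_hardcoded_ipv4(blob: bytes) -> list[dict]:
    """Return every valid IPv4 literal in blob, in file order.

    Each hit records the byte offset, the string encoding it was found in,
    the normalised address and whether it lies in a non-globally-routable
    range (RFC 1918 plus loopback, link-local and similar reserved blocks).
    """
    hits = []
    for encoding, pattern in (("ascii", _ASCII_IPV4), ("utf-16le", _WIDE_IPV4)):
        for match in pattern.finditer(blob):
            text = match.group(0).replace(b"\x00", b"").decode("ascii")
            try:
                addr = ipaddress.IPv4Address(text)  # rejects octets above 255
            except ValueError:
                continue
            hits.append({
                "offset": match.start(),
                "encoding": encoding,
                "address": str(addr),
                "private": addr.is_private,
            })
    return sorted(hits, key=lambda h: h["offset"])


def private_targets(hits: list[dict]) -> list[str]:
    """Unique internal addresses from the hits, in numeric order.

    These are the ones worth checking against the asset inventory, since an
    outsider cannot learn them by scanning from the Internet.
    """
    return sorted({h["address"] for h in hits if h["private"]},
                  key=ipaddress.IPv4Address)


if __name__ == "__main__":
    import sys

    # Pass a file path to scan a real binary; with no argument the constructed
    # sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for hit in find_hardcoded_ipv4(data):
        scope = "private" if hit["private"] else "public"
        print(f"0x{hit['offset']:08x}  {hit['encoding']:8}  {hit['address']:15}  {scope}")
```

On the constructed sample the scan reports the ASCII address at offset 12 and the wide one at offset 28, skips the version string and the 999.x candidate, and lists both survivors as private. Against a real sample the private list is the set to compare with the substation's own addressing plan; a match is exactly the "intimate knowledge of the environment" signal the quote describes.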
Ukrainian authorities did not specify how many substations were targeted or their location, citing security concerns, but a deputy energy minister, Farid Safarov, revealed that “two million people would have been without electricity supply if it was successful”.
Zhora, the deputy chair of the State Service of Special Communications, further explained that the malware was programmed to knock out power on Friday evening just as people returned home from work and switched on news reports.
Zhora said the power grid networks had been penetrated before the end of February, when Russia invaded, and that the attackers later uploaded the malware, dubbed Industroyer2. The malware succeeded in disrupting one component of the targeted power station’s supervisory control and data acquisition (SCADA) systems.
Zhora would not offer further details or explain how the attack was defeated or which partners may have assisted directly in defeating it but acknowledged the depth of international assistance Ukraine has received in identifying intrusions and the challenges of trying to rid government, power grid and telecommunications networks of attackers. Zhora stressed that Russian cyber attacks have not successfully knocked out any power to Ukrainians since this invasion began.
Those helpers include operators from US Cyber Command.
Cybercom was asked if it assisted in the emergency response but did not immediately answer.
In a bulletin posted online, the Computer Emergency Response Team of Ukraine (CERT-UA) thanked Microsoft and the cyber security firm ESET for their assistance in dealing with the power grid attack.
The destructive attacks had been planned at least since 23 March, according to officials, and Zhora speculated it was timed by Russia to “invigorate” its soldiers after they took heavy losses in a failed bid to capture Kyiv, the capital.