
Russian Sandworm Hackers Attempted A Third Power Outage In Ukraine


More than half a decade has passed since the notorious Russian hacker group known as Sandworm targeted a power transmission station north of Kyiv a week before Christmas 2016, using unique, automated code to interact directly with the station's circuit breakers and turn off the lights to a small part of Ukraine's capital. That unprecedented sample of industrial control system malware had never been seen again, until now: in the midst of Russia's brutal invasion of Ukraine, Sandworm appears to be playing its old tricks.

On Tuesday, the Ukrainian Computer Emergency Response Team (CERT-UA) and the Slovakian cybersecurity firm ESET issued advisories stating that the Sandworm hacker group, identified as Unit 74455 of Russia's GRU military intelligence agency, had targeted high-voltage substations in Ukraine using a variant of a piece of malware known as Industroyer or Crash Override. The new malware, dubbed Industroyer2, can interact directly with equipment in electrical utilities to send commands to substation devices that control the flow of current, just like its predecessor. It signals that Russia's most active cyberattack team attempted a third blackout in Ukraine, years after the historic cyberattacks on the Ukrainian power grid in 2015 and 2016, which remain the only outages confirmed to have been caused by hackers.

ESET and CERT-UA said the malware was installed on targeted systems at a regional Ukrainian energy company on Friday. CERT-UA says that the attack was successfully detected in progress and stopped before any real power outages could be triggered. But an earlier, separate advisory from CERT-UA last week, first reported by MIT Technology Review today, said that power had been temporarily cut to nine power substations.

Both CERT-UA and ESET declined to name the affected utility. But more than 2 million people live in the area it serves, according to Farid Safarov, Deputy Minister of Energy of Ukraine.

“The attack did not affect the electricity supply at the power company,” said Viktor Zhora, a senior official at Ukraine's cybersecurity agency, known as the Special Service for the Protection of Information and Communications (SSSCIP). “But the intended disruption is huge.” When asked about the earlier report, which seemed to describe an attack that was at least partially successful, Zhora described it as a “preliminary report” and stood by his and CERT-UA's most recent public statements.

According to CERT-UA, the hackers infiltrated the targeted electric utility in February, or possibly earlier (exactly how is still unclear), but only managed to deploy the new version of Industroyer on Friday. The hackers also deployed various forms of “wiper” malware designed to destroy data on computers inside the utility, including wiper software that targets Linux and Solaris-based systems, as well as more common Windows wipers, and a piece of code called CaddyWiper that has been found inside Ukrainian banks in recent weeks. CERT-UA announced on Tuesday that it was also able to catch this wiper malware before it could be used. “We are very fortunate to have been able to react in time to this cyberattack,” Zhora told reporters at a news conference on Tuesday.


