BOSTON – Russian military hackers tried to knock out power to millions of Ukrainians last week in a long-planned attack, but were thwarted, Ukrainian government officials said Tuesday.
At a targeted high-voltage power plant, the hackers managed to penetrate and disrupt part of the industrial control system, but people defending the station were able to prevent power outages, the Ukrainians said.
“The threat was serious, but it was prevented in a timely manner,” a top Ukrainian cyber security official, Victor Zhora, told reporters through an interpreter. “It looks like we were very lucky.”
The hackers, from the Russian military intelligence agency GRU, used an upgraded version of malware first seen in the agency's successful 2016 attack, which caused power outages in Kiev, officials said. The new version was adapted to target multiple substations. At the same time, the attackers planted malware designed to wipe out computer operating systems, preventing recovery.
Authorities did not specify how many transformer stations were targeted or their location, citing safety concerns, but a deputy energy minister, Farid Safarov, said “2 million people would have been without power supply if successful.”
Zhora, vice president of the State Service of Special Communications, said the malware was programmed to turn off the power Friday night, just as people were returning home from work and turning on news reports.
He said the power grid was penetrated before the end of February when Russia invaded and that the attackers later uploaded the malware, called Industroyer2. The malware managed to disrupt a component of the affected power plant’s management systems, also known as SCADA systems.
Zhora would not give further details or explain how the attack was defeated or which partners could have directly helped defeat it. He acknowledged the depth of international assistance Ukraine has received in identifying the intrusion and the challenges of trying to free government, power grid and telecommunications networks from attackers. The helpers include keyboard warriors from U.S. Cyber Command.
Cybercom was asked if it assisted in the emergency response, but did not respond immediately.
Ukraine’s Computer Emergency Response Team thanked Microsoft and cybersecurity firm ESET for their help in dealing with the attack on the power grid in a bulletin published online.
Officials said the destructive attacks had been planned at least since March 23, and Zhora speculated that they were timed by Russia to “revive” its troops after they took heavy losses in a failed attempt to conquer the capital Kyiv.
Zhora stressed that Russian cyber attacks have not successfully knocked out any power to Ukrainians since this invasion began.
GRU hackers from a group that researchers call Sandworm twice successfully attacked Ukraine’s electricity network, in the winters of 2015 and 2016. US prosecutors accused six GRU officials in 2020 of using an earlier version of Industroyer malware to attack Ukraine’s electricity network by gaining control of electrical substation switches.
In the 2016 attack, Sandworm hackers used Industroyer to turn switches on and off in a sequence designed to create a blackout, said Jean-Ian Boutin, director of threat research at ESET.
“We know Industroyer still has the ability to turn off switches,” he said.
In close cooperation with Ukrainian responders, ESET also determined that the attackers had infected networks at the targeted facilities with disk-wiping software.
A successful activation of that malware would have rendered plant systems inoperable, severely hampering remediation and recovery and destroying the attackers' digital footprint, Boutin said.
One of the destructive malware variants used in the attack, called CaddyWiper, was first discovered by ESET in mid-March and was used against a Ukrainian bank, he said.
Western prosecutors blame Sandworm for a series of high-profile cyber attacks, including the most devastating, the 2017 NotPetya wiper virus, which caused more than $10 billion in damage globally by destroying data on entire networks of computers from companies doing business in Ukraine, including those belonging to the shipper Maersk and the pharmaceutical company Merck.
Russia’s use of cyberattacks against Ukrainian infrastructure during its invasion of the country has been limited compared to experts’ expectations from before the war. In the early hours of the war, an attack that Ukraine blamed on Russia knocked an important satellite communications connection offline, which also affected tens of thousands of Europeans from France to Poland.
In another serious cyberattack during the war, hackers knocked the Internet and mobile services of a major telecommunications company serving the military, Ukrtelecom, offline for most of the day on March 28.
Zhora said that “the potential of Russian (state-sponsored) hackers has been overestimated”, citing a number of reasons why he believes cyberattacks have not played a major role in the conflict:
– When the attacker is striking civilian targets with bombs and rockets, there is not much need to hide behind covert cyber activity.
– Ukraine has significantly increased its cyber defense with the help of volunteers from sympathetic countries.
– Attacks as sophisticated as this effort to knock out power are complex and tend to require a lot of time.
“This is not an easy thing to do,” Zhora said.
Ukraine has been under constant Russian cyber attacks for the past eight years, with Zhora noting that the attacks have tripled since the invasion compared to the same period last year.
Russia has said its invasion was necessary to protect civilians in eastern Ukraine, a false claim that the United States had predicted Russia would make as a pretext for the invasion. Ukraine has called Russia’s attack a “war of aggression” and says it “will defend itself and win.”
Associated Press writer Alan Suderman of Richmond, Virginia, contributed to this report.