Russia’s Sandworm Hackers Attempted a Third Blackout in Ukraine
Credit to Author: Andy Greenberg| Date: Tue, 12 Apr 2022 14:44:39 +0000
To revist this article, visit My Profile, then View saved stories.
To revist this article, visit My Profile, then View saved stories.
More than half a decade has passed since the notorious Russian hackers known as Sandworm targeted an electrical transmission station north of Kyiv a week before Christmas in 2016, using a unique, automated piece of code to interact directly with the station's circuit breakers and turn off the lights to a fraction of Ukraine's capital. That unprecedented specimen of industrial control system malware has never been seen again—until now: In the midst of Russia's brutal invasion of Ukraine, Sandworm appears to be pulling out its old tricks.
On Tuesday, the Ukrainian Computer Emergency Response Team, or CERT-UA, and the Slovakian cybersecurity firm ESET issued advisories that the Sandworm hacker group, confirmed to be Unit 74455 of Russia's GRU military intelligence agency, had targeted high-voltage electrical substations in Ukraine using a variation on a piece of malware known as Industroyer or Crash Override. The new malware, dubbed Industroyer2, can interact directly with equipment in electrical utilities to send commands to substation devices that control the flow of power, just like that earlier sample. It signals that Russia's most aggressive cyberattack team attempted a third blackout in Ukraine, years after its historic cyberattacks on the Ukrainian power grid in 2015 and 2016, still the only confirmed blackouts known to have been caused by hackers.
ESET and CERT-UA say the malware was planted on target systems within a regional Ukrainian energy firm on Friday, but CERT-UA says that the attack was successfully detected in progress and stopped before any actual blackout could be triggered. Both CERT-UA and ESET declined to name the affected utility. But more than two million people live in the area it serves, according to Farid Safarov, Ukraine's Deputy Minister of Energy.
"The hack attempt did not affect the provision of electricity at the power company. It was promptly detected and mitigated," says Viktor Zhora, a senior official at Ukraine's cybersecurity agency, known as the State Services for Special Communication and Information Protection, or SSSCIP. "But the intended disruption was huge."
According to CERT-UA, hackers penetrated the target electric utility in February or possibly earlier—exactly how isn't yet clear—but only sought to deploy the new version of Industroyer on Friday. The hackers also deployed multiple forms of "wiper" malware designed to destroy data on computers within the utility, including wiper software designed to target Linux and Solaris-based systems, as well as more common Windows wipers, and also one piece of code known as CaddyWiper that had previously been found inside of Ukrainian banks in recent weeks. CERT-UA says it was also able to catch this wiper malware before it could be used. "We were very lucky to be able to respond in a timely manner to this cyberattack," Zhora told reporters in a press briefing Tuesday.
Sandworm's original Industroyer malware, when it was discovered in the wake of the hackers' December 2016 cyberattack on Ukraine's Ukrenergo utility, represented the first-ever malware found in the wild designed to directly interact with electric grid equipment with the intention of causing a blackout. Industroyer was capable of sending commands to circuit breakers using any of four industrial control system protocols, and it allowed the modular components of code for those protocols to be swapped out so that the malware could be re-deployed to target different utilities. The malware also included a component to disable safety devices known as protective relays—which automatically cut the flow of power if they detect dangerous electrical conditions—a feature that appeared designed to cause potentially catastrophic physical damage to the targeted transmission station's equipment when the Ukrenergo operators turned the power back on.
Both SSSCIP's Zhora and ESET say that the new version of Industroyer similarly had the ability to send commands to circuit breakers to trigger a blackout, just as the original did. ESET found, too, that the malware had the ability to send commands to protective relays, and its analysts found clear similarities between components of the new Industroyer and the original, giving them "high confidence" that the new malware was created by the same authors. But the exact capabilities of the new grid-focused malware specimen for now remain far from clear.
Even so, the appearance of a new version of Industroyer signals that Sandworm's grid-hacking days are far from over—despite the group's apparent transition to other forms of disruptive attacks over the last five years, such as its release of the self-spreading NotPetya malware in 2017 that caused $10 billion in damage worldwide, the Olympic Destroyer cyberattack on the 2018 Winter Olympics, and a mass-scale cyberattack on Georgian websites and TV stations in 2019. "The fact that this group is still using and maintaining this tool and using it against industrial control systems is significant," says ESET's head of threat research, Jean-Ian Boutin. "It means that they they are developing tools that will allow them to actually interfere with things like electricity and energy. So it's definitely a threat to other countries around the world as well."
The revelation of Sandworm's foiled blackout attack provides more evidence that Russia's invasion of Ukraine has been accompanied by a new wave of cyberattacks on the country's networks and critical infrastructure, though with only mixed success. For instance, an attack that struck the satellite internet firm Viasat on February 24th, just as Russia launched its full-scale invasion, caused a significant disruption to Ukraine's military communications, as well as cutting off the internet connections of thousands of other Viasat users outside Ukraine. But other cyberattacks, such as waves of wiper malware infections targeting Ukrainian networks, have had far smaller impacts than previous disruptive hacking operations that have pummeled Ukraine since 2014.
Following Sandworm's apparently failed blackout attack, SSSCIP's Zhora took the opportunity to argue that the relatively limited damage from Russia's cyber operations represents not merely a lack of focus from Russia on cyberwar as it carries out a full-blown physical war, but also Ukraine's growing ability to defend itself in the digital domain. "We have been dealing with an opponent that has been constantly training us, drilling us. Since 2014 we've been under constant aggression, and our expertise is unique in how to rebuff this aggression," says Zhora. "We're stronger. We're more prepared. And of course, we will secure victory."