Ukraine says it thwarted a sophisticated Russian cyberattack on power grid
By Kate Conger
Ukrainian officials said Tuesday that they had thwarted a Russian cyberattack on Ukraine’s power grid that could have knocked out power to 2 million people, raising fears that Moscow will increase its use of digital weapons in a country already pummeled by war.
Ukraine’s power grid has been knocked offline twice before, in 2015 and 2016, causing widespread blackouts. Russia has long used online attacks alongside traditional warfare; just days before the Russian invasion began Feb. 24, Ukraine said a cyberattack hit its Defense Ministry, its army and two of its banks.
But experts said the latest hacking — while unsuccessful — was among the most sophisticated cyberattacks they have seen in the war. It used a complex chain of malware, including some custom-built to control utility systems, suggesting that Russia had planned the attack over several weeks and intended to maximize the damage by sabotaging computer systems that would be needed to restore the electrical grid.
The attack was scheduled to begin on the evening of April 8 as civilians returned home from work, Ukrainian officials said, and could have made it impossible for them to go about their daily lives or gain access to information about the war. The breach targeted several electrical substations in the country, and had it been successful, it would have deprived roughly 2 million people of electricity and made it difficult to restore power.
In recent weeks, U.S. officials have warned that Russia could try to expand its cyberwarfare — perhaps even by disrupting U.S. pipelines and electric grids in retaliation for the sanctions that the United States has imposed on Moscow.
Hackers affiliated with the GRU, Russia’s military intelligence unit, were responsible for the attack, using malware similar to that deployed in the 2016 breach that plunged at least 100,000 people into darkness, Ukraine’s security and intelligence service said. That unusual malware can take over industrial control systems, essentially switching off the lights, and is rarely used. Cybersecurity researchers have not detected similar malware on computer systems outside the 2016 attack, which was attributed to the GRU.
“This is yet more evidence of Russia’s capability,” said John Hultquist, a vice president for threat analysis at cybersecurity firm Mandiant. “The question is intent. Do they intend to do this outside of Ukraine?”
The hackers customized a version of the 2016 malware for the attack last week on the Ukrainian electrical company and also deployed so-called wiper malware, which is designed to erase data, on its computer systems in an apparent attempt to make it more difficult for the utility to restore service after a blackout began.
“Trying to cut the power is definitely something very significant,” said Jean-Ian Boutin, director of threat research at cybersecurity firm ESET, which helped Ukraine analyze the malware. “The fact that they have tools that allow them to do that is very concerning for the future as well.”
The attackers may have broken into the electrical company’s systems as early as February, Ukrainian officials said, but they emphasized that some details of the attack, including how the intruders made their way into the company’s systems, were not yet known.
Officials declined to name the company that suffered the breach and the region its substations are in, citing fears of continuing cyberattacks.
“It is self-evident that the aggressor’s team, the malefactors, had enough time to get prepared very thoroughly and they planned the execution on a sophisticated, high-quality level,” said Victor Zhora, deputy head of Ukraine’s cybersecurity agency, the State Service of Special Communications and Information Protection. “It looks that we have been very lucky that we were able to respond in a timely manner to this cyberattack.”
Ukrainian companies in finance, media and energy have been subject to regular cyberattacks since the war began, according to Zhora. His agency said that since Russia’s invasion began, it had recorded three times as many attacks as it had tracked in the previous year.
The use of wiper malware has become a persistent problem in Ukraine since the war began, with attacks hitting Ukrainian critical infrastructure, including government agencies responsible for food safety, finance and law enforcement, cybersecurity researchers said.
Hackers have also broken into communications systems, including satellite communication services and telecom companies. Investigations into those breaches are continuing, although cybersecurity analysts and U.S. officials believe Russia is responsible. Other hacking groups, including one affiliated with Belarus, have broken into media companies’ systems and social media accounts of high-profile military officials, trying to spread disinformation that claimed Ukraine planned to surrender.
Some analysts believed that Russia would back up its ground invasion with crippling cyberattacks and were puzzled when widespread hacking campaigns did not materialize during the early days of the war. But cybersecurity experts said the complex attack on the electrical company was a sign that Russia was beginning to shift its tactics.
“We see a shift in what’s going on, on the ground, and we see a shift in what’s going on in the cyber realm as well,” Boutin said. As Russia reorganizes its troops in Ukraine, it may also begin a new cyber campaign, he added.
“If the Russian advance has dissipated,” Hultquist said, “this may be another way for them to put pressure on Ukraine.”