Cyber attack against electrical power grid in Ukraine

Russia tried to cut off electricity to about two million Ukrainians in a cyber operation scheduled to take place on Friday night, April 8th. The Russian state-sponsored hacking group known as Sandworm tried on Friday to take down a large Ukrainian energy provider by disconnecting its electrical substations with a new variant of the Industroyer malware for industrial control systems (ICS). The attack was on the Ukrainian energy company Oblenergo, whose systems were successfully infiltrated. Had it succeeded, the attack would have blacked out some two million Ukrainians.

According to ESET, the attack, whose likely goal was to carry out destructive actions in the targeted energy facility and cause power outages on April 8, involved the deployment of several pieces of malware, in both the ICS network and systems running Solaris and Linux. The attack used the ICS-capable Industroyer2 malware together with ordinary disk wipers for the Windows, Linux and Solaris operating systems. Sandworm attackers made an attempt to deploy Industroyer2 against high-voltage electrical substations in Ukraine. This malware is designed to cause damage by manipulating industrial control systems (ICS). The plan was to take control of the substations in order to shut down power and damage several critical pieces of electrical power distribution equipment. CERT-UA notes that the threat actor’s goal was “decommissioning of several infrastructural elements.”

The attack, which targeted high-voltage electrical substations and reportedly failed, has been analyzed by Ukraine’s Computer Emergency Response Team (CERT-UA), cybersecurity firm ESET, and Microsoft. The cyber weapon installed on the systems was neutralized on Thursday, April 7th; the destructive actions were scheduled for Friday night, April 8th 2022. The artifacts suggest that the complex attack had been planned for at least two weeks, and that the cyber operation began months earlier with intelligence gathering on how to get into the systems. After discovering the vulnerabilities, the attackers managed to gain access to the energy company’s workstations. They then expanded their foothold and eventually gained access to the company’s electrical network management systems. There is high confidence that the APT group Sandworm is responsible for this new attack. According to the analysis, the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine.

Industroyer2 attack overview from ESET



  1. jyoti says:

    Nice info. Thanks for sharing
    For interior designs plz visit

  2. Tomi Engdahl says:

    Ukraine says Russian hackers tried and failed to attack an energy provider

    Ukraine says Russian military hackers attempted to disrupt an energy provider in the country, but they were unsuccessful. The Computer Emergency Response Team of Ukraine (CERT-UA) claims it was able to thwart an effort to gain access to computers linked to substations and wipe all files on them. That would have shut down the unnamed provider’s infrastructure. The company in question is said to provide power to customers in a highly populated area.

    Cybersecurity company ESET, which has been helping shore up Ukraine’s defenses, said Sandworm was behind the latest attempt as well. Sandworm is said to have used a new version of the Industroyer malware it employed to shut down Ukraine’s power grid in late 2015.

    The latest attempted attack had been in the works for at least two weeks, according to ESET. Microsoft also helped ESET and Ukraine fend off the hackers, according to Viktor Zhora, a cybersecurity official in the country. According to CNBC, Zhora said the attackers did gain access to some systems and created disruption at one power facility, but they were snuffed out before any residents lost electricity.

    Ukraine says Russian cyberattack sought to shut down energy grid

    Russian military hackers tried and failed to attack Ukraine’s energy infrastructure last week, the country’s government and a major cybersecurity company said Tuesday.

    The attack was designed to infiltrate computers connected to multiple substations, then delete all files, which would shut that infrastructure down, according to Ukraine’s summary of the incident.

  3. Tomi Engdahl says:

    Study finds TikTok’s ban on uploads in Russia failed, leaving it dominated by pro-war content

    Tracking Exposed found pro-war content dominates on TikTok in Russia after poor implementation of ban
    With Facebook, Twitter and Instagram banned by the Kremlin, TikTok is the last global social media platform still operating in Russia. In response to the Russian invasion of Ukraine, it announced it had banned new uploads on March 6 to protect users from Russian “fake news” law.

    But a new report has found that the ban was applied inconsistently; that new content uploads related to the war outnumbered anti-war content by 10-1; and that these pro-war posts now dominate TikTok’s war-related content. This has left the platform – after the ban was fully applied – effectively frozen in time, and Russian TikTokers none-the-wiser about new developments.

  4. Tomi Engdahl says:

    In the midst of Russia’s brutal invasion of Ukraine, Sandworm appears to be pulling out its old tricks.

    Russia’s Sandworm Hackers Attempted a Third Blackout in Ukraine

    The attack was the first in five years to use Sandworm’s Industroyer malware, which is designed to automatically trigger power disruptions.

  5. Tomi Engdahl says:

    US agencies warn of custom-made hacking tools targeting energy sector systems

    Several advanced persistent threat (APT) actors have created custom-made tools designed to breach IT equipment used in critical infrastructure facilities, according to a new advisory from multiple US agencies.

    In an alert released on Wednesday, the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) warned critical infrastructure operators of potential attacks targeting multiple industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.

    The alert says the tools used in the attacks were designed specifically for Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.

    Eric Byres, chief technology officer of ICS cybersecurity software firm aDolus Technology, told The Record that Schneider Electric MODICON PLCs and OPC Unified Architecture (OPC UA) servers are incredibly common and are used widely within many major industrial facilities across the US.

    “The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” the alert explained.

    “By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.”

  6. Tomi Engdahl says:

    U.S. Warns New Sophisticated Malware Can Target ICS/SCADA Devices

    The U.S government is sounding a loud alarm after discovering new custom tools capable of full system compromise and disruption of ICS/SCADA devices and servers.

    A joint advisory from the Department of Energy, CISA, NSA and the FBI warned that unidentified APT actors have created specialized tools capable of causing major damage to PLCs from Schneider Electric and OMRON Corp. and servers from open-source OPC Foundation.

    “The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” the agencies warned.

    “By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions,” according to the joint advisory [PDF].

    The government warning comes on the heels of a series of wiper malware attacks linked to Russia’s invasion of Ukraine and a software supply chain compromise that effectively crippled Viasat’s satellite internet service.

    APT Cyber Tools Targeting ICS/SCADA Devices

  7. Tomi Engdahl says:

    Alert (AA22-110A) – Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
    The cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom are releasing this joint Cybersecurity Advisory (CSA). The intent of this joint CSA is to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and U.S. allies and partners.
    Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks (see the March 21, 2022, Statement by U.S. President Biden for more information).

  8. Tomi Engdahl says:

    Former intelligence chief: Ukraine has been a cyber punching bag for eight years, which has taught it to repel Russian cyberattacks
    Eight years of warfare in eastern Ukraine have taught Ukrainians how to defend against the cyberattacks Russia directs at them. Ukraine has developed, for example, its ability to react to and prevent activity aimed at paralyzing telecommunications systems or power grids, assesses Harri Ohra-aho, former intelligence chief of the Finnish Defence Forces and currently a ministerial adviser at the Ministry of Defence.

  9. Tomi Engdahl says:

    Insight: Russia is ‘failing’ in its mission to destabilize Ukraine’s networks after a series of thwarted cyber-attacks
    That was the takeaway from WithSecure’s Sphere conference this week, as chief research officer Mikko Hyppönen told attendees that Putin’s regime is “largely failing”. During the event, held in Helsinki, Finland, Mikko shared insight into the conflict between the two countries, which has now been ongoing for more than three months.

  10. Tomi Engdahl says:

    Europe’s largest nuclear power plant, in Ukraine, has been badly damaged by shelling, says the company responsible for operating the plant

  11. Tomi Engdahl says:

    2. Industroyer2: Sandworm’s Cyberwarfare Targets Ukraine’s Power Grid Again (Robert Lipovsky and Anton Cherepanov, ESET).

    Industroyer2 – a new version of the only malware to ever trigger electricity blackouts – was deployed in Ukraine amidst the ongoing Russian invasion. Like in 2016 with the original Industroyer, the aim of this recent cyberattack was to cause a major blackout – this time against two million+ people and with components amplifying the impact, making recovery harder. Researchers believe the malware authors and attack orchestrators are the notorious Sandworm APT group, attributed by the US DoJ to Russia’s GRU.

    This presentation covers the technical details: reverse engineering of Industroyer2, and a comparison with the original. Industroyer is unique in its ability to communicate with electrical substation ICS hardware – circuit breakers and protective relays – using dedicated industrial protocols. While Industroyer contains implementations of four protocols, Industroyer2 “speaks” just one: IEC-104.

    Expect a higher-level analysis of the attackers’ modus operandi and discuss why and how the attack was mostly unsuccessful. One of the most puzzling things about Industroyer has been the stark contrast between its sophistication and its impact: a blackout lasting one hour in the middle of the night is not the worst it could’ve achieved. Industroyer2 didn’t even accomplish that.

    Why does it matter? These presentations shine a bright spotlight on an apex threat actor previously caught using some of the most destructive malware tools. As we have previously reported, this malware attack has some major geopolitical implications and all new disclosures will be closely followed.
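The body of the post and the ESET talk abstract above both turn on the same point: Industroyer2 reaches breakers and protective relays by speaking IEC-104, so the defensive question is whether a substation gateway sees control-direction ASDUs from anything other than the expected SCADA master. The following is an added example, not code from ESET, CERT-UA or the post's author: it splits a TCP payload into IEC 60870-5-104 APDUs, decodes the ASDU header and the ON/OFF state of single and double commands, and flags process-control commands by source host. The frame layout follows the public IEC 60870-5-104 specification; the IP addresses, common address, information object addresses and the master allow-list are constructed sample values.

```python
"""Parse IEC 60870-5-104 (IEC-104) APDUs and flag control commands that
arrive from hosts other than the expected SCADA master.

Added example for this page, not ESET's or CERT-UA's code. Frame layout
follows the public IEC 60870-5-104 spec; every IP address, IOA and the
allow-list below is a constructed sample value."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Type identifiers of process-control ASDUs (control direction). Any of
# these reaching a substation gateway is an actuation request: breaker
# open/close, tap-changer step, or a setpoint.
CONTROL_TYPE_IDS: Dict[int, str] = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 setpoint, normalized",
    49: "C_SE_NB_1 setpoint, scaled",
    50: "C_SE_NC_1 setpoint, float",
    51: "C_BO_NA_1 bitstring command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
    60: "C_RC_TA_1 regulating step command with time tag",
    61: "C_SE_TA_1 setpoint, normalized, with time tag",
    62: "C_SE_TB_1 setpoint, scaled, with time tag",
    63: "C_SE_TC_1 setpoint, float, with time tag",
    64: "C_BO_TA_1 bitstring command with time tag",
}


@dataclass
class Apdu:
    fmt: str                          # "I" (data), "S" (ack) or "U" (link control)
    type_id: Optional[int] = None     # ASDU type identifier (I-format only)
    cot: Optional[int] = None         # cause of transmission, 6 = activation
    common_addr: Optional[int] = None  # common address of ASDU (station)
    ioa: Optional[int] = None         # address of the first information object
    state: Optional[str] = None       # "ON"/"OFF" decoded from SCO/DCO byte


def parse_apdus(buf: bytes) -> List[Apdu]:
    """Split one TCP payload (which may carry several back-to-back APDUs)
    and decode the control field plus the ASDU header of each I-frame."""
    out: List[Apdu] = []
    pos = 0
    while pos + 2 <= len(buf):
        if buf[pos] != 0x68:                      # every APDU starts with 0x68
            raise ValueError(f"bad start byte at offset {pos}")
        length = buf[pos + 1]                     # bytes following the length byte
        frame = buf[pos + 2: pos + 2 + length]
        if len(frame) != length or length < 4:
            raise ValueError(f"truncated APDU at offset {pos}")
        pos += 2 + length
        ctrl = frame[:4]
        if ctrl[0] & 0x01 == 0:                   # I-format: bit 0 of byte 1 is 0
            apdu = Apdu("I")
            asdu = frame[4:]
            if len(asdu) < 6:
                raise ValueError("ASDU header too short")
            apdu.type_id = asdu[0]
            apdu.cot = asdu[2] & 0x3F             # low 6 bits; P/N and T bits masked
            apdu.common_addr = asdu[4] | (asdu[5] << 8)
            if len(asdu) >= 9:                    # 3-byte little-endian IOA
                apdu.ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
            if apdu.type_id in (45, 58) and len(asdu) >= 10:
                apdu.state = "ON" if asdu[9] & 0x01 else "OFF"   # SCO: SCS bit
            elif apdu.type_id in (46, 59) and len(asdu) >= 10:
                dcs = asdu[9] & 0x03                              # DCO: DCS bits
                apdu.state = {1: "OFF", 2: "ON"}.get(dcs, "INVALID")
            out.append(apdu)
        elif ctrl[0] & 0x03 == 0x01:              # S-format: receive-sequence ack
            out.append(Apdu("S"))
        else:                                     # U-format: STARTDT/STOPDT/TESTFR
            out.append(Apdu("U"))
    return out


def find_unexpected_controls(stream: List[Tuple[str, bytes]],
                             allowed_masters: Set[str]) -> List[dict]:
    """Return one record per control command seen in the stream: severity
    "info" when the sender is an allow-listed master, "high" otherwise."""
    alerts = []
    for src_ip, payload in stream:
        for apdu in parse_apdus(payload):
            if apdu.fmt != "I" or apdu.type_id not in CONTROL_TYPE_IDS:
                continue
            alerts.append({
                "src": src_ip,
                "severity": "info" if src_ip in allowed_masters else "high",
                "type": CONTROL_TYPE_IDS[apdu.type_id],
                "common_addr": apdu.common_addr,
                "ioa": apdu.ioa,
                "state": apdu.state,
                "cot": apdu.cot,
            })
    return alerts


# Constructed sample traffic (not a real capture): master, a workstation
# that should never send commands, and an RTU reporting a status change.
ALLOWED_MASTERS: Set[str] = {"10.0.1.5"}
SAMPLE_STREAM: List[Tuple[str, bytes]] = [
    # master: STARTDT act, then single command ON to IOA 10000 in one segment
    ("10.0.1.5", bytes.fromhex("680407000000680e000000002d010600010010270001")),
    # workstation: double command OFF (open) to IOA 10001
    ("10.0.2.77", bytes.fromhex("680e020000002e010600010011270001")),
    # RTU: spontaneous M_SP_NA_1 status report, monitor direction, not a command
    ("10.0.1.9", bytes.fromhex("680e0000060001010300010010270001")),
]

if __name__ == "__main__":
    for alert in find_unexpected_controls(SAMPLE_STREAM, ALLOWED_MASTERS):
        print(alert)
```

Run on the constructed stream, the master's ON command is recorded at "info" and the workstation's OFF command at "high"; the RTU's status report is ignored because type 1 is monitor-direction data. In a real deployment the allow-list would be the station's engineered master(s), and the "info" records are the audit trail worth keeping, since a breaker-open command from a legitimate address at an odd hour is exactly the signal the text describes.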

  12. Tomi Engdahl says:

    What could follow from the shelling of the Zaporizhzhia nuclear power plant? An expert describes the possible scenarios

  13. Tomi Engdahl says:

    The war in Ukraine, day 174: Ukraine’s nuclear power monopoly was hit by a massive cyberattack
    This article collects Tuesday’s most important events related to the war in Ukraine.

    Massive cyberattack against Ukraine’s nuclear power monopoly

    Ukraine’s state nuclear power company Energoatom has reported that a large cyberattack targeted its website on Tuesday.

    The company reported the attack on its Telegram channel.

    According to Energoatom, it was the largest cyberattack since the start of Russia’s war of aggression. The company says it has confirmed that a Russian party is behind the attack.

    According to the news agency Reuters, Tuesday’s attack lasted three hours and did not cause significant problems.

  14. Tomi Engdahl says:

    Zelenskyi: A radiation accident was narrowly avoided

    The nuclear power plant occupied by Russian forces was disconnected from Ukraine’s power grid after a transmission line was damaged, but was later reconnected. Zelenskyi blames Russia for the damage to the transmission line.

    – If the plant’s diesel generators had not started, and if the automation and our staff had not reacted during the outage, we would already have a radiation accident on our hands, Zelenskyi says.

  15. Tomi Engdahl says:

    Fitful Ukrainian Nuclear Plant Stokes Powerful Fears Fire and blackouts shut Zaporizhzhia down; then, ignoring safety experts, its operator turned it back on

    For several weeks now shelling from, on, and around the Zaporizhzhia nuclear power station has emboldened nuclear safety experts in Ukraine to openly advocate for a controlled shutdown of the beleaguered plant. As IEEE Spectrum reported last week, they argue that proactively stopping power generation at the two units still operating, and cooling their reactors, would reduce the likelihood of a nuclear disaster—one that Ukrainian state experts say could be more devastating than the Chernobyl and Fukushima accidents.

    Yesterday disruption of a crucial transmission line forced a total shutdown in a dangerous series of events that once again spotlighted Zaporizhzhia’s precarious situation.

  16. Tomi Engdahl says:

    ”Europe was one step away from a nuclear catastrophe” on Thursday – the Zaporižžja nuclear power plant dropped off Ukraine’s power grid for the first time ever, reactor cooling running on diesel

    Like the Fukushima plant in Japan, the Zaporižžja plant needs external electricity to operate. The situation at the plant is extremely serious.

    The Zaporižžja nuclear power plant, which has become frighteningly famous in the war in Ukraine, was completely disconnected from Ukraine’s power grid for several hours on Thursday, reports the news agency Reuters. According to new reporting on Friday morning, the plant has since been restored to the grid. Two of the plant’s six reactors are in operation.

    According to Ukraine’s state nuclear energy company Energoatom, the measure was caused by a fire in the ash piles of a neighbouring coal power plant, which disrupted power transmission between the nuclear plant and the grid. No further details were given.

  17. Tomi Engdahl says:

    Russian roulette at Zaporizhzhia nuclear plant in Ukraine after disaster near-miss

    Beijing warns just one incident might cause a serious nuclear accident ‘with irreversible consequences for the ecosystem and public health of Ukraine and its neighbouring countries’

    China has issued a thinly veiled attack on Russia’s brinkmanship over the Zaporizhzhia nuclear plant in Ukraine, as fears of disaster escalate following a near-miss at the site.

    A senior Chinese official told the UN on Friday that just one incident might cause a serious nuclear accident “with irreversible consequences for the ecosystem and public health of Ukraine and its neighbouring countries”.

    Mr Zelensky said Russian shelling on Thursday sparked fires in the ash pits of a nearby coal power station, which disconnected the Zaporizhzhia plant from the power grid. A Russian official claimed Ukraine was to blame.

  18. Tomi Engdahl says:

    Ukrainians reported that Russia struck a power plant in Kharkiv overnight. As a result, millions of people are without electricity.

    Could Russia lose? An expert lists four decisive factors

  19. Tomi Engdahl says:

    Energoatom: Russia has again struck the Zaporizhzhia nuclear power plant

  20. Tomi Engdahl says:

    Warning from Ukraine: This is Russia’s next target

    Russia’s plans include attacking Ukraine’s energy production and distribution with both cyberattacks and conventional weapons, says Ukrainian military intelligence. Targets may also lie in other countries.

    RUSSIA’s plans include carrying out a massive cyber strike against Ukraine’s critical infrastructure, especially energy distribution. The approaching winter and energy production are targets not only in Ukraine but also in its nearby allied countries, Poland and the Baltic states. Targets in other countries may also come into question, says Ukrainian military intelligence.

    – This is connected with Moscow’s attempts to break the European countries’ will to stand behind Ukraine. At the same time, Russia is trying to improve its position in the ground war through the ongoing partial mobilization, the threat intelligence team of security company Nixu writes in a blog post.
