Russia attempted to cut off electricity to about two million Ukrainians in a cyber operation scheduled for the night of Friday, April 8, 2022. The Russian state-sponsored hacking group known as Sandworm tried to take down a large Ukrainian energy provider by disconnecting its electrical substations with a new variant of the Industroyer malware, which targets industrial control systems (ICS). The target was the Ukrainian energy company Oblenergo, whose systems had been successfully infiltrated. Had it succeeded, the attack would have blacked out some two million Ukrainians.
According to ESET, the attack, whose likely goal was to carry out destructive actions in the targeted energy facility and cause power outages on April 8, involved the deployment of several pieces of malware, both in the ICS network and on systems running Solaris and Linux. The attackers used the ICS-capable Industroyer2 malware together with ordinary disk wipers for the Windows, Linux and Solaris operating systems. Sandworm attempted to deploy Industroyer2 against high-voltage electrical substations in Ukraine. This malware is designed to cause damage by manipulating industrial control systems (ICS). The plan was to take control of the substations, shut down power and damage several critical pieces of power-distribution equipment. CERT-UA notes that the threat actor's goal was the "decommissioning of several infrastructural elements."
The attack, which targeted high-voltage electrical substations and reportedly failed, has been analyzed by Ukraine's Computer Emergency Response Team (CERT-UA), cybersecurity firm ESET, and Microsoft. The cyber weapon installed on the systems was neutralized on Thursday, April 7; the destructive actions were scheduled for the night of Friday, April 8, 2022. The artifacts suggest that the complex attack had been planned for at least two weeks, and that the operation began months earlier with reconnaissance on how to get into the systems. After discovering the vulnerabilities, the attackers gained access to the energy company's workstations. They then expanded their foothold and eventually gained access to the company's electrical network management systems. There is high confidence that the APT group Sandworm is responsible for this new attack. According to the analysis, the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine.