Published in News

Russians have another pop at Ukraine with Sandworm

by on13 April 2022

Targeting electrical transmission site with a five year old worm

More than half a decade has passed since the notorious Russian hackers known as Sandworm targeted an electrical transmission station north of Kyiv a week before Christmas in 2016, using a unique, automated piece of code to interact directly with the station's circuit breakers and turn off the lights to a fraction of Ukraine's capital.

At the time the hackers were connected to Russia's GRU military intelligence agency and now it seems that they have dusted off the old tech, updated it and gave it another spin.

the Ukrainian Computer Emergency Response Team (CERT-UA) and the Slovakian cybersecurity firm ESET issued advisories that the Sandworm hacker group, confirmed to be Unit 74455 of Russia's GRU military intelligence agency, had targeted high-voltage electrical substations in Ukraine using a variation on a piece of malware known as Industroyer or Crash Override.

The new malware, dubbed Industroyer2, can interact directly with equipment in electrical utilities to send commands to substation devices that control the flow of power, just like that earlier sample. It signals that Russia's most aggressive cyberattack team attempted a third blackout in Ukraine, years after its historic cyberattacks on the Ukrainian power grid in 2015 and 2016, still the only confirmed blackouts known to have been caused by hackers.

ESET and CERT-UA say the malware was planted on target systems within a regional Ukrainian energy firm on Friday. CERT-UA says that the attack was successfully detected in progress and stopped before any actual blackout could be triggered.

A private advisory from CERT-UA last week, first reported by MIT Technology Review stated that power had been temporarily switched off to nine electrical substations. Both CERT-UA and ESET declined to name the affected utility. But more than 2 million people live in the area it serves.

It seems though that this time Industroyer2 only managed mixed results before it was disabled.


Last modified on 13 April 2022
Rate this item
(1 Vote)

Read more about: