Ukraine says it stopped a Russian cyberattack targeting its electrical grid

13 Apr 2022


It is believed the Russian hacker group Sandworm was behind the cyberattack, which used a new version of malware that brought down a Ukrainian energy provider in 2016.

Ukraine said it managed to prevent a cyberattack from Russian hackers last week that targeted the country’s electrical grid.

The Computer Emergency Response Team of Ukraine (CERT-UA) said that the attack targeted high-voltage electrical substations, along with devices that had Windows and Linux operating systems. CERT-UA did not say which energy provider was targeted.

The attack came in two waves, with the “initial compromise” taking place no later than February. The second attack was intended to shut down electrical substations and was scheduled for last Friday (8 April), CERT-UA said in a statement yesterday (12 April).

Ukrainian cybersecurity official Viktor Zhora said a “military hacking team” was responsible but “they did not succeed and we’re investigating”, Reuters reported.

The Ukrainian response team attributed the incident to Russian hacker group Sandworm.

Sandworm is believed to be affiliated with Russia’s GRU and its main centre for special technologies, and was linked to new malware detected earlier this year.

Cybersecurity firm ESET also believes “with high confidence” that Sandworm was behind the attack. ESET said it worked with CERT-UA to analyse the cyberattack on the Ukrainian energy company. The firm said it discovered a new variant of Industroyer malware, which it has named Industroyer2.

Industroyer is a form of malware that was used at the end of 2016 to bring down Ukrenergo, an energy provider in Ukraine, and cut power in the country.

“At this point, we don’t know how attackers compromised the initial victim nor how they moved from the IT network to the industrial control system (ICS) network,” ESET said in an executive summary.

The cybersecurity firm added that a second piece of destructive malware, called CaddyWiper, was also detected. ESET believes it was meant to slow down the recovery process and prevent the targeted company from regaining control of its ICS consoles.

The risk for the private sector

Jamie Moles, senior technical manager at infosec company ExtraHop, said that it’s “only a matter of time” before Russian cyber weapons are “trained on new targets” outside of Ukraine. He added that private sector organisations should adopt a “heightened security posture”, particularly if they have been vocal against Russia.

“Digitalisation has indeed redrawn the lines of the battlefield in many ways already, and we’re about to see the next era of that as nation states target the influential private organisations that act against them,” Moles said.

Chris Grove, cybersecurity strategy director at IoT security firm Nozomi Networks, added that there were indications the threat actor targeting the Ukrainian energy grid had “intimate knowledge” of the environment in which it deployed the malware.

“Much like the similar malware that Sandworm deployed in Ukraine in 2016, ICS operators must monitor their networks for any strange activity, as Russian tactics prove to sit in environments for weeks to months before executing these attacks,” Grove said.

A report on last year’s massive HSE cyberattack in Ireland found that the attacker gained access to the HSE’s systems eight weeks before ransomware was detonated.


Leigh Mc Gowran is a journalist with Silicon Republic
