Russian cyber attack on power grid repelled

Attacks by the Russian cyber unit Sandworm have increased in recent days. The latest attempt, repelled a few days ago, was intended to knock out the power supply in Ukraine. But the group also has Western targets in its sights.

The Ukrainian power supply was targeted by the notorious Russian hacker group Sandworm.

Mykola Tys / Imago

The electricity was supposed to go out in Ukraine on Friday evening. A cyber attack targeted substation controls as well as the computers and servers of an energy company. According to the Ukrainian authorities, who published their account on Tuesday, preparations for the sabotage began weeks earlier. But the attack was discovered and stopped; IT security experts from Microsoft and the Slovak company Eset were also involved in the response.

The Ukrainian Computer Emergency Response Team (CERT-UA) does not say how extensive the planned sabotage would have been or which energy companies in Ukraine were specifically targeted. For the authorities, however, it is clear who is behind the attack: the Russian group Sandworm, which is attributed to the Russian military intelligence service GRU.

Sandworm has been conducting attacks in Ukraine for years

It is not surprising that the Sandworm group is engaged in sabotaging critical infrastructure such as the power supply. On the contrary, many observers expected such cyber operations against the country's infrastructure when Russia's attack on Ukraine began. As far as is known, however, they have taken place only to a limited extent.


The Sandworm group is known for its actions against critical infrastructure. Since the Russian annexation of Crimea in 2014, it is said to have carried out numerous attacks in Ukraine, including two attacks on the Ukrainian power supply that caused regional power outages.

Malware that CERT-UA calls "Industroyer2" is said to have been used in the attack that has now been foiled. It is likely a further development of the "Industroyer" malware with which Sandworm is said to have caused a power outage in Kyiv in December 2016; that is the conclusion the IT security company Eset reaches in its technical analysis.

What is special about both "Industroyer" programs: rather than stopping at the Windows hosts around them, they directly address the industrial control systems used to run plants and machinery. Such controllers are built differently from Windows or Linux computers and talk to one another over specialised protocols, so writing malware that speaks those protocols is considered technically particularly demanding.
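The article does not name the protocols involved. One widely used in European substation automation is IEC 60870-5-104 (IEC 104), and ESET's published analysis of Industroyer2 identifies it as the protocol that malware speaks; the following is an added example written for this page, not code from the article, CERT-UA, ESET or the malware. It parses the IEC 104 frame header and ASDU from the standard's layout and flags control commands (type IDs 45 to 59) that arrive with cause of transmission "activation" from a host that is not an allow-listed SCADA master, which is the kind of check a network sensor in front of an RTU can run. The sample frames, IP addresses and allow-list are constructed for illustration.

```python
"""Minimal IEC 60870-5-104 (IEC 104) APDU parser with a control-command alert.

Added example; frame layout follows the IEC 60870-5-104 standard. Sample
frames, IP addresses and the allow-list are constructed, not captured.
"""
from dataclasses import dataclass, field
from typing import Optional

START_BYTE = 0x68

# ASDU type identifiers in the control direction (commands a master station
# sends to an outstation). These are what an intruder needs to change the
# state of switchgear, so they are the ones worth alerting on.
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 set point, normalised",
    49: "C_SE_NB_1 set point, scaled",
    50: "C_SE_NC_1 set point, float",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}
ACTIVATION_COT = 6  # cause of transmission "activation"


@dataclass
class Apdu:
    frame_format: str                 # "I" (data), "S" (ack) or "U" (control)
    type_id: Optional[int] = None
    cot: Optional[int] = None
    common_address: Optional[int] = None
    ioas: list = field(default_factory=list)


def parse_apdu(data: bytes) -> Apdu:
    """Parse one APDU: 0x68, length, 4 control octets, optional ASDU."""
    if len(data) < 6 or data[0] != START_BYTE:
        raise ValueError("not an IEC 104 APDU")
    if data[1] != len(data) - 2:          # length counts everything after it
        raise ValueError("length field does not match frame size")
    ctrl = data[2:6]
    if ctrl[0] & 0x01 == 0:
        fmt = "I"
    elif ctrl[0] & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    apdu = Apdu(frame_format=fmt)
    if fmt != "I":
        return apdu                       # S and U frames carry no ASDU
    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    apdu.type_id = asdu[0]
    sq, num_objects = asdu[1] & 0x80, asdu[1] & 0x7F
    apdu.cot = asdu[2] & 0x3F             # low six bits; bit 6 P/N, bit 7 test
    apdu.common_address = asdu[4] | (asdu[5] << 8)
    body = asdu[6:]
    if sq or num_objects != 1:
        # Multi-object and sequence encodings need per-type element sizes;
        # this example decodes single-object ASDUs only.
        return apdu
    if len(body) < 3:
        raise ValueError("information object address truncated")
    apdu.ioas.append(body[0] | (body[1] << 8) | (body[2] << 16))
    return apdu


def control_alerts(frames, allowed_masters):
    """Flag activation commands whose sender is not an allow-listed master.

    `frames` is an iterable of (src_ip, apdu_bytes) pairs as a sensor would
    hand them over; `allowed_masters` is the set of SCADA master IPs that
    may issue commands. Malformed frames are reported too, since a parser
    error on a control link is itself worth a look.
    """
    alerts = []
    for src_ip, raw in frames:
        try:
            apdu = parse_apdu(raw)
        except ValueError as exc:
            alerts.append((src_ip, f"malformed APDU: {exc}"))
            continue
        if apdu.frame_format != "I" or apdu.type_id not in CONTROL_TYPE_IDS:
            continue
        if apdu.cot == ACTIVATION_COT and src_ip not in allowed_masters:
            name = CONTROL_TYPE_IDS[apdu.type_id]
            alerts.append((src_ip, f"{name} to CA {apdu.common_address}, "
                                   f"IOA {apdu.ioas}"))
    return alerts


# Constructed sample traffic (not a real capture).
SAMPLE_FRAMES = [
    # U-frame TESTFR act keepalive from the legitimate master.
    ("10.0.1.10", bytes.fromhex("68 04 43 00 00 00")),
    # I-frame M_SP_NA_1 single-point status, COT 3 (spontaneous), CA 1, IOA 100.
    ("10.0.2.50", bytes.fromhex("68 0E 02 00 00 00 01 01 03 00 01 00 64 00 00 01")),
    # I-frame C_SC_NA_1 single command, COT 6 (activation), CA 1, IOA 1000, execute/on.
    ("10.0.1.10", bytes.fromhex("68 0E 00 00 00 00 2D 01 06 00 01 00 E8 03 00 01")),
    # The same command from a host that is not a SCADA master.
    ("10.0.9.77", bytes.fromhex("68 0E 00 00 00 00 2D 01 06 00 01 00 E8 03 00 01")),
]
ALLOWED_MASTERS = {"10.0.1.10"}

if __name__ == "__main__":
    for src, reason in control_alerts(SAMPLE_FRAMES, ALLOWED_MASTERS):
        print(f"ALERT {src}: {reason}")
```

Run stand-alone it prints one alert, for the command from 10.0.9.77; the identical command from the allow-listed master passes, as do the keepalive and the monitoring-direction status report. A source allow-list is deliberately the first check here: the protocol has no authentication of its own, so who is speaking is the only signal an RTU-side sensor has.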

Attack massively disrupted internet access

It is the first time that the Ukrainian authorities have disclosed the technical details of an attack on critical infrastructure. Two weeks ago, the country's internet access was massively disrupted for several hours by a cyber attack on the telecom company Ukrtelecom. According to Ukrtelecom, the attackers were technically very sophisticated, which points to a state-backed group from Russia.

At the beginning of the Russian invasion, a suspected Russian cyber attack also disrupted the satellite communications of the Ukrainian army and police. The attack caused collateral damage across Europe: tens of thousands of devices communicating via the same KA-Sat satellite were rendered inoperable.

The pattern of this attack would also fit the Russian military intelligence agency GRU or its unit Sandworm. The IT security company Sentinel One says it has found certain similarities between the malware used in the attack on satellite communications and other programs attributed to Sandworm.

Russian groups are also active in the West

However, the state group Sandworm is not only active in Ukraine. Last week it was announced that the American federal police, the FBI, had taken action in March against a so-called botnet: a web of thousands of infected network devices such as firewalls and routers that were under Sandworm's control. The infected devices could have served as a gateway into the networks of potential victims.

One possible scenario is that Russia could use cyber attacks to retaliate for Western sanctions; US President Joe Biden warned of this at the end of March. Russian state groups are also likely to be active in espionage and disinformation.
