Cyber experts say the malicious software used points to notorious military attackers.
Image source, Reuters
The Ukrainian government has revealed it narrowly averted a serious cyber-attack on the country’s power grid.
Hackers targeted one of its largest energy companies, trying to shut down sub-stations, which would have caused blackouts for two million people.
The malicious software used in the attack is similar to that used by Russian hackers who previous caused powercuts in Kyiv.
Researchers believe Russian military group Sandworm is responsible.
It is the most serious cyber-attack so far launched against Ukraine since the Russian invasion.
In a press conference on Tuesday, Viktor Zhora, deputy chairman of the State Service of Special Communications, said his team were alerted to a possible attack on energy grids at the beginning of the invasion of his country.
He said that despite a huge effort to secure the cyber defences of energy organisations in the country, hackers had been able to compromise an unnamed private company responsible for supplying power to two million residents.
“The hackers planned the electrical outages for 8 April, to strike on Friday evening, before the weekend,” Mr Zhora said.
“It looks like we have been extremely lucky to respond to this in a timely manner.”
Mr Zhora thanked researchers at cyber-security companies Eset and Microsoft for helping to identify and neutralise the malicious software used in the attack.
In a statement, Eset said it had worked closely with the Ukraine cyber authority “in order to remediate and protect this critical infrastructure network”.
It added: “The collaboration resulted in the discovery of a new variant of Industroyer malware, which we, together with [Ukrainian cyber authority] Cert-UA, named Industroyer2.”
Industroyer is the name given to the piece of malware that was used in 2016 to knock electricity substations in Kyiv offline for about an hour.
That attack was blamed on a Kremlin-backed hacking team known as Sandworm, allegedly a Russian cyber-military unit and part of its foreign military intelligence agency, the GRU.
Sandworm is also accused of causing blackouts which affected more than 200,000 homes in a number of towns and cities in Ukraine the year before.
Russia denies carrying out the cyber-attacks but both incidents have been blamed publicly by the US and EU on Sandworm, and some individual hacking suspects have been named by cyber authorities.
Image source, FBI
Researchers say that in this latest attack, Sandworm hackers made an attempt to deploy the Industroyer2 malware against high-voltage electrical sub-stations in Ukraine as well as deploying several destructive malware types, including CaddyWiper.
CaddyWiper is one of a number of pieces of wiper software being spread around Ukraine, designed to delete data on infected computer systems.
A wiper was also used to disrupt the US satellite communications provider Viasat on the first day of the Ukraine invasion.
Western officials believe this was almost certainly the work of Russia but have not yet assembled the evidence to make a public accusation.
The country has also been repeatedly bombarded with low-level cyber-attacks, and its government says there have been three times as many hacking attempts against its systems as before the war.
