Russian hackers caused power cuts in Ukraine by attacking critical infrastructure while missile strikes were taking place in the eastern European country, a new report has revealed.
In a stark illustration of the type of cyber-physical attack that was expected to be commonplace during the war in Ukraine, researchers at security vendor Mandiant have uncovered an intrusion by the Sandworm hacking group, which is widely assessed to be operated by Russia’s GRU military intelligence agency.
Sandworm hackers cause Ukraine power cuts
The incident occurred in October 2022 and is thought to be the first time Ukraine has suffered power cuts linked to a cyberattack since 2017.
Researchers at Google-owned Mandiant say Sandworm gained access to the operational technology (OT) network through a hypervisor that hosted the substation’s SCADA management system, and then carried out the attack using software already present on those systems rather than purpose-built malware. Relying on tools that are already installed in the target environment is known as a “living off the land” technique, and it leaves far fewer of the custom artefacts that defenders usually look for.
Once inside the system, the attackers were able to move laterally around the network, and Mandiant’s research suggests they may have had access for up to three months before the disruptive event. They were then able to issue malicious control commands to the SCADA system and switch off substations, causing power outages.
Days later, Sandworm accessed the victim’s IT environment again to deploy CADDYWIPER, a data-wiping malware family, destroying files and, in the process, likely removing forensic evidence of the intrusion.
Sandworm has a long-standing focus on attacking targets in Ukraine, and Mandiant’s report says the use of living off the land techniques in an OT environment represents an evolution in its tactics. “Using tools that are more lightweight and generic than those observed in prior operational technology incidents, the actor likely decreased the time and resources required to conduct a cyber-physical attack,” the report says.
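The defensive corollary of the living-off-the-land pattern described above is that a native SCADA control binary is a legitimate program, so detection has to key on *how* it was launched rather than *what* was launched. The following script is an added example, written for this page and not taken from Mandiant’s report or from the article: it reads process-creation events (constructed sample lines in a hypothetical CSV layout modelled on Sysmon event 1 fields) and flags the control binary whenever it is spawned by a script or batch interpreter instead of the SCADA service, or when it runs from a non-system volume such as a mounted disc image. The binary name `scada_ctl.exe`, the expected parent `scada_host.exe`, the host name and the log lines are all assumptions for illustration.

```python
"""
Hypothetical living-off-the-land detection for an OT host.
Constructed example: the binary names, volumes and log lines below are
assumptions, not taken from Mandiant's report or from a real SCADA product.
"""
import csv
import io
from dataclasses import dataclass
from typing import Optional

# Assumed names: substitute the real command-line tools and service
# executables of the SCADA product in use.
SCADA_CONTROL_BINARIES = {"scada_ctl.exe"}
EXPECTED_PARENTS = {"scada_host.exe", "services.exe"}
SCRIPT_INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
SYSTEM_VOLUMES = {"c:"}

# Constructed sample events (Sysmon-like process-creation fields).
SAMPLE_LOG = r"""timestamp,host,image,parent_image,command_line
2022-10-10T08:01:02Z,scada01,C:\SCADA\bin\scada_ctl.exe,C:\SCADA\bin\scada_host.exe,scada_ctl.exe -status
2022-10-10T08:05:00Z,scada01,C:\SCADA\bin\scada_ctl.exe,C:\Windows\System32\cmd.exe,scada_ctl.exe -exec open_breaker
2022-10-10T08:06:11Z,scada01,D:\tools\scada_ctl.exe,C:\Windows\System32\wscript.exe,scada_ctl.exe -exec open_breaker
2022-10-10T08:07:30Z,scada01,C:\Windows\System32\notepad.exe,C:\Windows\explorer.exe,notepad.exe
"""


@dataclass
class Finding:
    timestamp: str
    host: str
    reason: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def volume(path: str) -> str:
    """Drive letter ('c:') of a Windows path, or '' if there is none."""
    return path[:2].lower() if len(path) > 1 and path[1] == ":" else ""


def parse_events(text: str) -> list[dict]:
    """Parse the CSV event feed into one dict per process-creation event."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(event: dict) -> Optional[str]:
    """Return a reason string if the event is a suspicious launch of a
    SCADA control binary, else None. Benign launches by the SCADA
    service from the system volume produce no finding."""
    image = basename(event["image"])
    if image not in SCADA_CONTROL_BINARIES:
        return None
    parent = basename(event["parent_image"])
    reasons = []
    if parent in SCRIPT_INTERPRETERS:
        reasons.append(f"launched by script interpreter {parent}")
    elif parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent process {parent}")
    vol = volume(event["image"])
    if vol not in SYSTEM_VOLUMES:
        reasons.append(f"executed from non-system volume {vol or '(none)'}")
    return "; ".join(reasons) or None


def detect(text: str) -> list[Finding]:
    """Run the rule over every event in the feed and collect findings."""
    findings = []
    for ev in parse_events(text):
        reason = classify(ev)
        if reason:
            findings.append(Finding(ev["timestamp"], ev["host"], reason, ev["command_line"]))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host}: {f.reason} :: {f.command_line}")
```

Run against the constructed feed, the rule ignores the status query made by the SCADA service itself and the unrelated notepad launch, and reports the two breaker commands: one spawned from cmd.exe, and one spawned from wscript.exe and running from the D: volume. In a real deployment the allow-lists would be built from a baseline of the plant’s normal process tree, and the volume check would be complemented by alerts on the hypervisor side for newly attached disc images.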
Russia, Ukraine and cyber-kinetic warfare
Mandiant says the timing of the Sandworm breach coincided with a sustained period of missile strikes from Russia in Ukraine. Though it lacks the evidence to assess whether the two attacks are linked, it adds: “Sandworm potentially developed the disruptive capability as early as three weeks prior to the operational technology event, suggesting the attacker may have been waiting for a specific moment to deploy the capability.
“The eventual execution of the attack coincided with the start of a multi-day set of coordinated missile strikes on critical infrastructure across several Ukrainian cities, including the city in which the victim was located.”
Cyber-kinetic warfare, combining digital and physical attacks, was expected to play a major role in the war in Ukraine. Still, the scope of cyberattacks in the conflict has largely been limited to distributed denial-of-service (DDoS) attacks that temporarily knock offline the websites of organisations based in Ukraine or allied countries. Ukraine’s supporters have struck back on several occasions with damaging DDoS attacks of their own on Russian targets.
But in April 2022, Tech Monitor reported on a failed attempt to disrupt the power grid in Ukraine using the Industroyer2 malware. It was thwarted by cyber defence specialists in Ukraine, but if successful would have cut off power for up to two million people.