View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
November 9, 2023

Russia’s Sandworm hackers caused power cuts in Ukraine during missile strikes

Using flaws in existing software, the gang was able to switch off electrical substations to cause chaos as bombs fell.

By Matthew Gooding

Russian hackers caused power cuts in Ukraine by attacking critical infrastructure while missile strikes were taking place in the eastern European country, a new report has revealed.

A building in Kharkiv, Ukraine, was gutted by a Russian bombing raid in October 2022. At the same time, hackers were causing power cuts, a new report says. (Photo by Seneline/Shutterstock)

In a stark illustration of the type of cyber-physical attacks that were expected to be commonplace during the war in Ukraine, researchers at security vendor Mandiant have uncovered a breach by the Sandworm hacking group, thought to have close links to Russia’s GRU security service.

Sandworm hackers cause Ukraine power cuts

The incident occurred in October 2022 and is thought to be the first time Ukraine has suffered power cuts linked to a cyberattack since 2017.

Researchers at Google-owned Mandiant say Sandworm gained access to the power network through hypervisor software that was already installed on systems. This is known as a “living off the land” attack.

Once inside the system, the criminals were able to move laterally around the network, and may have been there for up to three months before the attack, Mandiant’s research suggests. They were then able to execute malicious commands and switch off substations, causing power outages.

Days later, Sandworm accessed the system again to deploy CADDYWIPER malware, which covered its tracks, deleting files relating to the hack.

Sandworm has a long-standing focus on attacking targets in Ukraine, and Mandiant’s report says the use of living off the land techniques represents an evolution in its tactics. “Using tools that are more lightweight and generic than those observed in prior operational technology incidents, the actor likely decreased the time and resources required to conduct a cyber-physical attack,” the paper says.

Content from our partners
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business
When it comes to AI, remember not every problem is a nail

Russia, Ukraine and cyber-kinetic warfare

Mandiant says the timing of the Sandworm breach coincided with a sustained period of missile strikes from Russia in Ukraine. Though it lacks the evidence to assess whether the two attacks are linked, it adds: “Sandworm potentially developed the disruptive capability as early as three weeks prior to the operational technology event, suggesting the attacker may have been waiting for a specific moment to deploy the capability.

“The eventual execution of the attack coincided with the start of a multi-day set of coordinated missile strikes on critical infrastructure across several Ukrainian cities, including the city in which the victim was located.”

Cyber-kinetic warfare, combining digital and physical attacks, was expected to play a major role in the war in Ukraine. Still, the scope of cyberattacks in the conflict has largely been limited largely to DDoS breaches that temporarily cripple websites of organisations based in Ukraine or allied countries. Ukraine’s supporters have struck back on several occasions with damaging DDoS attacks of their own on Russian targets.

But in April last year, Tech Monitor reported on a failed attempt to disrupt the power grid in Ukraine using the Indestroyer malware. It was thwarted by cyber defence specialists in Ukraine, but if successful would have cut off power for up to two million people.

Read more: Five Eyes nations issue warning on Chinese IP theft

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.