View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
April 13, 2022updated 14 Apr 2022 8:59am

Ukraine electricity grid cyberattack: More destructive attacks may follow

A failed cyberattack on Ukraine's electricity grid could indicate Russia's growing willingness to attack critical infrastructure.

By Claudia Glover

A botched malware attack on the Ukrainian electricity grid could have disrupted the energy supply for two million people, it emerged yesterday. The cyberattack, which used an updated version of the Industroyer malware that caused blackouts in Kyiv in 2016, may indicate a growing readiness by Russia to hit Ukraine’s critical national infrastructure with destructive cyberattacks as its war effort founders.

Ukrainian electricity grid attack
Russia’s use of destructive attacks on Ukraine’s critical infrastructure may intensify as it seeks an end to the conflict. (Photo by SOPA Images/Getty Images)

Malware capable of disrupting industrial control systems has been detected at electrical substations in Ukraine, the country’s Computer Emergency Response Team (CERT) and security provider ESET revealed yesterday. If successful, the attack could have cut off the electricity supply for two million people, Ukrainian officials said.

The attack incorporated a new variant of the Industroyer malware that was used in a successful destructive cyberattack on an electrical substation near Kyiv in 2016. ESET has attributed the attack to Russian APT Sandworm “with a high degree of confidence”.

Attackers succeeded in infecting computers at some electrical substations with the Industroyer2 malware in February, Ukraine’s digital transformation minister Victor Zhora said in a press conference yesterday, but the destructive phase of the attack did not take place.

What is Industroyer2?

The original Industroyer malware was first detected following a successful cyberattack on an electricity substation outside Kyiv in December 2016. The malware was programmed to disrupt control systems at a predetermined time, and did not require an internet connection to execute.

In 2017, ESET described Industroyer as the “biggest threat to industrial control systems since Stuxnet”, the malware that targeted Iranian nuclear power plants and revealed the insecurity on industrial systems. The malware is highly customisable, ESET said, meaning it can be tailored to attack a wide variety of control systems.

Industroyer2 is a more focused version of Industroyer, according to ESET’s latest analysis, targeting a specific protocol used to control power plants or substations remotely.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Unlike the original variant, which used a separate .INI file, Industroyer2’s configurations are hard-coded into the malware itself. “Thus, attackers need to recompile Industroyer2 for each new victim or environment,” ESET said. “However, given that the Industroyer* malware family has only been deployed twice, with a five-year gap between each version, this is probably not a limitation for Sandworm operators.”

The attack included various other technical components, including Sandworm’s Cyclops Blink botnet, “which Sandworm relies on for communication with Industroyer2 malware,” says Jon DiMaggio, chief security strategist at threat intelligence provider Analyst1. “The malware uses Cyclops Blink to obtain configuration parameters and other necessary information required for it to execute properly.”

Last week, the FBI took down the Cyclops Blink botnet as part of an ongoing crackdown on the infrastructure used by Russia’s APTs.

Cyberattacks on Ukraine’s critical infrastructure may increase

Russia had been expected to deploy destructive cyberattacks to bolster its invasion of Ukraine, but initial attacks were mostly superficial.

However, destructive attacks on critical national infrastructure may intensify as Russia becomes increasingly desperate to secure victory, says Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.

“As time draws on, Russia’s military efforts and scope of targeting may broaden through a desperation to find an end to the conflict,” he says. “It is highly likely that destructive malware will continue to be used throughout the conflict, particularly as the rate of attrition hits Russia’s military and sanctions continue to cause havoc for Russia’s economy.”

Read more: Microsoft disrupts ‘Russian nation-state’ cyberattacks on Ukraine

Topics in this article : , , ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.