Cyber attackers try to shut off power for 2 million people in Ukraine

BY KERRY TOMLINSON, AMPERE NEWS

APRIL 13, 2022

While bombs rain down on Ukraine's cities, the country’s computer systems are under constant attack as well.

Hackers managed to get inside one of Ukraine's biggest energy companies and launched a cyberattack on Friday, April 8, Ukrainian officials said at a press conference on Tuesday. But Ukraine's cyber teams said they were able to stop the attackers before they cut off power.

"If they had been successful and they had inflicted critical damage, that would have meant two million people without electricity supply," said Farid Safarov, Ukraine's Deputy Minister of Energy for Digital Development, Digital Transformation and Digitization.

Officials are not naming the location or the energy company, nor providing many details of the attack, for strategic reasons, but they attribute the assault to Russian attackers, likely a group of hackers called Sandworm who work for the Russian government.

Two Stages

The attack came in two waves, according to officials. The first part was likely launched around the time of Russia's invasion of Ukraine on February 24, officials said. In that stage, the hackers found a way inside the private energy company's computer systems.

The second stage occurred on April 8, when the attackers used a malware called Industroyer2 to try to take over the company's power system and shut down the electricity supply, according to Ukraine's Computer Emergency Response Team, or CERT-UA.

The malware was set to cut off power at 4:58 pm when many people would be coming home from work.

"It was supposed to inflict serious damages and consequences both for the staff of the facility who were renovating and renewing the electricity supplies at the facility and for the ordinary customers coming back home. Perhaps they were looking [at] television to know what was going [on] in the country, the news from the front line and other news," said Victor Zhora, Ukraine's Deputy Head of the State Special Service for Digital Development, Digital Transformations and Digitization.

"This is what the malefactors were intending," he added.

Heads-Up

The Ukrainian government received word that the attack might happen, according to officials. Response teams checked the systems of the energy company and discovered the malware in time, before it caused an outage.

"We were able to identify, fight it and destroy it," said Zhora.

However, the attack did cause some damage.

"The malware code has been successful in getting into the management technological system, the so-called ICS SCADA [industrial control systems supervisory control and data acquisition]," said Zhora. "We also saw the attempts to break down the hardware and partially they were successful. And there were some disruptions at one of the components in this system, but we detected it immediately. And in an emergency way, we fixed it, so there were no disruptions in the electricity supply."

Not the First Time

Russia has attacked Ukraine's energy system in the past. In both 2015 and 2016, cyber attackers shut off power for people in Ukraine in December during cold weather.

In 2016, the attackers used malware called Industroyer to carry out their plans. This latest attack appears to have used a newer version of that malware, according to cybersecurity company ESET.

The hackers also used several different kinds of malware called wipers that can destroy files. One of the most infamous is known as CaddyWiper.

"We believe it was intended to slow down the recovery process and prevent operators of the energy company from regaining control of the ICS [industrial control systems] consoles. It was also deployed on the machine where Industroyer2 was executed, likely to cover their tracks," ESET said in a report.

ESET said CaddyWiper was also used against a Ukrainian bank on March 14 and a Ukrainian government agency on April 1.

"It is self-evident that the aggressors' team, the malefactors, had enough time to get prepared very thoroughly and they planned the execution on quite a sophisticated, high-quality level," Zhora said.

Wave of Attacks

This is not the only attack on energy organizations in Ukraine since the war began, said Safarov. Attackers have launched 50 distributed denial-of-service, or DDoS, attacks, in which they bombard a system with so much Internet traffic that it can't operate.

Last year, Ukraine's energy organizations saw only two such DDoS attacks. The total number of cyberattacks since the war began is 200,000.

Some attacks are easy to carry out, but not the latest attempt to cut off power. That takes much more time, Zhora said.

"This is a result of the military failure of the Putin soldiers near Kyiv who have failed at Kyiv's gate, and he regrouped his army to conquer the east of Ukraine," Zhora said. "Very likely, such actions of his and his lieutenants in the cyber sphere were to buttress and invigorate the hostilities of his soldiers who keep killing the civilian population in our country."
