A Russian military-linked hacking group has attempted to infiltrate Ukrainian power substations and deploy malicious code capable of cutting electricity, Ukrainian government officials and private investigators said Tuesday.
The cyberattack appears to have been thwarted, and the Ukrainian government Computer Emergency Response Team said it had prevented the attackers from “carrying out [their] malicious intent.” Victor Zhora, a senior Ukrainian cybersecurity official, told CNN that the hack attempt did not affect the provision of electricity at the power company.
Ukrainian officials declined to name the electric utility targeted by the hackers. But Farid Safarov, a deputy minister at Ukraine’s energy ministry, told reporters that about 2 million people could have lost power had the cyberattack been successful.
The US Cybersecurity and Infrastructure Security Agency was working closely with Ukrainian officials to understand the incident and share any relevant information to protect US infrastructure, CISA Director Jen Easterly tweeted Tuesday.
The hackers blamed for the incident – a group known as Sandworm that the US Justice Department has attributed to Russia’s GRU military intelligence agency – are of top concern to cybersecurity researchers around the world because they cut power in parts of Ukraine in 2015 and 2016.
In the recent incident, the hackers tried to deploy malicious code “against high-voltage electrical substations in Ukraine” on April 8, and appeared to make preparations for the attack two weeks prior, according to cybersecurity firm ESET, which investigated the hack.
It’s the type of advanced cyberattack that many US officials and cybersecurity analysts predicted would accompany Russia’s invasion of Ukraine.
“A lot of people were expecting something like this to happen, with critical infrastructure targeted by really advanced malware,” Jean-Ian Boutin, ESET’s director of threat research, told CNN.
While this hack may have been thwarted, prior Sandworm hacks in Ukraine have been disruptive.
A 2015 cyberattack that US officials pinned on Sandworm cut power for about a quarter million people in Ukraine. A follow-up hack in 2016 on an electrical substation outside of Kyiv caused a smaller blackout and the malicious code used was more sophisticated, according to analysts.
The hacking tool used in the recent attempted cyberattack on the Ukrainian power company was a variation of the malicious software known as Industroyer that was used in the 2016 hack, ESET researchers said.
“It is something that we don’t see often. And the fact that Industroyer was used years ago … this is very significant,” Boutin said.
US officials have been closely monitoring suspected Russian cyberattacks against Ukrainian critical infrastructure before and after Russia’s invasion on February 24. The White House on February 18 blamed a separate hacking incident, which temporarily knocked Ukrainian government and bank websites offline, on the GRU.
A spokesperson for the Biden administration’s National Security Council said the attempted hack of the Ukrainian electric utility this month “clearly demonstrates that disruptive and destructive cyber-attacks against Ukraine continue, and we applaud the work of Ukraine’s network defenders in responding to it.”
The incident also serves as a “reminder about the need for the US cybersecurity community to continue taking steps to counter potential cyber threats to US critical infrastructure,” the NSC spokesperson said in an emailed statement.
This story has been updated with additional comment.