(Bloomberg) — A notorious hacking group linked to Russia’s military intelligence agency launched a cyberattack on Ukrainian energy facilities, according to Ukrainian cybersecurity officials.
The group, known as Sandworm, sought to damage high-voltage electrical substations, computers and networking equipment, according to a statement Tuesday from Ukraine’s Computer Emergency Response Team.
The hackers carried out two waves of attacks and had sought to take offline an unnamed energy company’s infrastructure on the evening of April 8, according to the cybersecurity agency, following an initial breach that occurred “no later than” February.
However, “the implementation of the malicious plan has so far been prevented,” the agency said in its statement.
The hacking campaign deployed malicious “wiper” software that can delete data stored on computers, rendering them inoperable, according to researchers at the cybersecurity firm ESET LLC. ESET and Microsoft Corp. assisted Ukraine with an investigation of the breach.
The hackers also deployed malicious software, known as Industroyer, which was capable of interacting with industrial control systems, according to ESET’s researchers. An earlier version of the Industroyer malware was seen in an attack carried out by the Sandworm group on Ukraine’s power grid in 2016, the researchers said. That incident resulted in an electrical blackout.
Victor Zhora, deputy chief of Ukraine’s information protection service, said in a briefing Tuesday that the hackers had targeted a regional energy distribution provider, known as an Oblenergo, in what was a “thoroughly planned and quite sophisticated” effort to cause electricity outages across Ukraine. Attackers caused damage to some computers and were able to access a command and control system, known as ICS Scada, but were stopped before they could cause significant damage, he said.
“We were able to identify it, fight it and destroy it,” Zhora said of the malware. “It looks like we have been very lucky we were able to respond to this attack in such a timely manner.”
The U.S. Department of Justice and the U.K.’s National Cyber Security Centre have previously alleged that the GRU, Russia’s military intelligence agency, is behind Sandworm.
The Russian government has denied involvement in the attacks.
According to British and American officials, the Sandworm group was responsible in 2017 for NotPetya, a disruptive hacking campaign that originated in Ukraine and later spread worldwide, causing billions of dollars of damage to some of the world’s largest companies.
(Updated to include additional details from Victor Zhora’s statement in seventh and eighth paragraphs.)
©2022 Bloomberg L.P.