1664241417 Russia is planning massive cyberattacks on critical infrastructure warns Ukraine

Russia is planning “massive cyberattacks” on critical infrastructure, warns Ukraine


Gwen Goat | Getty Images

Ukraine’s government warned Monday that the Kremlin was planning “massive cyberattacks” targeting power grids and other critical infrastructure in Ukraine and its allies’ territories.

“Through cyber attacks, the enemy will try to increase the impact of missile attacks on power supply facilities, especially in the eastern and southern regions of Ukraine,” the advisory warned. “The occupation command is convinced that this will slow down the offensive operations of the Ukrainian Defense Forces.”

Monday’s advisory alluded to two Russian government cyberattacks — the first in 2015 and the second almost exactly a year later — that deliberately left Ukrainians without power during one of the coldest months of the year. The attacks were seen as a proof of concept and a kind of testing ground for cutting off Ukraine’s power supply.

The first attack repurposed a well-known malware family called BlackEnergy, created by Kremlin-backed hackers. The attackers used a new variant, BlackEnergy3, to penetrate the corporate networks of Ukrainian energy companies and then pivot further into the supervisory control and data acquisition (SCADA) systems the companies used to generate and transmit electricity. The intrusion allowed the attackers to use legitimate functions commonly found in power distribution and transmission systems to trigger an outage that left more than 225,000 people without power for more than six hours.

The 2016 attack was more sophisticated. It used new malware, written from scratch and specifically designed for attacking power grid systems. The malware — known by the names Industroyer and CrashOverride — was notable for its mastery of the obscure industrial protocols used by Ukraine’s grid operators. Industroyer communicated natively with these systems to instruct them to open the substation breakers and then close them again.

“The experience of cyber attacks on Ukraine’s power systems in 2015 and 2016 will be used when conducting operations,” the Ukrainian government said on Monday.


Monday’s advisory comes two weeks after Ukrainian forces retook large parts of territory in Kharkiv and other cities that had been under Russian control for months. Russian President Vladimir Putin last week called for the mobilization of 300,000 Russian citizens to support the country’s military invasion of Ukraine.

The move, which marked the first time Russia had done so since World War II, has prompted protests and a diaspora of mostly male Russians fleeing the country. A shift toward greater reliance on hackers by the country’s military could be seen as a way to meet goals without further straining ongoing staff shortages.

The chances of a successful hacking campaign against the power grids of Ukraine are difficult to assess. Earlier this year, Ukraine’s CERT-UA announced that it had successfully discovered a new strain of Industroyer in the network of a regional Ukrainian energy company. Industroyer2 was reportedly able to temporarily shut off power to nine substations but was stopped before a major power outage could be initiated.

“We have no direct knowledge or data to assess Ukraine’s ability to defend its power grid, but we do know that CERT-UA stopped the deployment of INDUSTROYER.V2 malware that targeted Ukrainian substations earlier this year,” Chris Sistrunk, technical director of Mandiant Industrial Control Systems Consulting, wrote in an email. “Based on that and what we know about the general determination of the Ukrainian people, it is becoming increasingly clear that one of the reasons why cyber attacks in Ukraine have been muted is that their defenders are very aggressive and very good at confronting Russian actors.”

But researchers at Mandiant and elsewhere also note that Sandworm, the name for the Kremlin-backed group behind the power grid hacks, is among the most elite hacking groups in the world. The group is known for stealth and persistence, remaining hidden within targeted organizations for months or even years before emerging.

In addition to attacks on power grids, Monday’s advisory also warned of other forms of disruption the country expects Russia to ramp up.

“The Kremlin also intends to increase the intensity of DDoS attacks on the critical infrastructure of Ukraine’s closest allies, primarily Poland and the Baltic states,” the report said. Since February, researchers say, pro-Russian threat actors have been behind a steady stream of distributed denial-of-service attacks targeting Ukraine and its allies.