Ukraine, December 2015. In the power distribution center ofIvano Frankvist, the technicians see on their screen the mouse pointer move by itself and cut off the various electricity delivery points. Very quickly, several hundred thousand Ukrainians were without power. It is a targeted hack and, to stop the breakage, the method is radical. Technicians unplug computers.
Since the electrical system dated back to Soviet times, it took technicians less than a day to manually reprime the distribution points. With an automated system, this re-commissioning would have been more complicated and time-consuming. It was then no doubt an experiment on the part of the pirate affiliates to the GRU, the Russian military intelligence services. This type of attack also happened again in 2016.
This week, a new cyberattack large-scale attack, also targeting Ukrainian electricity infrastructure, was foiled according to the country’s authorities. There again, while the territory is at war, she could have cut off the electricity to two million people.
cyber weapons of war
The discovery of the pests was carried out in duo by the researchers of the cybersecurity company Eset and Cert-UA, Ukraine’s cybersecurity agency. Experts were able to see that the attack was more sophisticated than previous ones, but the payload was an identical version of the 2015-2016 malware, namely Industroyer.
With it, experts identified a complex chain of malware, showing that Russia had planned the attack for several weeks in order to achieve maximum damage to hinder the restoration of the electrical network. With Industroyer2, we also found, CaddyWiper, that is to say a malware designed to remove all data from the systems to make it more difficult to get the power grid back up and running. It was backed up by other destructive malware, like Orcshred, Soloshred, and Awfulshred.
According to the researchers, Industroyer2 was run using a scheduled task on April 8 at 4:10 p.m. (UTC) to shut down multiple electrical substations. However, the malware was successfully neutralized. The two organizations, however, do not indicate how they discovered the intruder and blocked it. In addition, they do not yet know how the attackers entered the computer network, then how they were able to access the network of industrial control systems (ICS). On the other hand, they were able to attribute the cyberattack to the APT Sandworm hacker group which is linked to the Russian GRU, as the method and tools are similar to previous attacks.
Produced in parallel with the fighting, the digital weapon is used extensively by Russia to target critical infrastructure (management of water, food, electricity, telephone network, etc.) in the country in order to hinder communications and empty the cities of their population in order to facilitate their capture.
Interested in what you just read?