Half a decade after its last blackout attack on Ukraine, the Russian hacker group Sandworm is back and trying to cause a third. This hacking group was responsible for the blackout of northern Kyiv’s electric transmission station in 2016, just before Christmas.
Sandworm Hacker Group Attempts to Blackout Ukraine
According to Wired’s story, the hackers created a unique piece of code that allowed them to communicate directly with the station’s circuit breakers. With it they were able to turn off the lights in a small part of Ukraine’s capital.
Sandworm is once more attacking Ukraine. The Ukrainian Computer Emergency Response Team, CERT-UA, confirmed that Sandworm was trying to attack high-voltage electrical substations using the Industroyer malware, also known as Crash Override.
CERT-UA Confirms that Sandworm is Russia’s GRU Unit 74455
CERT-UA confirmed that Sandworm is Russia’s GRU Unit 74455. Industroyer2 is the group’s new malware. It can interact directly with electrical utility equipment, sending commands to substation devices in order to control power flow.
Wired describes the latest attack as the Russian cyberattack team trying to cause Ukraine’s third blackout. The earlier attacks in 2015 and 2016 remain the only cyberattacks against Ukraine’s power grid confirmed to have caused a blackout.
Malware was planted as early as February
According to CERT-UA and the Slovak cybersecurity company ESET, the malware was installed directly on the targeted systems of a regional Ukrainian energy firm. Fortunately, CERT-UA states that the attempted attacks failed.
According to CERT-UA, they were able to detect the attempted attacks while they were in progress and stop them before an actual blackout could occur. The hacking group had already penetrated the electric utility and installed Industroyer in February.
Cyberattacks on Ukraine are increasing
The hackers also used multiple forms of “wiper malware” to try to destroy the data on the utility’s computers. CERT-UA stated that they had caught the wiper malware well before it could be used.
TechCrunch reported that ESET provided a technical analysis of the attack. It stated that Ukraine was again the “center for cyberattacks with hackers trying to destroy critical infrastructure.” According to the cybersecurity firm, the Industroyer campaign follows a series of attacks using wiper malware to target various sectors in Ukraine.
ESET stated that it will continue to monitor and protect organizations from these “types of destructive attack”. The disruption occurred just a few weeks after the FBI moved against a Sandworm-linked botnet that targeted WatchGuard and Asus devices.