The Ukrainian Computer Emergency Response Team (CERT-UA) published a report on April 12 explaining that it had thwarted a highly sophisticated attack against a regional electricity supplier. Authorities believe the culprit is the Sandworm group, affiliated with the GRU, Russian military intelligence.
An atypical but well-known cyberattack
In 2016, a week before the Christmas holidays, 100,000 Ukrainians living north of Kyiv suddenly found themselves in the dark. They had fallen victim to a particularly advanced piece of malware called Industroyer, or Crash Override. No other instance of this type of cyberattack has been reported anywhere in the world since, Wired points out.
CERT-UA and its parent authority, the State Service for Special Communications and Information Protection (SSSCIP), claim that an "Industroyer 2" nearly cut off power to two million Ukrainians on the evening of April 8, the moment the software was set to activate.
@_CERT_UA under the @dsszzi reported a #Sandworm (UAC-0082) #cyberattack on Ukraine’s energy infrastructure using #Industroyer2 and #CaddyWiper malware.
The attackers attempted to take down several infrastructure components of their target, namely: (1/5) #cyberwar #WARINUKRAINE — SSSCIP Ukraine (@dsszzi) April 12, 2022
Not all the details are known yet. In some cases this is because they require further investigation, for example to establish how the software was introduced; in other cases it is because the Ukrainian authorities have chosen not to disclose them, such as the name of the affected company and the region, for security reasons.
The intrusion likely dates back to at least February 2022. It targeted high-voltage substations and would have made it possible to send commands to the circuit breakers to cut off the electricity. A new element compared with 2016 is that the attack was accompanied by a "wiper", malicious software that erases data from a targeted computer system, evidently in order to complicate the restoration of service.
Victor Zhora, Deputy Director of SSSCIP, told reporters: “It is evident that the team of the aggressor, the malefactors, had sufficient time to prepare thoroughly and planned the execution to a sophisticated and high quality level.” He added: “It seems that we were very lucky to have been able to respond to this cyberattack in a timely manner.” According to information from the MIT Technology Review, power was nevertheless temporarily cut at 9 substations.
Ukraine is the site of “the first cyberwar in history”
Victor Zhora estimates that over the past month Ukraine has been the victim of 198 major cyberattacks. Denial-of-service or wiper attacks against government sites, cyberattacks against Viasat or Ukrtelecom: the examples are beginning to pile up. “They target critical infrastructure, but those attempts weren’t as sophisticated as the attack today,” says Victor Zhora.
The “they” unsurprisingly designates Russia or Belarus, even if investigations are still in progress. In the case of Industroyer, Sandworm’s responsibility is in little doubt, given the lineage of the malware and the rarity of this type of attack. The group has a long track record: it is accused of being behind NotPetya in 2017, the cyberattack behind the MacronLeaks the same year, Olympic Destroyer against the Winter Olympics in 2018 and, more recently, the Cyclops Blink botnet.
In a recent interview with Les Echos, Victor Zhora asserts that in Ukraine “we are witnessing the first cyberwar in history”, but, as in the field of conventional warfare, he affirms that the country is ready to face it: “Since 2014 [Russia's annexation of Crimea] we have been subject to constant aggression, and our expertise in how to repel these aggressions is unique.”