The Ukrainian government on Monday warned that the Kremlin is planning to carry out “massive cyberattacks” targeting power grids and other critical infrastructure in Ukraine and in the territories of its allies.
“By the cyberattacks, the enemy will try to increase the effect of missile strikes on electricity supply facilities, primarily in the eastern and southern regions of Ukraine,” an advisory warned. “The occupying command is convinced that this will slow down the offensive operations of the Ukrainian Defence Forces.”
Monday’s advisory alluded to two cyberattacks the Russian government carried out—first in 2015 and then almost exactly one year later—that deliberately left Ukrainians without power during one of the coldest months of the year. The attacks were seen as a proof-of-concept and test ground of sorts for disrupting Ukraine’s power supply.
The first attack repurposed a known piece of malware, called BlackEnergy, created by Kremlin-backed hackers. The attackers used this new BlackEnergy3 malware to break into the corporate networks of Ukrainian power companies and then further encroach into the supervisory control and data acquisition systems the companies used to generate and transmit electricity. The hack allowed the attackers to use legitimate functionality commonly found in power distribution and transmission to trigger a failure that caused more than 225,000 people to go without power for more than six hours.
The 2016 attack was more sophisticated. It used a new piece of malware written from scratch specifically designed for hacking electric grid systems. The new malware—which goes by the names Industroyer and Crash Override—was notable for its mastery of the arcane industrial processes used by Ukraine’s grid operators. Industroyer natively communicated with those systems to instruct them to de-energize and then re-energize substation lines.
“The experience of cyberattacks on Ukraine’s energy systems in 2015 and 2016 will be used when conducting operations,” the Ukrainian government said on Monday.
Monday’s advisory comes two weeks after Ukrainian forces recaptured vast swaths of territory in Kharkiv and other cities that had been under Russian control for months. Russian President Vladimir Putin last week called for the mobilization of 300,000 Russian citizens to bolster the country’s military invasion of Ukraine.
The move, which was the first time since World War II that Russia has done so, has prompted protests and a diaspora of mostly male Russians fleeing the country. A pivot to increased reliance on hacking by the country’s military could be seen as a way to achieve objectives without further straining the ongoing personnel shortage.
It’s hard to assess the chances of a successful hacking campaign against Ukraine’s power grids. Earlier this year, Ukraine’s CERT-UA said it successfully detected a new strain of Industroyer inside the network of a regional Ukrainian energy firm. Industroyer2 reportedly was able to temporarily switch off power to nine electrical substations but was stopped before a major blackout could be triggered.
“We don’t have any direct knowledge or data to make an assessment on Ukraine’s capability to defend its grid, but we do know that CERT-UA stopped the deployment of INDUSTROYER.V2 malware that targeted Ukraine’s electric substations earlier this year,” Chris Sistrunk, technical manager of Mandiant Industrial Control Systems Consulting, wrote in an email. “Based on that, and what we know about the Ukrainian people’s overall resolve, it’s increasingly clear that one of the reasons cyberattacks in Ukraine have been dampened is because its defenders are very aggressive and very good at confronting Russian actors.”
But researchers from Mandiant and elsewhere also note that Sandworm, the name for the Kremlin-backed group behind the power grid hacks, is among the most elite hacking groups in the world. They are known for stealth, persistence, and remaining hidden inside targeted organizations for months or even years before surfacing.
Besides an attack on electrical grids, Monday’s advisory also warned of other forms of disruptions the country expected Russia to ramp up.
“The Kremlin also intends to increase the intensity of DDoS attacks on the critical infrastructure of Ukraine’s closest allies, primarily Poland and the Baltic states,” the advisory stated. Since February, researchers have said pro-Russian threat actors have been behind a steady stream of distributed denial-of-service attacks targeting Ukraine and its allies.