Russia Tries to Kill Ukraine’s Power Grid—and FAILS

Russia’s infamous Sandworm APT group is at it again: The scrotes have been trying to cut power in Ukraine by shutting down high-voltage substations, and wipe the computers used to control them.

This is Sandworm’s third attempt, but this time they failed. Ukraine’s white-hats detected the Industroyer2 malware and neutralized it.

Say your prayers, little one. In today’s SB Blogwatch, we don’t forget to include everyone.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Ragdoll.

Re-Enter Sandworm

What’s the craic? Jonathan Greig reports—“Researchers find new malware variant after stopping attack on Ukrainian energy provider”:

This is a military hacking team
Ukrainian officials said they stopped an attack on an energy facility [and] discovered a new variant of Industroyer, an infamous piece of malware that was used by the Sandworm APT group in 2016 to cut power in Ukraine. … The Cybersecurity and Infrastructure Security Agency … are working with CERT-UA … the Governmental Computer Emergency Response Team of Ukraine … on the attack.

Ukrainian government spokesperson Victor Zhora [said] “This is a military hacking team.” The attack was designed to “disable a number of facilities, including electricity substations,” and [he] attributed it to actors supporting the recent invasion of Ukraine by Russia.

What was the damage? Not a lot, according to James Pearson—“Ukraine says it thwarted Russian cyberattack on electricity grid”:

The hackers had struck in two waves
CERT-UA said in a statement the hackers had targeted computers controlling high voltage substations in Ukraine. … Ukraine managed to prevent the attack from taking place, and there was no damage to the grid.

Kyiv blamed the attack on a group dubbed “Sandworm” by researchers and previously tied to cyberattacks attributed to Russia. … Russian officials could not be immediately reached for comment. … Moscow has consistently denied accusations it has launched cyberattacks on Ukraine.

The hackers had struck in two waves, first compromising the power network no later than February, before the second attack, which included a plan to shut substations and harm infrastructure last Friday evening, it said.

So Russia failed? Andy Greenberg summarizes—“Sandworm Hackers Attempted a Third Blackout in Ukraine”:

Only mixed success
[Industroyer was] a unique, automated piece of code to interact directly with the station’s circuit breakers and turn off the lights to a fraction of Ukraine’s capital. That unprecedented specimen of industrial control system malware … also included a component to disable safety devices … a feature that appeared designed to cause potentially catastrophic physical damage to the targeted transmission station’s equipment when … operators turned the power back on.

The new malware, dubbed Industroyer2 … signals that Russia’s most aggressive cyberattack team attempted a third blackout in Ukraine, years after its historic cyberattacks on the Ukrainian power grid in 2015 and 2016. [It also] signals that Sandworm’s grid-hacking days are far from over—despite the group’s apparent transition during the past five years to other forms of disruptive attacks, such as its release in 2017 of the self-spreading NotPetya malware that caused $10 billion in damage worldwide, the Olympic Destroyer cyberattack on the 2018 Winter Olympics, and a mass-scale cyberattack on Georgian websites and TV stations in 2019.

Russia’s invasion of Ukraine has been accompanied by a new wave of cyberattacks on the country’s networks and critical infrastructure, though with only mixed success. For instance … waves of wiper malware infections targeting Ukrainian networks, have had far smaller impacts than previous disruptive hacking operations that have pummeled Ukraine since 2014.

Slovakian cousins ESET analyzed the malware—“Industroyer2: Industroyer reloaded”:

Military Unit 74455 of the … GRU
The attack had been planned for at least two weeks. [It] used ICS-capable malware and regular disk wipers for Windows, Linux and Solaris. … The attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine. … The APT group Sandworm is responsible for this new attack.

In addition to Industroyer2, Sandworm used several destructive malware families including CaddyWiper, ORCSHRED, SOLOSHRED and AWFULSHRED. We first discovered CaddyWiper on 2022-03-14 when it was used against a Ukrainian bank.

In 2017 … we said that “it seems very unlikely anyone could write and test [Industroyer] without access to the specialized equipment used in the specific, targeted industrial environment.” This was confirmed in 2020 by the United States government when six officers of the Russian Military Unit 74455 of the Main Intelligence Directorate (GRU), were indicted for their role in multiple cyberattacks—including Industroyer and NotPetya.

What to think? Gareth Corfield adds color:

This is a significant incident
Sandworm is the infosec industry nickname for GRU Unit 74455. Russian spies. … Sandworm was definitively attributed to the GRU by [the UK government] in 2020.

Most concerningly, the GRU appeared to have gained access to the electricity company’s ICSes. So far the precise lateral movement method … is unknown.

This is a significant incident. I believe it’s the first time Russia’s publicly known to have tried cyber-attacking Ukraine’s electricity grid since the invasion.

.RU FAIL? OldLadyJosie wants to believe:

Is it just me, or is Russia just getting worse and worse at this? Are they going to resort to crank calling next?

That’s nice. But Babel-17 reminds us of what’s at stake:

I guess that’s not as bad as “Plan B”—bomber groups instead of hacker groups. But any kind of escalation, expansion of operations, is cause for concern.

Those of us that get to live lives infinitely less strife-full feel tormented by mere spot shortages of goods, and disruptions of our internet connections. Even getting just brushed by a war, and not actually maimed or killed by it, is so much worse that few of us can easily remember having a hardship deserving of mention in the same breath.

What’s going on here? HistoryDave sounds slightly sarcastic:

They aren’t really interested or capable
I’m sure nobody in the Russian government would ever exaggerate the offensive capabilities of their unit. … As far as groups [like] Fancy and Cozy Bear, maybe we already saw the limits of their capabilities … as opposed to ominous harbingers of much greater capabilities that could somehow be switched on in the event of a war.

My impression has been that … a fair chunk of Russia’s “electronic warfare assets” are semi-privatized groups operating basically as the modern equivalent of privateers. It’s conceivable that converting those groups into actual arms of foreign policy works about as well … as trying to take mercenary private security groups and put them at the front end of your military offensive in Ukraine—which is to say, not very—because they aren’t really interested or capable of more than opportunistic vandalism.

We still don’t know how they got in. Virtucon wonders where the air gaps were:

Stop connecting critical infrastructure to the Internet. … And do not let unauthorized technicians or media anywhere near … your SCADA infrastructure!

What next? CraigJ peers into his crystal ball:

The glorious return of the USSR
The way this is probably going to end up is Russia is going to say give us eastern Ukraine or else, and the West will agree to those new lines. But the Russians will be fighting a war of attrition and insurgency in Ukraine for many years to come, and weapons will continue to flow from the West. Europe will find new sources of energy, and Russia will permanently lose … that revenue.

Russia is going to exist behind an iron curtain of their construction and their economy is utterly ****ed, more or less permanently. … Putin has almost single handedly ****ed Russia’s economy and standing in the world for the foreseeable future.

He wanted the glorious return of the USSR. Well, he’s going to get it and all the isolation and downsides that come with it. Enjoy your Uncle Vanias, *******s.

Meanwhile, Bu11etmagnet makes the ob. Dune gag:

Sandworm hackers? Are they working for the Harkonnen?

And Finally:

u/quinnthecaptain’s masterpiece

Hat tip: jonbob

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce:
Rares ION
(via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
