Russia’s ‘Infamous Sandworm’ Hackers Tried to Attack Ukraine’s Energy Company

The infamous Russian government hacking group known as Sandworm targeted a Ukrainian energy company with destructive malware, according to security researchers and Ukraine’s government. ;

The attack used a piece of malware designed to target “high-voltage electrical substations in Ukraine,” according to cybersecurity firm ESET, which published a report on the attack on Tuesday. Ukraine’s Governmental Computer Emergency Response Team or CERT-UA, also published a statement regarding the attack, saying it had taken “urgent measures” to respond to it.

“The implementation of the malicious plan has so far been prevented,” according to an online translation of CERT-UA’s announcement. 

Researchers called the malware Industroyer2, in reference to malware that was used in late 2016 by the same hacking group against Ukraine’s energy grid. At the time, the attacks caused power outages in the country using malware that researchers called Industroyer or Crash Override. 

In this recent operation, Sandworm also used “several destructive malware families” designed to wipe computer systems. Some of this malware had already been deployed against a Ukrainian bank last week, according to ESET. 

Since the beginning of Russia’s invasion into Ukraine, researchers at several cybersecurity companies said that Russian hackers have used several wipers against different targets in Ukraine. 

“Ukraine is once again at the center of cyberattacks targeting their critical infrastructure. This new Industroyer campaign follows multiple waves of wipers that have been targeting various sectors in Ukraine,” ESET wrote in its report. 

Industroyer2 was specifically designed to target the industrial control system, or ICS, of a Ukrainian energy company, which was not named by ESET nor CERT-UA. The malware was capable of cutting the power, according to ESET. 

ESET’s report said that Sandworm launched Industroyer2 on April 8, and later on the same day they executed the wiper malware CaddyWiper “to erase Industroyer2 traces.” 

Sandworm, which was profiled in Andy Greenberg’s book Sandworm, is widely believed to be a group of hackers working for Russia’s Main Intelligence Directorate (GRU), according to multiple cybersecurity firms, as well as the US government. In October of 2020, the Department of Justice charged six GRU officers accusing them of a series of prominent cyberattacks, such as the destructive malware NotPetya, which spread across the world reportedly causing more than $10 billion in damages, the hack before the French elections, and an attack on computer systems used in the 2018 PyeongChang Winter Olympic Games. 

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.