A Russian military-linked hacking group has attempted to infiltrate Ukrainian power substations and deploy malicious code capable of cutting electricity, Ukrainian government officials and private investigators said Tuesday.
The cyberattack appears to have been thwarted, and the Ukrainian government Computer Emergency Response Team said it had prevented the attackers from "carrying out [their] malicious intent." Victor Zhora, a senior Ukrainian cybersecurity official, told CNN that the hack attempt did not affect the provision of electricity at the power company.
Ukrainian officials declined to name the electric utility targeted by the hackers. But Farid Safarov, a deputy minister at Ukraine’s energy ministry, told reporters that about 2 million people could have lost power had the cyberattack been successful.
The US Cybersecurity and Infrastructure Security Agency was working closely with Ukrainian officials to understand the incident and share any relevant information to protect US infrastructure, CISA Director Jen Easterly tweeted Tuesday.
The hackers blamed for the incident — a group known as Sandworm that the US Justice Department has attributed to Russia’s GRU military intelligence agency — are of top concern to cybersecurity researchers around the world because they cut power in parts of Ukraine in 2015 and 2016.
In the recent incident, the hackers tried to deploy malicious code "against high-voltage electrical substations in Ukraine" on April 8, and appeared to make preparations for the attack two weeks prior, according to cybersecurity firm ESET, which investigated the hack.
It’s the type of advanced cyberattack that many US officials and cybersecurity analysts predicted would accompany Russia’s invasion of Ukraine.
"A lot of people were expecting something like this to happen, with critical infrastructure targeted by really advanced malware," Jean-Ian Boutin, ESET’s director of threat research, told CNN.
While this hack may have been thwarted, prior Sandworm hacks in Ukraine have been disruptive.
A 2015 cyberattack that US officials pinned on Sandworm cut power for about a quarter million people in Ukraine. A follow-up hack in 2016 on an electrical substation outside of Kyiv caused a smaller blackout and the malicious code used was more sophisticated, according to analysts.
The hacking tool used in the recent attempted cyberattack on the Ukrainian power company was a variation of the malicious software known as Industroyer that was used in the 2016 hack, ESET researchers said.
"It is something that we don’t see often. And the fact that Industroyer was used years ago … this is very significant," Boutin said.
US officials have been closely monitoring suspected Russian cyberattacks against Ukrainian critical infrastructure before and after Russia’s invasion on February 24. The White House on February 18 blamed a separate hacking incident, which temporarily knocked Ukrainian government and bank websites offline, on the GRU.
CNN has reached out to the White House for comment on the alleged hacking attempt against the Ukrainian power company.
A woman walks with a power plant in the background, in Vinnytsia, Ukraine, March 16, 2022. Ukrainian officials say Russian military hackers tried to knock out power to millions of Ukrainians last week in a long-planned attack but were foiled. (AP Photo/Rodrigo Abd, File)