
‘The criminals are guided by the Russian Federation’: Ukraine responds to Industroyer2

LUKASHIVKA, UKRAINE – APRIL 10: A rocket sits in a field near grazing cows on April 10, 2022 in Lukashivka village, Ukraine. The Russian retreat from Ukrainian towns and cities has revealed scores of civilian deaths and the full extent of devastation since the beginning of the Russian invasion. (Photo by Anastasia Vlasova/Getty Images)

Ukrainian government officials filled in new details on an attack against the country's electric supply that they attributed to Russia.

Earlier in the day, ESET and Ukrainian CERT announced that Sandworm, a group the United States has formally linked to Russia, had used a bevy of attacks to try to interrupt electric transformers. Those included an updated version of Industroyer (dubbed Industroyer2), CaddyWiper, a new Linux worm, and new Linux and Solaris wipers.

"We know that the criminals are guided by the Russian Federation, the aggressor country that was trying to stand in our way to get engaged into the Pan European electrical grid," Deputy Minister of Energy for Digital Development, Digital Transformation and Digitization Farid Safarov said at an online press conference Tuesday morning.

Until the invasion began, Ukraine had been attached to the Russian electric grid. The war accelerated a plan to connect to the European grid originally scheduled for next year.

Safarov said that Ukraine has seen a massive uptick in cyberattacks over the past few weeks, recording 50 DDoS attacks in a period in which it saw only two last year. Energy has been the most common target, he said.

ESET had noted that Industroyer2 would have deployed on April 8 had defenders not disabled it in time. At the press conference, Ukrainian officials added that the initial breach appears to have been in late February, with the malware constructed no later than March 23.

Industroyer2 was set to disrupt systems at 4:58, the end of the workday, as people filed home from work.

"If they had been successful, if they had inflicted critical damage, that would have meant 2 million people without electricity supply," Safarov said, referring to civilians, let alone commercial enterprises that are stationed in this region.

Victor Zhora, deputy head of the State Special Service for Digital Development, Digital Transformations and Digitization, emphasized that the attack was intended to harm civilian targets.

"It was supposed to start working in a way to cause electricity outages and a number of areas in Ukraine that [would] deprive the civil population of electricity and I stress the point that this civil infrastructure was targeted to disrupt electricity supply," he said.

Safarov said that Ukrainian cyber defense officials had generally done a good job assisting utilities in defending against Russian attacks. The recent attack slipped through the cracks, he said, because not all utilities use smart infrastructure that could accept Ukraine's sensors to monitor for attacks.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
