
Ukraine warns Russia planning multi-pronged attack against energy sector

Pictured: A Kraken Special Forces soldier patrols Kupiansk, Ukraine, on Sept. 24 as fighting continues. (Photo by Paula Bronstein/Getty Images)

The Ukrainian government is warning that the Russian military is planning a “massive” attack on the energy infrastructure of Ukraine and its allies that will utilize both cyber and physical attacks.

According to the intelligence branch of the Ukrainian Ministry of Defense, Moscow is preparing a multi-pronged offensive against Ukrainian enterprises as well as critical infrastructure of its allies. Officials believe this will include cyberattacks against energy facilities similar to the kind that Russian hacking group Sandworm undertook to disrupt and shut down power for hundreds of thousands of Ukrainian citizens in 2015 and 2016.

“First of all, the blow will be aimed at enterprises of the energy sector. The experience of cyberattacks on Ukraine's energy systems in 2015 and 2016 will be used when conducting operations,” the ministry said, according to a translated statement.

The ministry also believes that the Russian military will supplement these cyberattacks with physical and kinetic strikes against electric facilities in regions of Ukraine that are within or near territory occupied by Russian troops.  

“With this, the enemy will try to increase the effect of missile strikes on electricity supply facilities, primarily in the eastern and southern regions of Ukraine. The occupying command is convinced that this will slow down the offensive actions of the Ukrainian Defense Forces,” the statement said.

The ministry also claims that critical infrastructure entities in Poland as well as the Baltic states (which typically include Estonia, Latvia and Lithuania) will face intensified denial of service attacks.

Ukrainian critical infrastructure targeted before in cyberattacks

It’s not clear whether the message represents a general warning or was prompted by new or recent intelligence. SC Media has reached out to the Ukrainian Ministry of Defense for more details.

The attacks against the Ukrainian power grid in 2015 and 2016 are often held up by policymakers as a nightmare scenario underscoring the dangers of digital threats to a country’s critical infrastructure. They are among a handful of world events that have pushed policymakers to develop or consider international agreements prohibiting or discouraging the intentional targeting of a country’s essential services in times of war and peace.

The attacks were attributed by multiple parties to Sandworm, an advanced persistent threat hacking group and a military unit of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, more commonly known as the GRU. In 2019, the U.S. Department of Justice indicted six Russian nationals, accusing them of being part of Sandworm and taking part in the 2015 and 2016 attacks that leveraged malware like BlackEnergy, KillDisk and Industroyer against Ukrainian government agencies and companies supporting their power grid.

While the U.S. and Western governments supporting Ukraine have long feared that cyberattacks used in the war could spill over and affect the IT or infrastructure of other countries, thus far the evidence for such impacts has been limited.

John Hultquist, vice president of intelligence at Mandiant, noted in a statement that “with a few exceptions we have not seen the scaled, serious attacks we expected even before the war began. However, recent setbacks by the Russian military and a steady supply of arms flowing into Ukraine from allies may prompt the Kremlin to consider more aggressive options.   

“There is still significant room for Russia to escalate, especially with regards to Ukraine’s allies. So far Russian cyberattacks outside of Ukraine have been very restrained,” Hultquist said. “Russia is under enormous pressure and cyberattacks may give them a means to respond without risking serious military consequences.”

Within the United States, the Cybersecurity and Infrastructure Security Agency has executed a nearly year-long messaging campaign to raise awareness among critical infrastructure and private businesses that Russian malware or destructive cyberattacks targeting Ukrainian assets in cyberspace could indirectly impact their IT assets. They also warned that Russia may at some point decide to directly target countries supporting Ukraine or levying sanctions against Russia.

Last week, CISA Chief of Staff Kiersten Todt told SC Media that Russia’s past behavior, both prior to and during the most recent invasion, has put other nations in an indefinite defensive crouch as they deal with the uncertainty.

“Russia has targeted the power sector, telecommunications, financial sector, media companies, and these events have really put the entire world on urgent notice that protecting critical infrastructure has to be a top national security priority,” Todt said.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
