The Ukrainian government is warning that the Russian military is planning a “massive” attack on the energy infrastructure of Ukraine and its allies that will utilize both cyber and physical attacks.
According to the intelligence branch of the Ukrainian Ministry of Defense, Moscow is preparing a multi-pronged offensive against Ukrainian enterprises as well as critical infrastructure of its allies. Officials believe this will include cyberattacks against energy facilities similar to the kind that Russian hacking group Sandworm undertook to disrupt and shut down power for hundreds of thousands of Ukrainian citizens in 2015 and 2016.
“First of all, the blow will be aimed at enterprises of the energy sector. The experience of cyberattacks on Ukraine's energy systems in 2015 and 2016 will be used when conducting operations,” the ministry said, according to a translated statement.
The ministry also believes that the Russian military will supplement these cyberattacks with physical and kinetic strikes against electric facilities in regions of Ukraine that are within or near territory occupied by Russian troops.
“With this, the enemy will try to increase the effect of missile strikes on electricity supply facilities, primarily in the eastern and southern regions of Ukraine. The occupying command is convinced that this will slow down the offensive actions of the Ukrainian Defense Forces,” the statements said.
The ministry also claims that critical infrastructure entities in Poland as well as the Baltic states (which typically include Estonia, Latvia and Lithuania) will face intensified denial-of-service attacks.
Ukrainian critical infrastructure targeted before in cyberattacks
It’s not clear whether the message represents a general warning or was prompted by new or recent intelligence. SC Media has reached out to the Ukrainian Ministry of Defense for more details.
The attacks against the Ukrainian power grid in 2015 and 2016 are often held up by policymakers as a nightmare scenario underscoring the dangers of digital threats to a country’s critical infrastructure. They are among a handful of world events that have pushed policymakers to develop or consider international agreements prohibiting or discouraging the intentional targeting of a country’s essential services in times of war and peace.
The attacks were attributed by multiple parties to Sandworm, an advanced persistent threat hacking group and a military unit of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, more commonly known as the GRU. In 2019, the U.S. Department of Justice indicted six Russian nationals, accusing them of being part of Sandworm and taking part in the 2015 and 2016 attacks that leveraged malware like BlackEnergy, KillDisk and Industroyer against Ukrainian government agencies and companies supporting their power grid.
While the U.S. and Western governments supporting Ukraine have long feared that cyberattacks used in the war could spill over and affect the IT or infrastructure of other countries, thus far the evidence for such impacts has been limited.
John Hultquist, vice president of intelligence at Mandiant, noted in a statement that “with a few exceptions we have not seen the scaled, serious attacks we expected even before the war began. However, recent setbacks by the Russian military and a steady supply of arms flowing into Ukraine from allies may prompt the Kremlin to consider more aggressive options.
“There is still significant room for Russia to escalate, especially with regards to Ukraine’s allies. So far Russian cyberattacks outside of Ukraine have been very restrained,” Hultquist said. “Russia is under enormous pressure and cyberattacks may give them a means to respond without risking serious military consequences.”
Within the United States, the Cybersecurity and Infrastructure Security Agency has executed a nearly year-long messaging campaign to raise awareness among critical infrastructure and private businesses that Russian malware or destructive cyberattacks targeting Ukrainian assets in cyberspace could indirectly impact their IT assets. They also warned that Russia may at some point decide to directly target countries supporting Ukraine or levying sanctions against Russia.
Last week, CISA Chief of Staff Kiersten Todt told SC Media that Russia’s past behavior, both prior to and during the most recent invasion, has put other nations in an indefinite defensive crouch as they deal with the uncertainty.
“Russia has targeted the power sector, telecommunications, financial sector, media companies, and these events have really put the entire world on urgent notice that protecting critical infrastructure has to be a top national security priority,” Todt said.