“We have been very lucky.” At a press conference, Viktor Zhora, the deputy director of the agency responsible for cybersecurity in Ukraine, made no secret of his relief. On Tuesday, April 12, the Ukrainian authorities announced that they had thwarted a computer attack aimed at “millions” of Ukrainians.
Specifically, the Kiev authorities discovered malicious software in the networks of the company responsible for supplying electricity to a Ukrainian region, programmed to cut the power on Friday, April 8, shortly after 7 p.m.
Discovered and deactivated in time, the computer attack had no effect, according to the Ukrainian authorities. “But the planned disruption was huge”, according to Mr. Zhora. However, a document published by the MIT Technology Review, presented as coming from the Ukrainian government, undated and describing facts very close to those publicly cited by Kiev, specifies that the attack succeeded in “temporarily shutting down nine electrical substations”.
One of the most important regions of the country
The authorities would not specify which company was targeted, nor which region, except to say that the latter was one of the largest in the country, according to Farid Safarov, the deputy energy minister.
It all started a few days ago with a warning the Ukrainian authorities received from a “partner” – Kiev did not specify who – about the possible compromise of part of the Ukrainian electricity grid.
Ukrainian experts soon discovered that a company in the sector had indeed been infected, for at least several weeks. The infection primarily concerned the “classic” office network, on which so-called “wiper” software was discovered, designed to wipe data and shut down computer systems. One of them, nicknamed “CaddyWiper”, had already been detected in the networks of a Ukrainian bank and a government agency, without causing any significant damage.
In addition to this office network, the network for monitoring the electricity grid was also targeted. There, the authorities discovered software that, according to the Slovak company ESET, a reference in the digital security of industrial systems which was able to analyze the attack directly, bears very clear similarities to another, older virus called “Industroyer”. The latter was deployed in 2016 in the Kiev region and had deprived tens of thousands of Ukrainian homes of electricity in the middle of winter. It had not been heard of for five years.
Its successor, logically named “Industroyer2” by the Ukrainian authorities and ESET, marks a clear step up in the sophistication of computer attacks on Ukraine. Since the beginning of the Russian invasion, the low intensity of the (numerous) attacks had surprised many experts. The Ukrainian authorities and specialized companies have regularly announced the discovery of malicious software in recent weeks, without it doing any significant damage.
Russian military intelligence on the move
This attack, on the other hand, seemed intended to inflict maximum damage in a sector “critical to the life of this country”, in the words of Mr. Zhora. ESET’s investigation into the attack also revealed that the hackers took steps to cover all their tracks once hostilities began.
According to the company – but also the Ukrainian authorities – the authors of Industroyer2 are the same as those of its predecessor: Unit 74455 of the GRU, the Russian military intelligence service, several of whose members have already been indicted by US courts, accused of committing large-scale attacks over the past ten years, notably against Ukraine.
This discovery confirms the rise of the GRU, one of the biggest troublemakers in cyberspace, on the digital side of the Russian invasion of Ukraine. It also shows that the Russian security apparatus is far from giving up its attempts to attack the energy sector. Not so long ago, the American justice system indicted several members of the FSB, the Russian security services, accused of being behind a group of hackers that has targeted many companies in the sector in recent years.
This computer attack could be a harbinger of others as the Russian military prepares for the second phase of its invasion. For Mr. Zhora, the attack, which was supposed to take place just a few days ago, was meant “to amplify the hostility of the soldiers who continue to kill the civilian population” and who are now pointing their weapons at the Donbass.