Russian hackers targeted the Ukrainian power grid and attempted to cause a blackout that would have hit 2 million people, according to Ukrainian government officials and the Slovakian cybersecurity firm ESET.
The hackers attempted to destroy computers at a Ukrainian energy company using a wiper, malware specifically designed to destroy targeted systems by erasing key data and rendering them useless.
The impact remains unclear. Ukrainian officials say they thwarted the attack, which they say was intended to support Russian military operations in eastern Ukraine. If successful, the hack would have caused the biggest cyber-induced blackout ever.
To support MIT Technology Review’s journalism, please consider becoming a subscriber.
But according to a Ukrainian government document that was shared with international partners in recent weeks, Russian hackers did recently break into a Ukrainian power company and temporarily shut down nine electric substations. The document, which has not been made public, was shared with MIT Technology Review. Ukrainian officials have not responded to a request for comment and have not confirmed whether the two events are linked.
The document, which was written by the state-run Ukrainian Computer Emergency Response Team (CERT), describes “at least two successful attack attempts,” one of which began on March 19, just days after Ukraine joined Europe’s power grid in a bid to end dependence on Russia.
After publication, Victor Zhora, Ukraine’s deputy head of the State Special Service for Digital Development, described the private report as “preliminary” to Wired and called it a “mistake.”
Whether they were successful or not, the cyberattacks on the Ukrainian power grid represent a dangerous continuation in Russia’s aggression against Ukraine through a hacking group known as Sandworm, which the United States has identified as Unit 74455 of Russia’s military intelligence agency.
Hackers believed to be working for Russian intelligence previously disrupted the power system in Ukraine in both 2015 and 2016. While the 2015 attack was largely manual, the 2016 incident was an automated attack carried out using malware known as Industroyer. The malware that investigators found in the 2022 attacks has been dubbed Industroyer2 for its similarity.
“We are dealing with an opponent who has been drilling us for eight years in cyberspace,” Zhora told reporters on Tuesday. “The fact that we were able to prevent it shows that we are stronger and more prepared [than last time].”
Analysts at ESET dissected the code of Industroyer2 to map its capabilities and goals. The hackers tried not only to turn off the power but to destroy computers that the Ukrainians use to control their grid. That would have cut off the ability to bring power back online swiftly using the power company’s computers.
In previous cyberattacks, Ukrainians were able to quickly regain control within hours by reverting to manual operations, but the war has made that extremely difficult. It’s not as easy to send a truck out to a substation when enemy tanks and soldiers could be nearby and the computers have been sabotaged.
“When they are openly waging a war against our country, pummeling Ukrainian hospitals and schools, it doesn’t make sense to hide,” Zhora said. “Once you hit Ukrainian houses with rockets, there is no need to hide.”
Given Moscow’s successful track record of aggressive cyberattacks against Ukraine and around the world, experts have been anticipating that the country’s hackers would show up and cause damage. United States officials have spent months warning about escalation from Russia as it struggles in the ground war with Ukraine.
During the course of the war, Ukraine and the United States have both blamed Russian hackers for using multiple wipers. Financial and government systems have been hit. Kyiv has also been the target of denial of service attacks, which have rendered government websites useless at key moments.
However, the Industroyer2 attack marks the most serious known cyberattack in the war so far. Ukrainian cybersecurity officials are working with Microsoft and ESET to investigate and respond.
It is one of only a handful of incidents publicly known in which government-backed hackers have targeted industrial systems.
The first came to light in 2010, when it was revealed that malware known as Stuxnet had been crafted—reportedly by the United States and Israel—to sabotage Iran’s nuclear program. Russia-backed hackers have also reportedly launched multiple such campaigns against industrial targets in Ukraine, the United States, and Saudi Arabia.
The article was updated to note that a Ukrainian official described the earlier UA-CERT report as “preliminary” and a “mistake.”