Russian hackers were responsible for a 2022 attack that disabled power grids in Ukraine, Google’s cybersecurity subsidiary Mandiant discovered.
Recorded in October, the incident is the third known assault from Moscow that disrupted Ukrainian energy systems.
The breach, like the incidents in 2015 and 2016, was linked to the Russian Main Intelligence Directorate and its digital warfare unit Sandworm.
According to Mandiant, the “novel attack” caused a series of blackouts across Ukraine. This required Kyiv to temporarily halt power exports and left four regions without electricity.
The power outage between October 10 and 12 coincided with several missile strikes on Ukraine’s vital infrastructure.
Mandiant's paper noted that the attack was carried out in two phases. The first leveraged Ukraine’s own operational technology (OT) to trip the country’s circuit breakers.
The second involved malware called CaddyWiper, which erases Sandworm’s footprint as well as the victim’s data on a system.
Russia’s Digital Capability
Mandiant said that Moscow’s assault on Ukraine’s power grid implies it has an evolved, offensive cyber arsenal to identify various threat types, develop new cyber capabilities, and leverage various OT infrastructure to conduct attacks.
“The actor likely decreased the time and resources required to conduct its cyber physical attack,” Mandiant said.
“While Mandiant was unable to determine the initial intrusion point, our analysis suggests the OT component of this attack may have been developed in as little as two months.”
“This indicates that the threat actor is likely capable of quickly developing similar capabilities against other OT systems from different original equipment manufacturers leveraged across the world.”
Growing Warfare ‘Trend’
Ukraine confirmed the attack, saying in a Reuters report that it “was likely carried out to maximize the impact of Russian missile strikes.”
Ukrainian Cyber Defense Agency Head Victor Zhora added that the incident demonstrated Russia’s competence to execute simultaneous cyber and kinetic assaults on the same target.
“They focus on the energy sector, on critical infrastructure. They strike it with cruise missiles, and they will continuously attempt to hit with cyber tools,” Zhora stated in an NBC interview.
“That’s the trend, that they are focusing on civilian targets. That case was a signal for all of us that we should work harder and improve the situation immediately because it can cause real issues for all of us.”
“I hope that we use this year to become more prepared, to expect attacks during this autumn and winter.”