A new report shows how Russian attackers were able to sabotage Ukraine’s electricity supply much more quickly than before.

The Ukrainian power grid is the target of numerous Russian attacks: Workers repair high-voltage lines in Kherson in December 2022.

Chris Mcgrath / Getty

Attacks on Ukraine’s energy supply are part of Russia’s war tactics. However, the power outages have no direct military benefit. They are intended to wear down the population. Last fall, Russia carried out numerous attacks with missiles and drones.

On October 10, after months of relative calm, attacks on critical infrastructure began across Ukraine. The capital Kiev was under heavy fire. One goal was to damage the energy infrastructure – which succeeded. There were power outages in almost 4,000 towns and villages by the end of the week.

What was not previously known: In at least one case, a cyber attack caused a power outage on October 10th. This may seem negligible given the numerous rocket attacks. But what is remarkable is the attackers’ new approach. There are fears that cyber attacks on critical infrastructure will be carried out more quickly in the future – and will be more difficult to detect.

Attacks on critical infrastructure such as the power supply are considered complex and costly. The Sandworm group, which is attributed to the Russian military intelligence service GRU, had already triggered power outages in Ukraine in 2015 and 2016 using cyber attacks. At that time, very elaborately programmed malware was used, which required a long preparation period.

Such attacks are complex because the power or water supply systems, with their generators, converters or pumps, are controlled using specialised technology. This so-called OT (operational technology) relies on its own systems and protocols. Malware can be written specifically for it, but doing so is so demanding that it currently happens only rarely. To date, only a handful of such malware families are known worldwide.

Attackers could send an order to the substation

In the October 2022 attack, Sandworm therefore took a different approach. The group made use of existing tools, as the security company Mandiant writes in a new report. This enabled the attack to be carried out quickly.

By June 2022 at the latest, the Russian group had gained access to one of the victim’s servers that was connected to the Internet. From there it reached a computer used to control substations and was able to issue commands on it. The attackers probably opened the circuit breakers in the substations this way, and on October 10 the power went out. Two days later, the group used so-called wiper software to delete additional data on the IT systems, which caused further disruptions and destroyed traces of the attack.

The attack on the power supply was made possible by outdated control software from the manufacturer ABB, whose power grid division has since been merged into Hitachi Energy. The old software allowed direct commands to be sent to the substation via an interface. This feature has been disabled by default since a 2014 version. The affected electricity company had evidently not installed the update.

It is not known in which region of Ukraine the Russian cyber attack took place. It is also not known how long the power outage lasted or how many people were affected. The Service for Special Communications and Information Security of Ukraine (SSSCIP) did not respond to a corresponding request.

The Ukrainian authorities reportedly decided against publicizing the incident in detail for security reasons. The fact that Mandiant is now doing this has surprised certain parts of Kiev. The IT security company Mandiant, which has been part of Google for a year, is heavily involved in defending against Russian cyber attacks in Ukraine. It also works with Ukrainian authorities, in the case of this report with the Ukrainian secret service SBU.

Whether Sandworm attacks targets in the West is a political question

Of the numerous Russian cyber units active in Ukraine since the invasion, Sandworm is the only one with a strong focus on sabotage operations. Between October and December 2022, it managed to penetrate the systems of Ukrainian energy companies in three notable cases, the cybersecurity agency SSSCIP wrote in March. This probably also includes the attack described by Mandiant.

What’s notable about this cyber attack is Sandworm’s new tactic. The attackers were probably able to carry out their act of sabotage in around two to three months, without having to invest a lot of effort in the technical development of tools. They simply used the existing technical capabilities of industrial control systems.

It is not new that attackers use programs already installed on the target systems for certain steps. This tactic can sometimes be seen in criminal ransomware groups. It has the advantage that the attacks are harder to detect, because no external malware foreign to the system is introduced.

What is new is that state attackers are also using this approach in OT systems in industrial plants. Sandworm could easily attack other targets this way. The corresponding systems from ABB and Hitachi Energy are in use worldwide. Mandiant analyst Nathan Brubaker is convinced that with existing knowledge of OT, Sandworm could even attack systems from other manufacturers with relative ease.
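The defender’s counterpart to this tactic is that, when no malware is introduced, the only signal left is the legitimate control traffic itself: who issued a switching command, from which host, through which interface, and how many in a row. The following script is an added example and is not code from the article, from Mandiant or from ABB/Hitachi Energy. It parses a constructed, hypothetical SCADA audit log (the log format, host names, user names, interface names and policy thresholds are all assumptions) and flags breaker commands that come from a host or account that is not an operator workstation, that arrive over a legacy command interface that should be disabled, or that fire against several substations within a few seconds, which is the pattern the article describes.

```python
"""Flag suspicious substation switching commands in a (constructed) audit log.

Added example, not part of the article or of any vendor's product. Log
format, host/user/interface names and policy values are hypothetical;
real SCADA systems log differently, so adapt parse_log() to your own trail.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit lines: timestamp, source host, user, command
# interface, action and target substation. Lines 3-6 model a command burst
# from an Internet-facing server over a legacy interface.
SAMPLE_LOG = """\
2022-10-10T01:02:11Z host=HMI-OPS-01 user=operator3 iface=hmi action=status target=SUB-17
2022-10-10T01:15:40Z host=HMI-OPS-01 user=operator3 iface=hmi action=open_breaker target=SUB-17
2022-10-10T03:20:05Z host=SRV-DMZ-02 user=svc_backup iface=legacy_cli action=open_breaker target=SUB-03
2022-10-10T03:20:09Z host=SRV-DMZ-02 user=svc_backup iface=legacy_cli action=open_breaker target=SUB-04
2022-10-10T03:20:13Z host=SRV-DMZ-02 user=svc_backup iface=legacy_cli action=open_breaker target=SUB-05
2022-10-10T03:20:18Z host=SRV-DMZ-02 user=svc_backup iface=legacy_cli action=open_breaker target=SUB-06
"""

# Hypothetical site policy: which hosts and accounts may switch breakers,
# which command interfaces are sanctioned, and how many switching operations
# inside a short window are still plausible for a human operator.
POLICY = {
    "operator_hosts": {"HMI-OPS-01", "HMI-OPS-02"},
    "operator_users": {"operator1", "operator2", "operator3"},
    "allowed_ifaces": {"hmi"},
    "burst_window": timedelta(seconds=60),
    "burst_threshold": 3,
}

# Actions that change the state of the grid, as opposed to read-only queries.
CONTROL_ACTIONS = {"open_breaker", "close_breaker"}


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    iface: str
    action: str
    target: str


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append(Event(
            ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            host=fields["host"], user=fields["user"], iface=fields["iface"],
            action=fields["action"], target=fields["target"],
        ))
    return events


def find_alerts(events, policy=POLICY):
    """Return (timestamp, host, target(s), reason) tuples for suspicious commands."""
    alerts = []
    controls = [e for e in events if e.action in CONTROL_ACTIONS]

    # Rule 1: provenance of each individual switching command.
    for e in controls:
        reasons = []
        if e.host not in policy["operator_hosts"]:
            reasons.append("host is not an operator workstation")
        if e.user not in policy["operator_users"]:
            reasons.append("account is not an authorised operator")
        if e.iface not in policy["allowed_ifaces"]:
            reasons.append(f"command via unsanctioned interface '{e.iface}'")
        if reasons:
            alerts.append((e.ts.isoformat(), e.host, e.target, "; ".join(reasons)))

    # Rule 2: bursts of switching commands from one host (sliding window).
    by_host = {}
    for e in controls:
        by_host.setdefault(e.host, []).append(e)
    for host, evs in by_host.items():
        evs.sort(key=lambda x: x.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > policy["burst_window"]:
                start += 1
            count = end - start + 1
            if count >= policy["burst_threshold"]:
                targets = ",".join(sorted({x.target for x in evs[start:end + 1]}))
                secs = int(policy["burst_window"].total_seconds())
                alerts.append((evs[end].ts.isoformat(), host, targets,
                               f"{count} switching operations within {secs}s"))
                break  # one burst alert per host is enough for this example
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(" | ".join(alert))
```

Run stand-alone, the script prints five alerts: four for the individual commands from the non-operator host over the legacy interface, and one burst alert once three breakers have been opened within the window. The operator’s own breaker command at 01:15 produces nothing, which is the point: the rules key on provenance and tempo rather than on malware signatures, because in an attack of this kind there are none.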

However, according to Brubaker, it remains to be seen whether Russia even wants to attack critical infrastructure outside of Ukraine. This is more a question of political motivation than technical skills. Because one thing is clear: a Russian act of sabotage against Western infrastructure could lead to an escalation.
