“We were very lucky.” At a press conference, the deputy director of the agency responsible for cybersecurity in Ukraine, Viktor Zhora, did not hide his relief. The Ukrainian authorities announced on Tuesday, April 12, that they had thwarted, in the preceding days, a computer attack designed to deprive “millions” of Ukrainians of electricity.
The Kyiv authorities had in fact discovered, in the networks of the company responsible for supplying electricity to a Ukrainian region, malicious software programmed to cut off the power on Friday, April 8, shortly after 7 p.m.
Discovered in time and deactivated, the computer attack had no effect, according to the Ukrainian authorities. “But the planned disruption was enormous,” according to Mr. Zhora. A document published by the MIT Technology Review, presented as emanating from the Ukrainian government, undated and describing facts very close to those publicly mentioned by Kyiv, specifies, however, that the attack did manage to “temporarily shut down nine electrical substations”.
One of the most important regions of the country
The authorities did not want to specify which company was targeted, nor the region concerned – except that the latter was one of the largest in the country, according to Farid Safarov, the deputy energy minister.
It all started a few days earlier with a warning received by the Ukrainian authorities from a “partner” – Kyiv did not want to specify who – about the potential compromise of part of the Ukrainian power grid.
The Ukrainian experts quickly discovered that a company in the sector had indeed been infected, and had been for several weeks at least. The infection first affected its “classic” office network, on which so-called “wiper” software was discovered, designed to erase data and render computer systems inoperative. One of them, nicknamed “CaddyWiper”, had already been detected in the networks of a Ukrainian bank and of a government entity, without doing any noticeable damage.
Another, older virus, called “Industroyer”, (…) had deprived several tens of thousands of Ukrainian homes of electricity in the middle of winter in 2016.
In addition to this office network, the one dedicated to controlling the electrical grid was also targeted. The authorities discovered software there which, according to the Slovak company ESET, a reference in the digital security of industrial systems that was able to analyze the attack directly, bears very clear resemblances to another, older virus, called “Industroyer”. The latter was deployed in 2016 in the Kyiv region and deprived tens of thousands of Ukrainian homes of electricity in the middle of winter. It had not been heard of for five years.
Its successor, logically called “Industroyer2” by the Ukrainian authorities and by ESET, marks a clear step up in the sophistication of the computer attacks targeting Ukraine. Since the start of the Russian invasion, the low intensity of the (numerous) attacks had surprised many experts. In recent weeks, the Ukrainian authorities and specialized companies have regularly announced the discovery of malicious software, without it doing significant damage.
Russian military intelligence on the move
This attack, on the contrary, seemed designed to inflict maximum damage, in a sector “of critical importance to the life of this country”, in the words of Mr. Zhora. ESET's analysis of the attack also reveals that the hackers had taken measures to erase their traces once the hostilities had started.
According to the company – but also the Ukrainian authorities – the authors of Industroyer2 are the same as those of its predecessor: Unit 74455 of the GRU, the Russian military intelligence service, several members of which have already been indicted by American courts, accused of having carried out large-scale attacks over the past ten years, in particular against Ukraine.
This discovery confirms the growing role of the GRU, one of the main troublemakers in cyberspace, in the digital side of the Russian invasion of Ukraine. It also shows that the Russian security apparatus is far from having abandoned its attempts to attack the energy sector. Recently, American justice accused several individuals, members of the FSB, the Russian security service, of being behind a group of hackers that has targeted many companies in the sector in recent years.
This computer attack could prefigure others, as the Russian army prepares for the second phase of its invasion. For Mr. Zhora, the attack, which was due to take place only a few days earlier, was supposed “to reinforce the hostility of the soldiers who continue to kill the civilian population” and who are now turning their weapons towards the Donbass.