BOSTON (AP) — Russian military hackers attempted to knock out power to millions of Ukrainians last week in a long-planned attack but were foiled, Ukrainian government officials said Tuesday.
The hackers succeeded in compromising and disrupting part of an industrial control system at one high-voltage power station. However, the people defending the station were able to prevent any electrical outages.
“The threat was serious, but it was prevented in a timely manner,” a top Ukrainian cybersecurity official, Victor Zhora, told reporters through an interpreter. “It looks like we were very lucky.”
The hackers from Russia’s GRU military intelligence agency used an upgraded version of the malware first seen in their successful 2016 attack that caused blackouts in Kyiv, officials said, this time customized to target multiple substations. Malware they distributed at the same time was designed to disable computer operating systems and prevent recovery.
Authorities did not specify how many substations were targeted or their location, citing security concerns, but a deputy energy minister, Farid Safarov, said “2 million people would have been without electricity supply if it was successful.”
Zhora is the vice chair of the State Service of Special Communications. He said the malware was designed to cut off power at the time people return home from work and switch on the news.
According to him, the attackers gained access to the power grid before Russia invaded in February, then uploaded the Industroyer2 malware. The malware succeeded in disrupting one component of the affected station’s management systems, also known as SCADA systems.
Zhora did not explain how the attack was defeated or who was involved in defeating it. He acknowledged the importance of the international assistance Ukraine has received in identifying intrusions, as well as the difficulty of evicting attackers from government, power grid and telecommunications networks, but offered no further details. Personnel from U.S. Cyber Command are among those helping.
Cyber Command was not available to answer a question about whether it had assisted with the emergency response.
Ukraine’s Computer Emergency Response Team thanked Microsoft and the cybersecurity firm ESET for their help in responding to the attack on Ukraine’s power grid.
Officials said the destructive attacks had been planned at least since March 23, and Zhora speculated it was timed by Russia to “invigorate” its soldiers after they took heavy losses in a failed bid to capture Kyiv, the capital.
Zhora said that Russian cyberattacks hadn’t succeeded in taking out power from Ukraine since the invasion.
GRU hackers from a group that researchers call Sandworm twice successfully attacked Ukraine’s power grid — in the winters of 2015 and 2016. U.S. prosecutors indicted six GRU officials in 2020 for using a previous version of the Industroyer malware to attack Ukraine’s power grid by gaining control of electrical substation switches and circuit breakers.
Industroyer was the tool Sandworm hackers used in 2016 to switch circuit breakers on and off, according to Jean-Ian Boutin, director of threat analysis at ESET.
“We know that Industroyer still has the capability to turn off circuit breakers,” he said.
ESET, in close collaboration with Ukrainian response teams, also discovered that disk-wiping malware was used to infect the networks of the target plants.
Successfully activating the malware would have rendered plant systems inoperable, seriously hindering remediation and recovery and destroying the attackers’ digital footprints, Boutin said.
He said CaddyWiper was one of the malware types used to attack the bank; ESET first discovered it in mid-March.
Western prosecutors have accused Sandworm of being responsible for several high-profile cyberattacks. The most notable was the 2017 NotPetya wiper virus, which destroyed the data of entire networks of computers in companies operating in Ukraine.
Russia’s use of cyberattacks against Ukrainian infrastructure during its invasion has been limited compared with experts’ pre-war expectations. However, a Russian attack on Ukraine’s infrastructure in the first hours of the war knocked out an important satellite communications link, which also affected tens of thousands of Europeans in France, Poland and other countries.
Hackers also took down internet and mobile service at Ukrtelecom, another major telecommunications firm that supports the military.
Zhora said “the potential of Russian (state-backed) hackers has been overestimated” and cited a number of reasons why he believes cyberattacks have not played a major role in the conflict:
— When the aggressor is pummeling civilian targets with bombs and rockets, there is little need to hide behind covert cyber activity.
— Ukraine has significantly upped its cyber defenses with the help of volunteers from sympathetic countries.
— Attacks as sophisticated as this effort to knock out power are complex and tend to require a lot of time.
“This is not an easy thing to do,” Zhora said.
For the last eight years Ukraine has suffered constant Russian cyberattacks. Zhora noted that attacks on Ukraine have tripled since the invasion compared with the previous year.
Russia claimed that its invasion of Ukraine was necessary for civilian protection. The false claim, which the U.S. had predicted Russia would make to justify the invasion, has been disputed by Russia. Ukraine has called Russia’s assault a “war of aggression,” saying it “will defend itself and will win.”
Alan Suderman in Richmond, Virginia, contributed to this report.