Russian military hackers attempted to knock out power to millions of Ukrainians last week in a long-planned attack but were foiled, Ukrainian government officials said Tuesday.
"The threat was serious, but it was prevented in a timely manner," a top Ukrainian cybersecurity official, Victor Zhora, told reporters through an interpreter. "It looks that we were very lucky."
The hackers from Russia's GRU military intelligence agency used an upgraded, more sophisticated version of malware first seen in its 2016 attempt to knock out power in Kyiv, officials said, that was designed to target multiple substations.
Authorities did not specify how many substations were targeted or their location, citing security concerns, but a deputy energy minister, Farid Safarov, said "2 million people would have been without electricity supply if it was successful."
Zhora, the deputy chair of the State Special Service of Special Communications, said the malware was programmed to knock out power on Friday evening just as people returned home from work and switched on news reports.
He said that power grid networks were penetrated before the end of February, when Russia invaded, and that the attackers later uploaded the malware, dubbed Industroyer2. The malware succeeded in disrupting one component of the impacted power station's management system.
Zhora would not offer further details or explain how the attack was defeated or which partners may have assisted directly. He did acknowledge the depth of international assistance Ukraine has received in identifying intrusions and the challenges of trying to rid government, power grid and telecommunications networks of attackers.
The Computer Emergency Response Team of Ukraine thanked
Microsoft and the cybersecurity firm ESET for their assistance in dealing with
the power grid attack in a bulletin posted online. ESET said in a blog post
that the destructive attacks had been planned for at least two weeks.
GRU hackers twice successfully attacked Ukraine's power
grid, in the winters of 2015 and 2016. U.S. prosecutors indicted six GRU
officials in 2020 for using a previous version of the Industroyer malware to
attack Ukraine's power grid by gaining control of electrical substation
switches and circuit breakers.
Russia's use of cyberattacks against Ukrainian
infrastructure has been limited compared with experts' pre-war expectations. In
the early hours of the war, however, an attack Ukraine blames on Russia knocked
offline an important satellite communications link that also impacted tens of
thousands of Europeans from France to Poland.
In another serious cyberattack of the war, hackers knocked
offline the internet and cellular service of a major telecommunications company
that serves the military, Ukrtelecom, for most of the day on March 28.
Zhora said "the potential of Russian (state-backed)
hackers has been overestimated" and cited a number of reasons why he
believes cyberattacks have not played a major role in the conflict:
- When the aggressor is pummeling civilian targets with
bombs and rockets there is little need to hide behind covert cyberactivity.
- Ukraine has significantly upped its cyber defenses with
the help of volunteers from sympathetic countries.
- Attacks as sophisticated as this effort to knock out power
are complex and tend to require a lot of time.
"This is not an easy thing to do," Zhora said.
Ukraine has been under steady Russian cyberattack for the
past eight years, with Zhora noting that the attacks have tripled since the
invasion when compared with the same period last year.
Russia has said its invasion was needed to protect civilians
in eastern Ukraine, a false claim the U.S. had predicted Russia would make as a
pretext for the invasion. Ukraine has called Russia's assault a "war of
aggression," saying it "will defend itself and will win."