Ukraine Says It Thwarted a Sophisticated Russian Cyberattack on Its Power Grid
WASHINGTON — Ukrainian officials said on Tuesday that they had thwarted a Russian cyberattack on Ukraine’s power grid that could have knocked out power to two million people, raising fears that Moscow will increase its use of digital weapons in a country already pummeled by war.
Ukraine’s power grid has been knocked offline twice before, in 2015 and 2016, causing widespread blackouts. Russia has long used online attacks alongside traditional warfare; just days before the Russian invasion began on Feb. 24, Ukraine said a cyberattack hit its Defense Ministry, its army and two of its banks.
But experts said the latest hacking — while unsuccessful — was among the most sophisticated cyberattacks they have seen in the war so far. It used a complex chain of malware, including some custom-built to control utility systems, suggesting that Russia had planned the attack over several weeks and intended to maximize the damage by sabotaging computer systems that would be needed to restore the electrical grid.
The attack was scheduled to begin on the evening of April 8 as civilians returned home from work, Ukrainian officials said, and could have made it impossible for them to go about their daily lives or gain access to information about the war. The breach targeted several electrical substations in the country, and had it been successful, it would have deprived roughly two million people of electricity and made it difficult to restore power.
In recent weeks, American officials have warned that Russia could try to expand its cyberwarfare — perhaps even by disrupting American pipelines and electric grids in retaliation for the sanctions that the United States has imposed on Moscow.
Hackers affiliated with the G.R.U., Russia's military intelligence agency, were responsible for the attack, using malware similar to that deployed in the 2016 breach that plunged at least 100,000 people into darkness, Ukraine's security and intelligence service said. That malware, which can issue commands directly to industrial control systems and in effect switch off the lights, is rarely seen: cybersecurity researchers had not detected it on computer systems anywhere outside the 2016 attack, which was also attributed to the G.R.U.
“This is yet more evidence of Russia’s capability,” said John Hultquist, a vice president for threat analysis at the cybersecurity firm Mandiant. “The question is intent. Do they intend to do this outside of Ukraine?”
The hackers customized a version of the 2016 malware for the attack last week on the Ukrainian electrical company and also deployed so-called wiper malware, which is designed to erase data, on its computer systems in an apparent attempt to make it more difficult for the utility to restore service after a blackout began.
“Trying to cut the power is definitely something very significant,” said Jean-Ian Boutin, the director of threat research at the cybersecurity firm ESET, which helped Ukraine analyze the malware. “The fact that they have tools that allow them to do that is very concerning for the future, as well.”
The attackers may have broken into the electrical company’s systems as early as February, Ukrainian officials said, but they emphasized that some details of the attack, including how the intruders made their way into the company’s systems, were not yet known.
Officials declined to name the company that suffered the breach and the region its substations are in, citing fears of continuing cyberattacks.
“It is self-evident that the aggressor’s team, the malefactors, had enough time to get prepared very thoroughly and they planned the execution on a sophisticated, high-quality level,” said Victor Zhora, the deputy head of Ukraine’s cybersecurity agency, the State Service of Special Communications and Information Protection. “It looks that we have been very lucky that we were able to respond in a timely manner to this cyberattack.”
Ukrainian companies in finance, media and energy have been subject to regular cyberattacks since the war began, according to Mr. Zhora. His agency said that since Russia’s invasion began, it had recorded three times as many attacks as it had tracked in the previous year.
The use of wiper malware has become a persistent problem in Ukraine since the war began, with attacks hitting Ukrainian critical infrastructure, including government agencies responsible for food safety, finance and law enforcement, cybersecurity researchers said.
Hackers have also broken into communications systems, including satellite communication services and telecom companies. Investigations into those breaches are continuing, although cybersecurity analysts and U.S. officials believe Russia is responsible. Other hacking groups, including one affiliated with Belarus, have broken into media companies’ systems and social media accounts of high-profile military officials, trying to spread disinformation that claimed Ukraine planned to surrender.
“They are targeting critical infrastructure; however, these attempts were not so sophisticated as compared to today’s recent attack,” Mr. Zhora said of the recent hacking campaigns against Ukrainian companies.
The Justice Department said last week that it had disrupted another cyberattack orchestrated by the G.R.U. Russian hackers had infected networks of private computers with malicious software to create a botnet that could have been used for surveillance or destructive attacks, the department said.
But the Justice Department and the Federal Bureau of Investigation disconnected the networks from the G.R.U.’s own controllers before the botnet could be used in an attack. Using court orders, the F.B.I. gained access to corporate networks in the United States and removed the malware, sometimes without the company’s knowledge, U.S. officials said.
Some analysts believed that Russia would back up its ground invasion with crippling cyberattacks and were puzzled when widespread hacking campaigns did not materialize during the early days of the war. But cybersecurity experts said the complex attack on the electrical company was a sign that Russia was beginning to shift its tactics.
“We see a shift in what’s going on, on the ground, and we see a shift in what’s going on in the cyberrealm as well,” Mr. Boutin said. As Russia reorganizes its troops in Ukraine, it may also begin a new cybercampaign, he added.
“If the Russian advance has dissipated,” Mr. Hultquist said, “this may be another way for them to put pressure in Ukraine.”
Vivek Shankar contributed reporting.