Attack carried out same day as series of missile strikes on Ukrainian energy infrastructure.

On November 9, 2023, the cybersecurity firm Mandiant revealed that Russia had carried out a successful cyberattack against a Ukrainian power plant on October 10, 2022. That same day, the Russian army launched a massive strike (84 missiles and 24 drones) on Ukrainian cities, targeting energy infrastructure.

In June 2023, Sandworm, a cybercriminal group with ties to the GRU (Russian military intelligence), infected the computer systems of a power plant in one of the bombed cities. To do so, it used a living-off-the-land (LotL) technique, which relies on the legitimate applications and protocols already present on a device, rather than custom malware, to gain unauthorised access.

On the day of the bombing, Sandworm swung into action and hijacked the plant’s MicroSCADA system, immediately causing it to shut down. Two days later, the attackers deployed a new version of their data-destroying CaddyWiper malware on the plant’s computer systems, this time without targeting the OT (operational technology). According to Mandiant, Sandworm may have been trying to disrupt the staff’s recovery efforts, or to erase traces of its attack.

The cyber incident worries researchers because it could easily be replicated in Ukraine or elsewhere. “We are going to have to ask ourselves tough questions about our ability to defend against this kind of attack,” fears John Hultquist, lead analyst at Mandiant.
