Russian cyber attack on UA electrical grid
Latest update on the cyberwar that “is not taking place.”
Russia has been attacking the Ukrainian power grid, just as it was supposed to according to the preconceived models everyone had. So that’s good for the pundits, I guess. They can come out from under their rocks and get back into the policy and norms discussions again.
A threat actor linked to Sandworm attacked the Ukrainian energy sector no later than February 2022. This attack, based on how I read the report, established a foothold that was exploited later for a second-wave attack.
At some time after March 23, 2022, the threat actor installed wipers across the entire network, including multiple substations. These wipers were programmed to activate and destroy computers on April 8th.
The Ukrainian cyber defense forces, assisted by Microsoft and ESET, were able to disable the wipers before the launch date. The full report is linked below, along with the report connecting the actor to Sandworm.
Cyberwar! In this economy?!
These are the salient points, I believe.
- Russia is doing the cyberwar that was “supposed” to happen but so far hasn’t. They are trying to replicate their attacks of 2016, only more destructively this time. They planned and prepared a coordinated shutdown of the electrical grid, which is exactly what everyone was expecting as an opening salvo.
- It seems that planning for the electrical grid attack started after it became clear that the invasion plan had failed. This indicates that leaving the electrical grid out of the initial plan was a strategic decision, not a sign of Russian disregard for offensive cyber capacity.
- The Ukrainian defenses are stronger than expected, in the cyber domain as well as the physical.
The Russians targeted the power grid with cyber capabilities. Their attack failed due to swift, coordinated remediation action by Ukrainian cyber defense forces.
- This might indicate that the Russian initial access was known for some time, and that the blue (and yellow) team was monitoring to see what would develop, which allowed them to step in and prevent the destructive attack.
- More likely, the installation of the malware for the destructive attack was detected, leading to incident response. The analysis revealed what was going on, and the defense forces took action to prevent the scheduled attack.
The Russian failure is likely due to the large delta between the installation of the malware and the date scheduled for the attack. This delta provided sufficient time for the defenders to coordinate and execute remediation action. After all these years, dissemination of cyber defense information in Ukraine must be very fast, having had plenty of time to be streamlined. Similarly, the ability to remediate attacks effectively is probably well developed, again from training and from multiple opportunities to practice against real adversaries.
In a real sense, the Russians are trying to conduct a cyberwar and they are failing due to the ability of the Ukrainian defense forces. This mirrors the experience on the battlefield, where Ukrainian defenses have exceeded expectations. It should not be surprising that the cyberwar is less impressive than many were expecting; the Russian offensive on the ground was also less impressive than everyone was expecting.
In other news
Sandworm is linked to HermeticWiper and now this attempted attack on the electrical grid. It would appear that Sandworm is a key part of the Russian cyber order of battle.
- CIP has linked UAC-0082 with HermeticWiper
- CERT-UA linked Sandworm to UAC-0082