Russian hackers from the Sandworm group, made up of General Intelligence Department officers, broke into the network of Vinnytsia Power Supply Company. They tried to repeat their own successful attack of 2016, when the north of Kyiv lost electricity. This time, Ukrainian specialists managed to prevent the power from being switched off.
The attack was disclosed at a joint press conference of Viktor Zhora, Deputy Head of the State Connection Service, and Farid Safarov, Deputy Minister of Energy, the department's press service reports.
They said that on April 7-8, CERT-UA, the team responsible for computer emergencies, received a message from partners about possible malware in the IT systems of one of the regional power companies. The malware was set to activate at 7:10 p.m. on Friday, April 8, when most employees would already have gone home. Its aim was to deprive the civilian population of electricity.
Mr. Zhora declined to say which partner and which power company were involved. In analyzing the attack, CERT-UA thanked two partner companies, Microsoft and the Slovak firm ESET. The latter helped to protect and clean the network and then to analyze the malware samples. Mr. Zhora did not describe Microsoft's role.
According to Forbes, it was Vinnytsia Power Supply Company that was hit by the attack. The company serves 770 thousand consumers, including 750 thousand households, 1,380 industrial facilities and 1,340 agricultural enterprises. According to Farid Safarov, Deputy Energy Minister, up to 2 million people could have been left without electricity.
By the time the CERT-UA specialists began work, part of the infrastructure was already affected. They prevented the malware from spreading and restored the damaged part of the system manually. "No signals have been registered that the power supply has disappeared somewhere," Viktor Zhora said.
Specialists from the Slovak antivirus company ESET, who joined the analysis on April 8, found evidence of a Russian attack. "We compared the new model with Industroyer 2016, found a number of matches in the code and realized that it was the same malware," said Jean-Ian Boutin, ESET's Threat Research Director.
Using the 2016 version of the malware, hackers from the Sandworm group of the General Intelligence Department of the Russian Federation were able to switch off the electricity at a substation in northern Kyiv, leaving part of the city without power.
It is not yet known how Sandworm managed to infiltrate the power company's network. The investigation is ongoing. Safarov said that attacks on Vinnytsia Power Supply Company began in mid-February. The company managed to repel them.
The almost successful attack was prepared far more carefully. The attackers gained access to the company's network, studied it, and identified specific equipment as targets. The parameters of that equipment were specified in the Industroyer2 code.
The malware appeared in the company's networks no later than March 23, the date on which its code was compiled. Industroyer can send commands to the substation switches that control the power supply. In 2016, to restore the network, operators had to go to the substation and reconnect the switches manually.
A detailed investigation and discussions with engineers from Vinnytsia Power Supply Company will show whether that would have been enough to solve the same problem this time.