The notorious unit of Russia's GRU military intelligence agency known as Sandworm remains the only team of hackers to have ever triggered blackouts with their cyberattacks, turning off the lights for hundreds of thousands of Ukrainian civilians not once, but twice within the past decade. Now it appears that in the midst of Russia's full-scale war in Ukraine, the group has achieved another dubious distinction in the history of cyberwar: It targeted civilians with a blackout attack at the same time missile strikes hit their city, an unprecedented and brutal combination of digital and physical warfare.
Cybersecurity firm Mandiant today revealed that Sandworm, a cybersecurity industry name for Unit 74455 of Russia's GRU spy agency, carried out a third successful power grid attack targeting a Ukrainian electric utility in October of last year, causing a blackout for an unknown number of Ukrainian civilians. In this case, unlike any previous hacker-induced blackouts, Mandiant says the cyberattack coincided with the start of a series of missile strikes targeting Ukrainian critical infrastructure across the country, which included victims in the same city as the utility where Sandworm triggered its power outage. Two days after the blackout, the hackers also used a piece of data-destroying "wiper" malware to erase the contents of computers across the utility's network, perhaps in an attempt to destroy evidence that could be used to analyze their intrusion.
Mandiant, which has worked closely with the Ukrainian government on digital defense and investigations of network breaches since the start of the Russian invasion in February of 2022, declined to name the targeted electric utility or the city where it was located. Nor would it offer information like the length of the resulting power loss or the number of civilians affected.
Mandiant does note in its report on the incident that as early as two weeks before the blackout, Sandworm's hackers appear to have already possessed all the access and capabilities necessary to hijack the industrial control system software that oversees the flow of power at the utility's electrical substations. Yet it appears to have waited to carry out the cyberattack until the day of Russia's missile strikes. While that timing may be coincidental, it more likely suggests coordinated cyber and physical attacks, perhaps designed to sow chaos ahead of those air strikes, complicate any defense against them, or add to their psychological effect on civilians.
"The cyber incident exacerbates the impact of the physical attack," says John Hultquist, Mandiant's head of threat intelligence, who has tracked Sandworm for nearly a decade and named the group in 2014. "Without seeing their actual orders, it's really hard on our side to make a determination of whether or not that was on purpose. I will say that this was carried out by a military actor and coincided with another military attack. If it was a coincidence, it was a terribly interesting coincidence."
The Ukrainian government's cybersecurity agency, SSSCIP, declined to fully confirm Mandiant's findings in response to a request from WIRED, but it didn't dispute them. SSSCIP's deputy chair, Viktor Zhora, wrote in a statement that the agency responded to the breach last year, working with the victim to "minimize and localize the impact." In an investigation over the two days following the near-simultaneous blackout and missile strikes, he says, the agency confirmed that the hackers had found a "bridge" from the utility's IT network to its industrial control systems and planted malware there capable of manipulating the grid.
Mandiant's more detailed breakdown of the intrusion shows how the GRU's grid hacking has evolved over time to become far more stealthy and nimble. In this latest blackout attack, the group used a "living off the land" approach that has become more common among state-sponsored hackers seeking to avoid detection. Instead of deploying their own custom malware, they exploited the legitimate tools already present on the network to spread from machine to machine before finally running an automated script that used their access to the facility's industrial control system software, known as MicroSCADA, to cause the blackout.
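The "living off the land" pattern described above (legitimate tools on the network, a pivot from the IT side to the industrial control hosts, then a script run on the SCADA host) is exactly what a defender's hunt logic should key on. The following Python script is an added illustration, not Mandiant's or SSSCIP's tooling and not tied to MicroSCADA internals: it reads constructed process-creation and logon records for an OT host, flags logons that arrive from the IT address range, and then flags built-in scripting tools launched on that host by the same account shortly afterwards. The log format, the IT/OT address plan, the host and user names, and the tool list are all assumptions made for the example.

```python
"""Hunt for an IT-to-OT pivot followed by native-tool execution on an ICS host.

Added example for illustration only; the log format, address ranges, host names
and accounts below are constructed, not taken from any real utility."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed address plan: business (IT) network vs. industrial (OT) network.
IT_NET = ipaddress.ip_network("10.20.0.0/16")
OT_NET = ipaddress.ip_network("10.50.0.0/16")

# Windows built-ins an intruder can reuse instead of dropping custom malware.
NATIVE_TOOLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "wmic.exe"}

# A native tool launched within this window after a cross-zone logon is suspicious.
WINDOW = timedelta(minutes=30)

# Constructed sample records: one operator session from inside OT (benign) and one
# service-account session arriving from the IT range that then runs scripting tools.
SAMPLE_LOGS = """\
2022-10-10T09:02:11Z event=logon host=scada-01 zone=OT src=10.50.3.8 user=operator
2022-10-10T09:15:42Z event=logon host=scada-01 zone=OT src=10.20.7.21 user=svc_backup
2022-10-10T09:19:05Z event=process host=scada-01 zone=OT user=svc_backup image=C:\\Windows\\System32\\cmd.exe
2022-10-10T09:20:30Z event=process host=scada-01 zone=OT user=svc_backup image=C:\\Windows\\System32\\wscript.exe
2022-10-10T11:05:00Z event=process host=scada-01 zone=OT user=operator image=C:\\Windows\\System32\\cmd.exe
2022-10-10T11:10:00Z event=logon host=fileserver-02 zone=IT src=10.20.7.21 user=svc_backup
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    ts_text, _, rest = line.partition(" ")
    record = dict(re.findall(r"(\w+)=(\S+)", rest))
    record["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return record


def analyze(log_text):
    """Return findings in log order: IT->OT logons, then native tools run by
    the same (host, user) within WINDOW of such a logon."""
    findings = []
    cross_zone_logons = {}  # (host, user) -> time of last logon from the IT range
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("zone") != "OT":
            continue  # only OT hosts are in scope for this hunt
        key = (rec.get("host"), rec.get("user"))
        if rec.get("event") == "logon":
            src = ipaddress.ip_address(rec["src"])
            if src in IT_NET:
                cross_zone_logons[key] = rec["ts"]
                findings.append({"kind": "it_to_ot_logon", "ts": rec["ts"],
                                 "host": rec["host"], "user": rec["user"], "src": str(src)})
        elif rec.get("event") == "process":
            image = rec.get("image", "").rsplit("\\", 1)[-1].lower()
            logon_ts = cross_zone_logons.get(key)
            if image in NATIVE_TOOLS and logon_ts and rec["ts"] - logon_ts <= WINDOW:
                findings.append({"kind": "native_tool_after_it_logon", "ts": rec["ts"],
                                 "host": rec["host"], "user": rec["user"], "image": image})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f['ts'].isoformat()} {f['kind']} host={f['host']} user={f['user']}")
```

On the sample data the operator's `cmd.exe` launch is not reported because that session originated inside the OT range; the service account's two tool launches are, because they follow a logon from the IT range within the window. In a real deployment the value of a rule like this comes from the address plan being accurate and from the OT zone having few enough legitimate cross-zone sessions that each one is worth a look.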
In Sandworm's 2016 blackout that hit a transmission station north of the capital of Kyiv, by contrast, the hackers used a custom-built piece of malware known as Crash Override or Industroyer, capable of automatically sending commands over several protocols to open circuit-breakers. In another Sandworm power grid attack in 2022, which the Ukrainian government has described as a failed attempt to trigger a blackout, the group used a newer version of that malware known as Industroyer2.
Mandiant says Sandworm has since transitioned away from that highly customized malware, in part, because defenders' tools can more easily spot it to head off intrusions. "That increases the chance you're getting caught or exposed or you won't actually get to carry out your attack," says Nathan Brubaker, Mandiant's head of emerging threats and analytics.
Like the GRU's hackers as a whole, Sandworm's power grid hackers also appear to be accelerating the tempo of their utility attacks. Mandiant's analysts say that in contrast to the group's previous blackouts, in which they lay in wait inside Ukrainian utility networks for more than six months prior to launching a power-cutting payload, this latest case unfolded on a much shorter timeline: Sandworm appears to have gained access to the industrial control system side of the victim's network only three months prior to the blackout and developed their technique to cause that blackout around two months later.
This speed is a sign that the group's newer "living off the land" tactics may not just be stealthier than the carefully built custom malware used in the past, but nimbler too. "Especially during a time of war, you need to be agile and adjust based on your target," says Brubaker. "This gives them a much better ability to do that than having to prep for years ahead."
Around 48 hours after the blackout, according to Mandiant, Sandworm still retained enough access to the victim's machines to launch a piece of malware called CaddyWiper, the most common data-destroying tool deployed by the GRU since the start of Russia's invasion in February 2022, to erase the contents of computers across its IT network. While that appears to have been an attempt to complicate defenders' analysis of Sandworm's footprints, the hackers somehow didn't deploy that data-destroying tool on the industrial control side of the utility's network.
Both Mandiant and SSSCIP's Zhora emphasize that despite Sandworm's evolution, and as historically significant as any hacker-induced blackout may be, the October 2022 incident shouldn't be taken as a sign that Ukraine's digital defenses are failing. On the contrary, they say they've seen Russia's state-sponsored hackers launch dozens of failed attacks on Ukrainian critical infrastructure for every attack that, like this case, achieved a dramatic outcome. "It's an absolute testament to the Ukrainian defenders that this incident was so isolated," Hultquist says.
In fact, exactly what Sandworm's latest blackout—this time tied to a physical strike—actually accomplished for Russia's invasion force remains far from clear. Mandiant's Hultquist argues that, more than any tactical effect, such as disabling the ability to defend against the missile strike or warn civilians, the blackout was more likely intended as another opportunistic psychological blow, intended to compound victims' feeling of chaos and helplessness.
But he notes that a single blackout caused by a cyberattack may no longer move the psychological needle in a country that has been under constant bombardment for the better part of two years and whose citizens' resolve to fight the invading force has only been steeled by those relentless attacks. He adds that, rather than multiplying the effects of the missile strike it coincided with, it's just as possible that Sandworm's carefully executed blackout was overshadowed by the physical attacks that followed.
"This is another way to break the resolve of the civilian populace as part of a greater strategy to bring Ukrainians to heel," says Hultquist. "That doesn't mean it's had any success. It's difficult to have a psychological cyber impact in a world where missiles are flying."
Update 10 am ET, November 9, 2023: The Sandworm blackout using the Crash Override malware took place in 2016, not 2017.