The Limited Times


Russian malware: Ukraine apparently stops hacker attack on power supply

2022-04-13T14:23:14.278Z


The notorious hacker group "Sandworm" probably tried to trigger a blackout in Ukraine on Friday. The group is considered part of the Russian secret service, and this is not the first time.


On Friday afternoon, April 8, hackers are said to have tried to cause a power outage affecting around two million Ukrainians.

At least that's what Farid Safarov, the country's deputy energy minister, reported on Tuesday at a press conference in which his government gave details of a hacker attack that had been foiled.

At 4:10 p.m. local time, the "Industroyer2" malware was supposed to activate and paralyze substations in Ukraine, writes the IT security company Eset.

The company investigated details of the attack in cooperation with the Ukrainian authorities and summarized them in a blog post.

According to the post, the malware is a new, previously unknown variant of the notorious "Industroyer" software.

Shortly before Christmas 2016, the original caused a power failure in parts of Kyiv.

A reminder that Ukraine has been a battleground for so-called cyber warfare for years.

The buzzword is often used hastily, but it is quite appropriate in the case of the devastating attacks on the power grid, which were carried out on a large scale for the first time in Ukraine.

"Since 2014 we have faced continuous aggression.

We are dealing with an opponent who constantly challenges us," said Viktor Zhora, a high-ranking official of the Ukrainian IT security authority, on Tuesday at a press conference on the hacker attacks.

The authorities did not reveal which parts of the Ukrainian power grid the attackers were targeting this time.

Apparently, the attackers targeted substations, but also servers, network equipment and computers in the energy sector, according to the Ukrainian Cyber Security Agency.

According to the agency, the attackers had already infiltrated the systems at least two months ago.

The attackers are said to have made the malware, with which the substations were to be sabotaged, ready for use on March 23rd.

According to the information, the attackers brought more than one hacking tool: according to the cyber security authority of Ukraine and the Eset analysts, the attack was flanked by other malware, including a so-called wiper, software that tries to delete data on hard drives.

All of this apparently with the aim of covering up tracks and making it more difficult for the Ukrainian IT experts to defend themselves.

Old acquaintance

The complexity and the long preparation time alone indicate that the attackers are particularly technically adept.

In addition, the control systems used in the energy sector are complex.

Anyone who wants to sabotage them with hacking attacks needs access to such systems themselves in order to test their digital weapons on them.

But not only these indications point to a state actor behind the hacking attack.

After an initial analysis of the program code of "Industroyer2", the experts from Eset and the Ukrainian authorities are certain that the trail of the hackers leads to old acquaintances: the hacker group "Sandworm".

According to US investigators and the unanimous assessments of various experts, the group in turn is part of the Russian military intelligence service GRU.

There they are said to work under the name Unit 74455.

Because this term is not so catchy, IT experts years ago named the group after the powerful sandworm creatures from the sci-fi epic »Dune«.

The group is said to be responsible not only for the first hacking attacks on the Ukrainian power grid around six years ago.

It is also suspected of being behind attempted hacks on Emmanuel Macron's 2017 election campaign and the 2018 Winter Olympics.

It is also said to be responsible for the devastating NotPetya worm, which also targeted Ukraine five years ago.

Journalist Andy Greenberg, who wrote a recommended book about the group, calls Sandworm "Russia's most aggressive cyberattack team."

The Federal Office for the Protection of the Constitution classifies the hackers as a particularly dangerous group supported by the secret service.

In a quartet game created by the Office for the Protection of the Constitution to illustrate the danger posed by secret service hackers, the group is given a "pain factor" of 8 on a scale of 1 to 10.

Positive balance

The Ukrainian authorities also see something positive in the recent attack - namely that they were able to thwart the attack.

“We are stronger.

We are better prepared.

And of course we will win,” said Viktor Zhora.

The continuous hacker attacks on his country have also strengthened its defense capabilities.

When it comes to defending against hacking attacks, the country's authorities are not on their own.

In addition to the Slovakian IT security company Eset, which is well versed in state hacking groups, Microsoft also helped to defend against and analyze the attack in the current case.

The current attack with "Industroyer2" joins other cyber attacks that have hit Ukraine in recent weeks, while Russian troops invaded the country.

Before the current attack, IT experts counted seven wiper attacks on Ukrainian facilities aimed at deleting data and rendering systems unusable.

The Viasat satellite network used by the Ukrainian military was also specifically hacked in Eastern Europe on the morning of the Russian attack.


Our current Netzwelt reading tips for SPIEGEL.de

  • "Be afraid and expect the worst" (ten minutes reading time)


    Even before the Russian invasion of Ukraine, colleagues Christian Esch, Marcel Rosenbach and Lina Verschwele from Kiev and Berlin reported on the Ukrainian path to a highly digitized state - and how the country defends itself against cyber attacks.

  • "When the invasion began, we launched a counterattack" (seven minutes read)


    In an interview, Ukrainian Digital Minister Mykhailo Fedorov explains how his country uses the Internet for digital warfare.

  • »Facebook must delete copies of infringing comments« (five minutes reading time)


    Last week, the Frankfurt Regional Court made a possibly groundbreaking judgment in the matter of hate speech and defamation on the Internet.

    Green politician Renate Künast was able to get Facebook to delete copies of hurtful comments.

External links: three tips from other media

  • "How an Entire Nation Became Russia's Test Lab for Cyberwar" (English, forty-five minutes read)


    The above-mentioned journalist Andy Greenberg writes for Wired in a comprehensive report on the hunt for the hacker group "Sandworm".

  • "Authorities are making millions with confiscated cryptocurrencies" (eleven minutes reading time)


    "Hodln" or sell?: Not only Bitcoin enthusiasts have been regularly faced with the question of whether to hold or sell digital money in the event of price fluctuations in recent years.

    German authorities, who confiscated money in cryptocurrencies after cybercrime investigations, are also faced with this question, as "Netzpolitik" reports.

  • »T-Mobile Secretly Bought Its Customer Data from Hackers to Stop Leak. It Failed.« (One hour video)


    The US subsidiary of Deutsche Telekom shows how to react suboptimally to hacking attacks.

    According to this research by »Motherboard« reporter Joseph Cox, after personal customer data was stolen, the company apparently hired a company to buy the data back – and failed.

Have a good week.

Max Hoppenstedt

Source: spiegel
