At 16:10 on Friday 8th April 2022, Russia attempted to repeat its 2016 cyberattack against the Ukrainian power grid – this time, however, the attempt was foiled.
Security firm ESET and the Ukrainian Computer Emergency Response Team, CERT-UA, report how they foiled an attack by the Russian Sandworm APT group, which attempted to deploy malware targeting Ukraine’s high-voltage electrical substations.
The malware, dubbed Industroyer2, was scheduled to execute at 16:10 on Friday 8th April, followed at 16:20 by the CaddyWiper data-erasing malware (to remove the evidence of the attack). Both operations, however, were prevented by Ukraine’s cyber defence team.
CaddyWiper was first spotted in Ukraine on 14th March, when it was deployed via a GPO update from the Windows Domain Controller of a major Ukrainian bank. This malware erases the partition and user data from storage drives attached to the system, rendering it inoperable and unrecoverable.
While Industroyer2 is targeted specifically at the industrial control systems that run Ukraine’s power grid, CaddyWiper is a more general tool.
The global NotPetya ransomware attack of 2017 started in Ukraine when the servers of Linkos, a small family-owned tax-software business, were compromised by hackers from the Russian military. They added their own malware to the Linkos software, which was then distributed to customers across Ukraine. The malware did nothing until June 27, 2017, when it was used to distribute what has become known as the most destructive cyber-attack in history.
Security managers should be alert to the risk of collateral damage from Russia releasing indiscriminate malware in its war with Ukraine.
The NCSC has further advice for UK organisations during times of heightened risk.