Russian Cyberattack against Ukrainian Power Grid Prevented

A Russian cyberweapon, similar to the one used in 2016, was detected and removed before it could be used.

Key points:

  • ESET researchers collaborated with CERT-UA to analyze the attack against the Ukrainian energy company
  • The destructive actions were scheduled for 2022-04-08 but artifacts suggest that the attack had been planned for at least two weeks
  • The attack used ICS-capable malware and regular disk wipers for Windows, Linux and Solaris operating systems
  • We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine
  • We assess with high confidence that the APT group Sandworm is responsible for this new attack

News article.

EDITED TO ADD: Better news coverage from Wired.

Posted on April 13, 2022 at 6:32 AM12 Comments


j April 13, 2022 7:28 AM

Ho Hum….

Aren’t connected computers wonderful.

How about a read only image on a different web machine.


Winter April 13, 2022 8:16 AM

“Aren’t connected computers wonderful.”

Taking the power grids offline (sounds odd, doesn’t it) is less easy than it sounds. However, work is being done to get on with it.

One thing we should remember is that power grids now are very efficient with power generators all over, e.g., Europe responding to demand an supply of power from anywhere. Such intelligent management of power requires communication. Just taking away the internet will not cut it.

Preventing a Blackout by Taking the Power Grid Offline

Ted April 13, 2022 9:47 AM

Amazing that the attack was prevented. I wonder if it was any more detectable because Industroyer2 had similar source code to the original Industroyer malware used in the Ukrainian electric grid attack in 2016.

I have to wonder how careful Russia is trying to be here, if at all, to prevent the spread of malware. They didn’t seem to have the Chornobyl situation well-choreographed. NotPetya was a mess. Maybe the industrial control systems are more specialized targets? These excerpts are from ESET:

Thus, attackers need to recompile Industroyer2 for each new victim or environment…

Once it finds a reachable SSH server, it tries credentials from a list provided with the malicious script.

Do these cyberweapons become less useful once they’ve been discovered and analyzed?

Clive Robinson April 13, 2022 12:32 PM

@ Ted,

Do these cyberweapons become less useful once they’ve been discovered and analyzed?

Do not think of them as cyber-weapons, in fact do not think of them as weapons, because they are not.

All they are is,

1, A list of instructions.
2, A delivery mechaniam, which is also a list of instructions.

Once the lists of instructions become known they become vulnerable at some point.

So they have a very very short life time.

Probably too short for anything other than an “out of the blue” illegal first strike…

I suspect one of the lessons to come out of the Russian Attack on the Ukraine is a reassesment of the worth of cyber-weapons, followed by,

1, A toughening of infrastructure.
2, An increase in communications security.
3, A down wards reassesment of military usage of cyber-weapons.

Remember if your enemy can not see your systems then they can not directly send their lists of instructions to them.

A logical series of security events and mitigations follow that reasoning.

JMN April 13, 2022 1:53 PM

What a load of crap… why would the Russians need a malware to down Ukraine’s grid as they could do it kinetically and they chose not to since 49 days now…

I’d like to remind you that at the hottest point of this war, Marioupol, the Ukrainians soldiers and foreign volunteers can still make international phone calls. And now we’re supposed to believe the Russians want to down the grid with a malware? Come on!

The Ukrainian disinformation is tuned to 11 and the medias drink it all up (I’m not saying the Russians don’t lie here, just that 90% of Ukrainians claims are outlandish).

Ted April 13, 2022 3:17 PM


I suspect one of the lessons to come out of the Russian Attack on the Ukraine is a reassesment of the worth of cyber-weapons

Good thought. Yes, China seems to have put “cyberweapons” to a more effective use – the long-term, furtive acquisition of intellectual property.

Russia’s tolerance of ransomware and their cyber attacks on critical infrastructure seem less fruitful in comparison. Maybe they had some short-term success with disinformation campaigns. Still, I think their playbook could use a few extra pages.

RealFakeNews April 13, 2022 4:34 PM

I call BS. It would be the first “serious” cyber attack to have been stopped before it started.

I doubt it even happened, and is just more pro-Ukrainian propaganda.

I’m surprised Bruce even posts this stuff.

Ted April 13, 2022 5:23 PM


It would be the first “serious” cyber attack to have been stopped before it started.

Would it now? Someone’d better redo the Cybersecurity Framework and change “Identify, Protect, Detect, Respond, and Recover” to just “Recover.” 😉

If you’re interested in the detailed discovery of this group and their prior attacks, you might enjoy the book Sandworm.

Ismar April 13, 2022 10:21 PM

Cyber attacks can still be preferable to the kinetic ones due to
1. Less cost per power station (grid) taken out
2. Harder attributions
3. Less collateral damage- not that the Russian Army seem to care much about this one
4. Easier to re-enable the grid later if the same goes under Russian control (resetting software systems easier then physically rebuilding the grid )

Gert-Jan Strik April 14, 2022 5:54 AM


It would be the first “serious” cyber attack to have been stopped before it started.

Let’s start by saying, that you can’t prove a negative. If some cyber defence effectively stops a cyber attack, then the attacker is not going to tell you that.

Now let’s take a step back. Let’s imagine. If Putin had a button that he could use to disable (and later re-enable) the Ukranian power grid, without any collateral damage. Would he use it? If your answer is “NO”, then you can stop reading.

Next, look at the reality. Has the power grid been blacked out as a result of cyber operations? Not as far as I’ve heard.

I’ll leave it up to you to theorize why this hasn’t happened.

AlexT April 15, 2022 6:15 AM

Regardless of what actually happened here I find it interresting that the cyber aspect of this conflict has apparently remained fairly tame.

Clive Robinson April 15, 2022 9:04 AM

@ AlexT, ALL,

I find it interresting that the cyber aspect of this conflict has apparently remained fairly tame.

In part it is due to,

“Forewarned is forearmed”

And that cyber-weapons have a series of major failings.

In essence a cyber weapon is two lists of instructions,

1, The vunarability exploit.
2, The payload functionality.

Those instruction lists are ephemeral and have no agency, or physicality.

That is unless the machines being attacked read in and follow the instructions, they have no weapons capability, just at best a nusance capability.

One of the things that had annoyed me for years about cyber warfare is this rather daft “offense is everything” attitude. It’s actually the wrong way around, defence is everything.

Because as an attacker,

1, If they can not code up a vulnarability list of instructions, they have nothing.

2, If they can not get the vulnarability list of instructions to your computers, they have nothing.

3, If your computers reject the attackers vulnerability list of instructions, they have nothing.

The same applies to the payload list of instructions.

Cyber-weapons are actually unbelievably fragile and have so many hurdles to cross that they should not be able to get to a computer and be executed.

The reason they do is a compleate failing of an entire industry…

That of the “Software Industry”. Cyber warfare is only possible due to their gross failings…

See things for what they are not as others want you to think they are. Then plan and mitigate accordingly.

Unfortunately, due to the behaviours of the software industry, not only do you have to defend against external attackers, but internal workers as well who represent the biggest problem of all currently “insider threats” many of whom are “senior managers”.

Unfortunately the “insider threat” problem makes the Aegean Stables look like a minor sanitation job you might call “Quicky-Fix” to send a lad and a van around to fix, not a half God Hero.

I could go on to point out that the bulk of the “insider threat” is almost entierly due to neo-con mantras, and free-market thinking which it undoubtedly is, but to many have been inducted into that cult that their level of cognative bias is close to unassailable. I had hoped that Covid would help them put two and two together and come up with a sensible result… But apparently not, most have just leaped back into the comfort of the downward spiral of following those neo-con mantras…

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.