As a mysterious power outage hit neighborhoods just north of Kiev last week in what’s believed to be a sophisticated cyberattack, hackers were also simultaneously breaking into Ukrainian political organizations and financial institutions, John Hultquist, iSight’s director of espionage analysis, told CyberScoop based on digital forensic evidence.
The hackers were using unique tools previously linked to a pro-Russian group dubbed “Sandworm,” capable of quickly deleting mass quantities of data, Hultquist said.
While iSight has yet to uncover evidence that Sandworm is directly connected to last week’s power outage — when a unique hardware failure caused power substations in Ukraine to malfunction — a resurgence of the group’s macros and tools in other, geographically similar cyberattacks has raised flags at the private security firm. Sandworm appears to have ties to Russian intelligence, Hultquist said.
Between January and November 2016, Sandworm largely fell off the radar, said iSight analyst Sean McBride. Known indicators of the group’s activities were not setting off alarms, leading intelligence experts to estimate that the group had either drastically changed its tactics, tools and procedures or was simply less busy. While details remain scarce, the past six weeks clearly show a shift in related behavior.
The last flurry of similar activity came one year ago, in December 2015, amid an escalating conflict between Ukraine and Russia on the country’s eastern front. The analysts at iSight determined that Sandworm had hacked into three separate Ukrainian power companies, causing 80,000 customers to lose power for about six hours. That incident prompted the U.S. Homeland Security Department to send American investigators to the scene.
Beyond Ukraine, the clandestine hacking group is also believed to have been involved in expansive espionage campaigns that target geopolitical rivals of the Kremlin. In one particular case, a computer virus attributed to Sandworm — named Black Energy — infected a U.S.-based industrial control system, Reuters reported.
A spokesperson for the Department of Homeland Security declined to comment on last week’s suspicious power outage in Ukraine.
“While we cannot confirm the details of this case, the U.S. Government would view any malicious cyber activities that impaired the use of critical infrastructure particularly seriously, as it would potentially place the public at risk of physical harm,” a State Department official said.
Repeated attempts to contact the affected Ukrainian energy company Ukrenergo went unanswered. Ukrenergo acting director Vsevolod Kovalchuk told DefenseOne he was “99 percent” certain that a deliberate cyberattack caused the most recent blackout.