Destructive payload unleashed on 10-year anniversary of Russia’s attack on Ukraine’s grid.
Credit:
Getty Images
Researchers on Friday said that Poland’s electric grid was targeted by wiper malware, likely unleashed by Russia state hackers, in an attempt to disrupt electricity delivery operations.
A cyberattack, Reuters reported, occurred during the last week of December. The news organization said it was aimed at disrupting communications between renewable installations and the power distribution operators but failed for reasons not explained.
Wipers R Us
On Friday, security firm ESET said the malware responsible was a wiper, a type of malware that permanently erases code and data stored on servers with the goal of destroying operations completely. After studying the tactics, techniques, and procedures (TTPs) used in the attack, company researchers said the wiper was likely the work of a Russian government hacker group tracked under the name Sandworm.
“Based on our analysis of the malware and associated TTPs, we attribute the attack to the Russia-aligned Sandworm APT with medium confidence due to a strong overlap with numerous previous Sandworm wiper activity we analyzed,” said ESET researchers. “We’re not aware of any successful disruption occurring as a result of this attack.”
Sandworm has a long history of destructive attacks waged on behalf of the Kremlin and aimed at adversaries. Most notable was one in Ukraine in December 2015. It left roughly 230,000 people without electricity for about six hours during one of the coldest months of the year. The hackers used general purpose malware known as BlackEnergy to penetrate power companies’ supervisory control and data acquisition systems and, from there, activate legitimate functionality to stop electricity distribution. The incident was the first known malware-facilitated blackout.
ESET said the attack targeting Poland occurred on the 10th anniversary of that event. The security firm provided few other details about the attack other than the malware used has been dubbed DynoWiper.
Custom Wipers have long been a preferred tool for Russian hackers. In 2022, government attackers used wiper malware dubbed AcidRain to knock out 270,000 satellite modems in Ukraine in an attempt to disrupt communications. At the time, it was the seventh wiper Russia had used against since invading the neighboring country. ESET said last year that Sandworm had unleashed multiple wipers on universities and critical infrastructure in Ukraine.
The best known case of Russia’s use of wipers came in 2017 with the release of NotPetya. The destructive worm was intended to target only Ukraine, but quickly spread around the world and wreaked havoc as it disrupted computer operations. The event is estimated to have cost governments and businesses $10 billion, making it likely the most expensive computer intrusion in history.
There is no indication how or why DynoWiper failed to take out power. It’s possible Russia planned it to do so in an attempt to send a message without provoking Polish allies. Another possibility is that cyber defenses prevented the wiper from working as intended.
