Accessibility links

Breaking News

Russian Hacker Sandworm Blamed For Ukraine Power Outage

Experts have identified the Russian hacker group Sandworm as the likely culprit for causing a power outage in Ukraine in December.
Experts have identified the Russian hacker group Sandworm as the likely culprit for causing a power outage in Ukraine in December.

U.S. cyberintelligence firm iSight Partners said it is certain that a Russian hacking group known as Sandworm caused last month's unprecedented power outage in Ukraine.

"We believe that Sandworm was responsible," iSight's director of espionage analysis, John Hultquist, told Reuters.

ISight and other cybersecurity companies had been leaning toward blaming Sandworm, a nebulous, Moscow-based hacking group that has been strategically aligned with the Russian government, because of the Ukraine hackers' use of BlackEnergy malware associated with Sandworm.

U.S. security agencies have suspected that Russia was behind the Ukraine power outage as well as similar attacks in the United States and Europe, but have not publicly named any culprits to date.

Ukraine's state security service has blamed Russia for the blackout affecting 80,000 customers in western Ukraine on December 23.

ISight came to the conclusion it was Sandworm based on its analysis of BlackEnergy 3 and KillDisk malware used in the attack, and intelligence from "sensitive sources," Hultquist told Reuters.

Hultquist said it is not clear whether Sandworm is working directly for the Russian government. The group is named Sandworm because its malware is embedded with references to the "Dune" science-fiction series.

"It is a Russian actor operating with alignment to the interest of the state," Hultquist said. "Whether or not it's freelance, we don't know."

To date, Sandworm has primarily engaged in espionage, including a string of attacks in the United States using BlackEnergy that prompted a December 2014 alert from the Department of Homeland Security, according to iSight.

That alert said a sophisticated malware campaign had compromised some U.S. industrial control systems.

While no outages or physical destruction was reported as a result of those attacks in the United States and similar ones in Europe, some experts said that may be simply because the attackers did not want to go that far.

ISight said the earlier attacks outside Ukraine may have been experimental in nature.

“ISight believes the activity is Russian in origin and the intrusions they carried out against U.S. and European SCADA systems were reconnaissance for attack,” an iSight spokesperson told Infosecurity Magazine.

"It's not a major stretch to conclude the difference in the outcomes of the attacks in the Ukraine versus those in the U.S. were an issue of intent, not capability," Eric Cornelius, managing director of cybersecurity firm Cylance Inc. and a former U.S. homeland security official responsible for securing critical infrastructure, told Reuters.

ISight said Sandworm has been staging attacks against Ukrainian officials and media for some time. During Ukrainian elections last fall, for example, Sandworm's "malware of choice," BlackEnergy, was allegedly used in destructive attacks against Ukrainian media.

With reporting by Reuters, Daily Beast, and Infosecurity Magazine
  • 16x9 Image


    RFE/RL journalists report the news in 27 languages in 23 countries where a free press is banned by the government or not fully established. We provide what many people cannot get locally: uncensored news, responsible discussion, and open debate.

RFE/RL has been declared an "undesirable organization" by the Russian government.

If you are in Russia or the Russia-controlled parts of Ukraine and hold a Russian passport or are a stateless person residing permanently in Russia or the Russia-controlled parts of Ukraine, please note that you could face fines or imprisonment for sharing, liking, commenting on, or saving our content, or for contacting us.

To find out more, click here.