As Russia’s ground war stalls, hackers attempted to cause a blackout for two million people.

Russian hackers targeted the Ukrainian power grid and attempted to cause a blackout that would have hit 2 million people, according to Ukrainian government officials and the Slovakian cybersecurity firm ESET.

The hackers attempted to destroy computers at a Ukrainian energy company using a wiper, malware specifically designed to destroy targeted systems by erasing key data and rendering them useless. 

The impact remains unclear. Ukrainian officials say they thwarted the attack, which they say was intended to support Russian military operations in eastern Ukraine. If successful, the hack would have caused the biggest cyber-induced blackout ever.

But according to a Ukrainian government document that was shared with international partners in recent weeks, Russian hackers did recently break into a Ukrainian power company and temporarily shut down nine electric substations. The document, which has not been made public, was shared with MIT Technology Review. Ukrainian officials have not responded to a request for comment and have not confirmed whether the two events are linked.

The nation is pushing to rapidly integrate its grid with the European Union, to keep electricity flowing if other major plants are taken down.

The document, which was written by the state-run Ukrainian Computer Emergency Response Team (CERT), describes “at least two successful attack attempts,” one of which began on March 19, just days after Ukraine joined Europe’s power grid in a bid to end dependence on Russia.

After publication, Victor Zhora, Ukraine’s deputy head of the State Special Service for Digital Development, described the private report as “preliminary” to Wired and called it a “mistake.”

Whether they were successful or not, the cyberattacks on the Ukrainian power grid represent a dangerous continuation in Russia’s aggression against Ukraine through a hacking group known as Sandworm, which the United States has identified as Unit 74455 of Russia’s military intelligence agency.

Hackers believed to be working for Russian intelligence previously disrupted the power system in Ukraine in both 2015 and 2016. While the 2015 attack was largely manual, the 2016 incident was an automated attack carried out using malware known as Industroyer. The malware that investigators found in the 2022 attacks has been dubbed Industroyer2 for its similarity. 

“We are dealing with an opponent who has been drilling us for eight years in cyberspace,” Zhora told reporters on Tuesday. “The fact that we were able to prevent it shows that we are stronger and more prepared [than last time].”

Analysts at ESET dissected the code of Industroyer2 to map its capabilities and goals. The hackers tried not only to turn off the power but to destroy computers that the Ukrainians use to control their grid. That would have cut off the ability to bring power back online swiftly using the power company’s computers.

In previous cyberattacks, Ukrainians were able to quickly regain control within hours by reverting to manual operations, but the war has made that extremely difficult. It’s not as easy to send a truck out to a substation when enemy tanks and soldiers could be nearby and the computers have been sabotaged.  

“When they are openly waging a war against our country, pummeling Ukrainian hospitals and schools, it doesn’t make sense to hide,” Zhora said. “Once you hit Ukrainian houses with rockets, there is no need to hide.”

Given Moscow’s successful track record of aggressive cyberattacks against Ukraine and around the world, experts have been anticipating that the country’s hackers would show up and cause damage. United States officials have spent months warning about escalation from Russia as it struggles in the ground war with Ukraine. 

During the course of the war, Ukraine and the United States have both blamed Russian hackers for using multiple wipers. Financial and government systems have been hit. Kyiv has also been the target of denial of service attacks, which have rendered government websites useless at key moments.

However, the Industroyer2 attack marks the most serious known cyberattack in the war so far. Ukrainian cybersecurity officials are working with Microsoft and ESET to investigate and respond.

It is one of only a handful of incidents publicly known in which government-backed hackers have targeted industrial systems.

The first came to light in 2010, when it was revealed that malware known as Stuxnet had been crafted—reportedly by the United States and Israel—to sabotage Iran’s nuclear program.  Russia-backed hackers have also reportedly launched multiple such campaigns against industrial targets in Ukraine, the United States, and Saudi Arabia.

The article was updated to note that a Ukrainian official described the earlier UA-CERT report as "preliminary" and a "mistake."

Open-source code runs on every computer on the planet—and keeps America’s critical infrastructure going. DARPA is worried about how well it can be trusted

The arrests of several top semiconductor fund executives could force the government to rethink how it invests in the sector.

But even if NSO Group is no more, there are plenty of rivals who will rush in to take its place. And the same old problems haven’t gone away.

Companies are pushing more server farms into the hearts of population centers.

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.

Our in-depth reporting reveals what’s going on now to prepare you for what’s coming next.

Subscribe to support our journalism.