It’s not every day that someone turns off the electricity for more than half a million people, and that the attack starts with an email. In fact, it had never happened until last month, when hackers tricked employees of Ukrainian power distribution utilities into giving them access to industrial control systems, the equivalent of the switches that regulate the flow of electricity from substations to customers. Now the evidence increasingly points to Sandworm, a known hacking group believed to work on behalf of the Russian government, as the suspects holding the smoking gun.

Ukrainians in the 700,000 homes that lost electricity for hours on Dec. 23 could not have known their blackout may have been the first ever caused by malicious software. BlackEnergy, a known malware family and a Sandworm favorite, was found on the utilities’ infected systems. Sandworm has previously targeted industrial control systems in Ukraine and the U.S., as well as NATO, and has been identified as the likeliest perpetrator in this case.

"We believe that Sandworm was responsible," iSIGHT's director of espionage analysis, John Hultquist, told Reuters. "It is a Russian actor operating with alignment to the interest of the state. Whether or not it's freelance, we don't know."

An iSIGHT representative previously told International Business Times Sandworm was suspected from the start.

Many details are still unknown. The investigation into exactly what caused the outage involves the U.S. National Security Agency, CIA and Department of Homeland Security and is expected to last for months. If the probe continues on its current path, multiple sources suggested to International Business Times, the results could be enough to leave world leaders including President Barack Obama and Russian President Vladimir Putin no choice but to publicly address the findings.

Crimeware as a Military Weapon

The strongest evidence tying Sandworm to the breach is the use of BlackEnergy. It first appeared in 2007 as a simple crimeware tool used to launch distributed denial-of-service attacks and, later, to steal banking credentials. A victim would open an email that appeared to come from a trusted source (a friend or a bank, for instance) and either type a username and password into a fake login page or open an infected attachment, giving the attackers control of the machine.

That changed a few years later, when BlackEnergy went from a tool used by ordinary online thieves to an engine of international espionage. (Sandworm also goes by other names, including the BlackEnergy group.)

“In 2013 or 2014, Russian-based actors took components from the BlackEnergy malware and co-opted it into a government tool,” said Robert M. Lee, a former U.S. military cyberwarfare officer and the founder of Dragos Security, who has been involved in the Ukraine investigation. Those Russian-based actors were later dubbed Sandworm, and they launched at least two variants of BlackEnergy at U.S. energy and infrastructure companies. The U.S. government and private sector have not revealed which American companies were impacted, or how. 

In this case, researchers know that a strain of BlackEnergy was used to gain a foothold on the Ukrainian utilities’ ICS networks, and that one of its components was used to wipe evidence after the attack. Exactly what caused the blackout itself remains unclear.

“It’s entirely speculation right now but the leading theory, and what we’re finding in our research, is that an adversary used BlackEnergy to get on the system, then did the impact and then used one of the components of BlackEnergy to clean up after themselves,” Lee said. “The entire community is still missing what the impact-causing component was. I am confident, though, that there’s a lot of technical evidence that key government agencies have, whether they be in the U.S. or Ukraine. We’ll see this analysis evolve over the next couple weeks.”

Sandworm's Beginnings 

The name Sandworm comes from Frank Herbert’s science-fiction novel “Dune,” first published in 1965, whose giant desert-dwelling sandworms are worshipped as gods by the people of the planet Arrakis. The researchers who named the group found a number of “Dune” references hidden in the servers and URLs the hackers used to control their BlackEnergy infections.

The group began operating no later than 2010, though it may have been active earlier, and has carried out a limited number of attacks, almost all of them against government, NATO and critical infrastructure targets, many connected to the conflict in Ukraine.

Using BlackEnergy, Sandworm targeted industrial control software from General Electric (Cimplicity), Siemens (WinCC) and Advantech/Broadwin (WebAccess) going back to at least 2011, the Department of Homeland Security warned in 2014. All three are human-machine interface products, and the alert noted that the malware had been found on HMIs exposed directly to the Internet, meaning any of the thousands of companies running those products that way may have been infected.

Before that, Sandworm was blamed for exploiting a zero-day vulnerability (a flaw unknown to the vendor and to defenders, so no patch exists when it is first used) in the Windows OLE packager, tracked as CVE-2014-4114, which affected every supported Windows release from Vista and Server 2008 through Windows 8.1 and Server 2012. In that case, hackers sent malicious PowerPoint files to specific email accounts belonging to NATO officials, Ukrainian academics working with the U.S. and other figures working on Ukraine’s behalf during the conflict with Russia.

Moscow Complicity Would Set a Precedent 

Because BlackEnergy began life as a crimeware tool, it’s possible that cybercriminals, not state-sponsored hackers, were behind these incidents. BlackEnergy is still available on underground hacking forums, after all. But Jonathan Wrolstad, a senior threat intelligence analyst at FireEye, said the company “never” sees BlackEnergy used in profit-motivated attacks anymore, though such use was more common in the past.

“I think it’s very consistent with state sponsorship,” he said. “The espionage is highly targeted, and against very specific entities. The ICS targeting is consistent with what some nations around the world do with their cyberwarfare programs, meaning there is a nation state purpose for deploying such malware whereas there really isn’t for cybercriminals.”

Sandworm isn’t known to operate in conjunction with either of the two most notorious Russian state-sponsored groups, APT28 and APT29. Operations attributed to APT28, also known as Pawn Storm and the Sofacy group, show a group primarily concerned with events in Ukraine. Research on the group has suggested it employs hundreds of people, from hackers and malware developers to linguists and administrators, to carry out major international operations.

Sandworm works toward similar goals, though any guess at its size is speculation. The fact that BlackEnergy circulates among multiple actors makes that task even more difficult.

“Hundreds of people certainly doesn’t sound impossible,” Artturi Lehtiö, an F-Secure researcher specializing in Russian threats, said via email. It’s possible “only a few people are involved in the actual hacking and they then pass on or simply sell the gathered intelligence to someone else. That someone may then possess the resources to actually analyze the intelligence or they may in turn broker the intelligence onwards until it eventually reaches someone who is able to benefit from it.”

Even in the highly technical world of cybersecurity, where analysts spend months examining various strains of malware and issuing regular status briefs, assigning blame often comes down to one question: Who would gain from this?

Cyberweapons were first developed by world powers so that their digital forces could attack and spy on each other while maintaining plausible deniability. The joint U.S.-Israeli operation known as Stuxnet, which physically damaged centrifuges at an Iranian nuclear enrichment facility, would likely have been treated as an act of war had the same damage been done with conventional weapons.


The first-ever hack to black out a civilian power grid would make it clear that countries are now intent on doing more than sending a message. It could mean that destructive cyberattacks with physical effects are no longer off-limits.

“I doubt that it will usher in an era in which other countries begin to make widespread use of malicious code to produce electrical outages,” said Patrik Maldre, a cyber policy research fellow at the International Centre for Defence and Security, “but it could show that cyberthreat actors with connections to Russia are willing to do so.”

Should the U.S. Be Worried?

Sandworm has focused almost exclusively on Ukrainian entities, including Prime Minister Arseniy Yatsenyuk and Kiev mayor Vitali Klitschko, but is also suspected in a breach at a Polish energy firm and in attacks on NATO targets. It’s conceivable the group would also deploy BlackEnergy against American politicians involved in the Ukrainian dispute, or against U.S. companies that serve Ukrainian critical infrastructure.

In that event, it’s likely American targets would be unprepared. Russian hackers, though not Sandworm, are known to have infiltrated the White House’s unclassified networks, State Department email and the Nasdaq stock exchange. Private companies have fared even worse against other advanced persistent threats (just ask Sony or the health insurer Anthem). Attacks that use zero-day flaws are especially hard to stop because the target doesn’t know the flaw exists, though how much damage an intruder can do afterward still depends on how well the network is segmented and monitored.

That hasn’t stopped the U.S. from trying. The Department of Homeland Security issues regular updates on the threat landscape to the private sector through the U.S. Computer Emergency Readiness Team and its industrial-control counterpart, ICS-CERT (the group that warned control-system operators and vendors about BlackEnergy in 2014, three years after the first known infections). There’s also the SANS Institute, which trains security practitioners in government and industry.

“The best way to avoid the kind of spearphishing attacks like the one that hit Ukraine is to remove human error as much as possible,” said Rohyt Belani, CEO of PhishMe, citing research that shows over 90 percent of all attacks begin with a phishing attempt. “Hackers are no smarter than you and me, they just know where to look.”
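Belani’s point about taking the human out of the loop, and the spearphishing mechanism described earlier in the article (a message that looks like it comes from a trusted colleague and carries an infected attachment), can be turned into a gateway check that runs before anyone opens the mail. The following is an added example, not code from the article, from PhishMe or from any of the investigators quoted. It assumes a hypothetical utility mail domain, example-energy.ua, and runs against two constructed messages using only Python’s standard library.

```python
"""Spearphishing triage for inbound mail (added example, not from the article).
Hypothetical assumptions: the defended utility's domain is example-energy.ua
and messages arrive as RFC 5322 text. The checks are static ones a gateway
can run before a human sees the message."""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-energy.ua"  # hypothetical defended domain
EXEC_EXT = {"exe", "scr", "js", "jse", "vbs", "hta", "bat", "cmd", "ps1", "jar", "lnk"}
MACRO_EXT = {"doc", "xls", "ppt", "docm", "xlsm", "pptm", "dotm", "xltm"}


def edit_distance(a, b):
    """Levenshtein distance; catches lookalike domains such as 'rn' for 'm'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_findings(msg):
    """Sender-side anomalies: lookalike domain, spoofed display name, Reply-To hijack."""
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if domain != INTERNAL_DOMAIN:
        if 0 < edit_distance(domain, INTERNAL_DOMAIN) <= 2:
            findings.append(f"lookalike sender domain: {domain}")
        if INTERNAL_DOMAIN in name.lower() or "@" in name:
            findings.append(f"display name impersonates an internal address: {name!r}")
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append(f"Reply-To redirects to another domain: {reply_to}")
    return findings


def attachment_findings(msg):
    """Attachments that execute directly or can carry macros, judged by extension."""
    findings = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        pieces = fname.split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext in EXEC_EXT:
            findings.append(f"executable attachment: {fname}")
        elif ext in MACRO_EXT:
            findings.append(f"macro-capable Office attachment: {fname}")
    return findings


def triage(raw):
    """Sender and attachment findings for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {"sender": sender_findings(msg), "attachment": attachment_findings(msg)}


def is_suspicious(raw):
    """Hold for review when a sender anomaly coincides with a code-carrying
    attachment, or when an executable arrives regardless of sender."""
    t = triage(raw)
    return any(f.startswith("executable") for f in t["attachment"]) or bool(t["sender"] and t["attachment"])


# Constructed sample messages, not real mail: a lookalike-domain phish with a
# macro workbook, and an ordinary internal message with a PDF.
PHISH = """\
From: "oleg.dispatch@example-energy.ua" <oleg.dispatch@exarnple-energy.ua>
Reply-To: <oleg.dispatch.reports@mail.invalid>
To: operator@example-energy.ua
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached schedule and enable content to view it.
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12
Content-Disposition: attachment; filename="Outage_schedule.xlsm"

PK-placeholder-bytes
--b1--
"""

BENIGN = """\
From: "Oleg Dispatch" <oleg.dispatch@example-energy.ua>
To: operator@example-energy.ua
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Handover notes attached.
--b2
Content-Type: application/pdf
Content-Disposition: attachment; filename="handover.pdf"

%PDF-placeholder
--b2--
"""
```

The interesting part is the combination rule in is_suspicious rather than any single check: a macro-enabled spreadsheet from a genuine colleague is routine at a utility, but the same file from a domain two characters away from the real one, with replies routed elsewhere, is exactly the pattern the article describes. Extension checks are evadable (archives, renamed files, links instead of attachments), so this belongs in front of macro analysis and detonation, not in place of them.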