The Kremlin-controlled hacker group Sandworm has targeted nearly 20 energy facilities in Ukraine this spring, possibly to amplify the impact of intense Russian missile and drone strikes on critical infrastructure.

According to a report released last week by Ukraine’s computer emergency response team (CERT-UA), hackers deployed several new and previously known malware variants to infect energy, water, and heating suppliers in 10 regions of the country in March. The agency said they have confirmed the compromise of at least three "supply chains" by hackers. 

CERT-UA’s report came days after Google-owned security firm Mandiant released an analysis of Sandworm’s latest operations and tactics, finally designating the group as an advanced persistent threat actor — APT44.

Also known as BlackEnergy and Seashell Blizzard, Sandworm has been attributed to a unit within Russia’s Main Intelligence Directorate (GRU). It is responsible for cyberespionage, destructive operations, and influence campaigns in Ukraine and around the world, including North America, Europe, the Middle East, Central Asia and Latin America.

During the latest attacks on Ukrainian critical infrastructure, the group used a little-known backdoor known as Kapeka, which was detected in 2022. According to a recent report by Finnish cybersecurity company WithSecure, Kapeka was likely used by Sandworm-affiliated hackers in late 2022 to deploy Prestige ransomware in a series of attacks targeting the transportation and logistics sectors in Ukraine and Poland.

CERT-UA also identified new Linux-based variants of Kapeka developed by Sandworm — Loadgrip and Biasboat. They were installed on Ukrainian Linux devices designed to automate technological processes in critical facilities, researchers said.

On computers running the Windows operating system, the attackers also deployed Gossipflow malware, previously used by Sandworm during destructive attacks on water supply facilities in Ukraine.

Among the factors that led to these attacks, according to researchers, was a lack of isolation of servers from the suppliers’ software and the systems of the attacked organizations.

CERT-UA cited negligent software security practices on the part of suppliers as a possible reason.

Missile strikes vs cyberattacks

The latest cyberattacks by Sandworm on Ukrainian energy facilities coincided with massive Russian missile strikes on the country's critical infrastructure. In April, Ukraine Minister of Energy Herman Galushchenko said the country's energy system is experiencing "the largest attacks by Russia" and that their impact is much greater than in previous years.

According to Galushchenko, up to 80% of the country's thermal generation, half of its hydrogeneration, and a large number of substations were under attack.

Ukraine was forced to introduce scheduled power outages that lasted several hours a day last year following Russian attacks on critical infrastructure.

Ukrainian state officials previously said that Russia is coordinating its missile strikes with cyberattacks, including when targeting energy facilities. According to Mandiant’s report last week, Sandworm in particular has coordinated the timing of its cyberattacks with conventional military activity, such as kinetic strikes or other forms of sabotage.

However, considering a trend highlighted by Mandiant of Sandworm shifting from destructive attacks to intelligence gathering, it is possible that its latest cyberattacks on Ukrainian energy systems were not intended to cause a blackout in the country but to gather intelligence.

Serhii Prokopenko, who oversees operational activities at Ukraine’s National Cyber Security Coordination Center (NCSCC), told Recorded Future News in an interview earlier this month that one possible reason for such attacks is to collect information that will help the Kremlin assess the damage caused by Russian missile strikes on Ukrainian critical infrastructure. 

Propokenko’s remarks preceded the release of CERT-UA’s report and he didn’t identify a specific threat actor targeting critical infrastructure, though he specified most are affiliated with the GRU.

When hackers are inside the victim’s system, they can determine when the facility was hit and analyze reports, according to Prokopenko.

“Evaluating the consequences of the attacks is important for Russia because it could help them decide whether to strike the same target again," he added.