
Industroyer2 – Ukraine Grid Attack Attempt

April 2022

Coercive function: Sabotage
Peak: Disruption
Attribution: Confirmed
Sectors: Energy, Critical Infrastructure
Year
2022
Actor country
Russia
Target regions
Ukraine
Unpeace score
7

Executive Summary

Sandworm deployed Industroyer2, an updated variant of the 2016 Industroyer malware, against a Ukrainian regional energy company during Russia's ongoing invasion. The attack aimed to de-energize electrical substations using IEC 104 protocol commands. CERT-UA and ESET detected and neutralized the attack before it could cause a sustained outage, marking a successful wartime cyber defense.

Why This Matters

Industroyer2 confirmed that grid-targeting ICS malware is now a recurring feature of armed conflict, while its successful mitigation showed that coordinated cyber defense can work under wartime conditions.

Escalation Profile

7-Dimension Profile (chart; not reproduced in text)

Escalation Ladder: Probing, Intrusion, Disruption (peak reached), Degradation, Destruction, Strategic

Phases

2022-02
Intrusion

Pre-positioning in energy network

Sandworm established access to a Ukrainian energy company's OT network weeks before the planned attack.

2022-04-08
Disruption

Industroyer2 deployment attempt

Industroyer2, a standalone IEC 60870-5-104 (IEC 104) client with hard-coded target parameters, was configured to issue control commands to open breakers at the targeted substations; CaddyWiper was deployed on Windows IT systems to hinder recovery and forensics.
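The page describes Industroyer2 as issuing IEC 104 commands to open breakers. A defender's practical counterpart is a monitor that decodes IEC 104 traffic and alarms on control-direction commands from any host other than the legitimate SCADA master. The following is an added example written for this entry, not code from CERT-UA, ESET or the Industroyer2 sample: a minimal IEC 60870-5-104 APDU decoder that flags single/double command ASDUs (standard type IDs 45, 46, 58, 59). The frames, IP addresses and allowlist are constructed for the demonstration and do not reproduce Industroyer2's actual configuration.

```python
"""
Added example (not from the page, CERT-UA or ESET): decode IEC 60870-5-104
APDUs and flag breaker-style control commands from non-allowlisted hosts.
All frames, addresses and the allowlist below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

START_BYTE = 0x68

# Standard IEC 60870-5-101/104 type identifiers for control commands.
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    58: "C_SC_TA_1 single command (time-tagged)",
    59: "C_DC_TA_1 double command (time-tagged)",
}
COT_NAMES = {6: "activation", 7: "activation confirmation", 8: "deactivation"}


@dataclass
class ControlCommand:
    type_id: int
    common_address: int   # station (ASDU common) address
    ioa: int              # information object address of the controlled point
    action: str           # "ON", "OFF" or "undefined"
    select: bool          # True = select phase, False = execute phase
    cot: int              # cause of transmission


def parse_apdu(frame: bytes) -> Optional[ControlCommand]:
    """Return a ControlCommand for an I-format APDU carrying a control ASDU;
    None for S/U-format frames and for non-control ASDUs."""
    if len(frame) < 6 or frame[0] != START_BYTE:
        raise ValueError("not an IEC-104 APDU")
    if frame[1] != len(frame) - 2:          # length counts everything after byte 1
        raise ValueError("APDU length field mismatch")
    if frame[2] & 0x01:                     # bit0 set: S-format (01) or U-format (11)
        return None
    asdu = frame[6:]                        # skip 4-byte APCI control fields
    if len(asdu) < 6:
        raise ValueError("truncated ASDU header")
    type_id = asdu[0]
    if type_id not in CONTROL_TYPE_IDS:
        return None
    if len(asdu) < 10:
        raise ValueError("truncated information object")
    cot = asdu[2] & 0x3F                    # low 6 bits; bit6 P/N, bit7 test flag
    common_address = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    qualifier = asdu[9]                     # SCO (types 45/58) or DCO (types 46/59)
    select = bool(qualifier & 0x80)         # S/E bit: 1 = select, 0 = execute
    if type_id in (45, 58):
        action = "ON" if qualifier & 0x01 else "OFF"
    else:
        action = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "undefined")
    return ControlCommand(type_id, common_address, ioa, action, select, cot)


def inspect_flow(src_ip: str, frame: bytes, allowed_masters: set) -> Optional[str]:
    """Alert on any control command whose source is not an allowlisted master."""
    cmd = parse_apdu(frame)
    if cmd is None or src_ip in allowed_masters:
        return None
    phase = "select" if cmd.select else "execute"
    return (f"ALERT {src_ip}: {CONTROL_TYPE_IDS[cmd.type_id]} {cmd.action} "
            f"{phase} CA={cmd.common_address} IOA={cmd.ioa} "
            f"COT={COT_NAMES.get(cmd.cot, cmd.cot)}")


# Constructed frames: start byte, length, 4-byte APCI, then ASDU.
FRAME_DC_OFF_EXECUTE = bytes([0x68, 0x0E, 0x00, 0x00, 0x00, 0x00,
                              0x2E, 0x01, 0x06, 0x00, 0x01, 0x00,   # type 46, 1 object, COT 6, CA 1
                              0xE9, 0x03, 0x00, 0x01])              # IOA 1001, DCO: OFF, execute
FRAME_SC_ON_SELECT = bytes([0x68, 0x0E, 0x02, 0x00, 0x00, 0x00,
                            0x2D, 0x01, 0x06, 0x00, 0x02, 0x00,     # type 45, CA 2
                            0xD0, 0x07, 0x00, 0x81])                # IOA 2000, SCO: ON, select
FRAME_INTERROGATION = bytes([0x68, 0x0E, 0x04, 0x00, 0x00, 0x00,
                             0x64, 0x01, 0x06, 0x00, 0x01, 0x00,    # type 100 C_IC_NA_1 (not control)
                             0x00, 0x00, 0x00, 0x14])               # IOA 0, QOI 20
FRAME_S_FORMAT = bytes([0x68, 0x04, 0x01, 0x00, 0x02, 0x00])        # supervisory acknowledgement

ALLOWED_MASTERS = {"10.10.1.5"}     # assumed address of the legitimate SCADA master
CAPTURE = [                         # constructed (source IP, frame) pairs
    ("10.10.1.5", FRAME_INTERROGATION),
    ("10.10.1.5", FRAME_S_FORMAT),
    ("10.10.7.23", FRAME_DC_OFF_EXECUTE),   # unexpected host opening a breaker
    ("10.10.7.23", FRAME_SC_ON_SELECT),
]


def run_detection(capture=CAPTURE, allowed_masters=ALLOWED_MASTERS) -> list:
    """Run the allowlist check over a capture and return the alert strings."""
    return [a for a in (inspect_flow(ip, f, allowed_masters) for ip, f in capture) if a]


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

Only the first information object of each ASDU is decoded, which is enough for command traffic (commands normally carry one object); a production monitor would iterate over all objects, track the APCI sequence numbers, and also alarm on commands from an allowlisted master outside maintenance windows, since Industroyer2 ran on a compromised host inside the network.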

Threshold Crossings

  • First known use of purpose-built ICS malware during an active conventional war
  • Confirmed that Sandworm maintained and updated its grid-attack toolkit across six years

Restraint Factors

  • Attack was detected and mitigated before causing sustained outage
  • Narrower scope than the 2016 Industroyer attack

Attribution Assessment

Confirmed. Sandworm Team, attributed by Ukraine's CERT-UA and corroborated by ESET and allied governments to Russia's GRU.
Country: Russia
Aliases: Sandworm, Voodoo Bear, IRIDIUM
1. Technical

Threat actor mapped to Russia based on infrastructure analysis, malware attribution, and operational patterns.

Evidence: ESET: Industroyer2 — Sandworm Targets Ukraine's Power Grid Again

2. Political / Legal
Public Attribution
  • CERT-UA public disclosure with ESET technical analysis (Apr 2022)
  • Cited in allied governments' ongoing documentation of Russian cyber operations in Ukraine
  • Reinforced NATO and EU cyber assistance to Ukraine

Sources: CERT-UA Alert #4435: Industroyer2 and CaddyWiper

3. Open Source

No dedicated journalistic sources in dataset. See sources section for full references.

“Confirmed” reflects available public evidence. All assessments carry inherent uncertainty and should be read alongside the source material.

Unpeace Position

7

Unpeace Score

Composite severity rating on the peace–conflict spectrum, scale 0–100 (tick marks at 0, 30, 60 and 100), with bands labelled Stable, Contested and Escalatory.

Contributing Dimensions

Escalation peak: 3/6
Threshold crossings: 2/4
Governance flags: 3/8
Sectors affected: 2/6
Entanglement: 4/10
Country scope: 1/6

Coercive Function

Sabotage

Physical or functional disruption of systems — coercive value through demonstrating capability to cause real-world harm.

Observed coercive effects

  • First known use of purpose-built ICS malware during an active conventional war
  • Confirmed that Sandworm maintained and updated its grid-attack toolkit across six years

Entanglement Risk

Entanglement score: 4

Sectors affected

Energy, Critical Infrastructure

Countries / regions

Ukraine

Impact summary

Attack neutralized before sustained outage; demonstrated continued ICS threat capability during wartime.

Infrastructure Meaning

Malware / tooling

Industroyer2, CaddyWiper

Capability profile

Industroyer2: a standalone IEC 60870-5-104 (IEC 104) client with hard-coded target parameters, used to issue breaker-control commands to substation devices. CaddyWiper: a data wiper deployed on IT systems to hinder recovery and forensics. The attack was neutralized before a sustained outage but demonstrated continued ICS attack capability during wartime.

3 ATT&CK techniques mapped — see ATT&CK mapping below.

Governance Analysis

Governance Flags

Flag legend:
  • ! Norm Violation
  • A Public Attribution
  • S Sanctions Imposed
  • I Indictment
  • U UN Discussion
  • R Regulatory Change
  • C International Cooperation
  • D Deterrence Signal

Norms invoked

  • IHL prohibition on attacking civilian objects (electric grid serving civilians)
  • UN GGE 2015 norm against damaging critical infrastructure

Policy responses

  • CERT-UA public disclosure with ESET technical analysis (Apr 2022)
  • Cited in allied governments' ongoing documentation of Russian cyber operations in Ukraine
  • Reinforced NATO and EU cyber assistance to Ukraine

Regulatory changes

  • Strengthened international support for Ukrainian energy-sector cyber defense
  • Informed EU NIS2 Directive risk scenarios for energy operators

Governance impact assessment

Demonstrated both the persistent threat of ICS-targeted malware in armed conflict and the effectiveness of international cyber defense cooperation in neutralizing it.

Sources

ESET: Industroyer2 — Sandworm Targets Ukraine's Power Grid Again (Vendor Report, 2022-04-12)

CERT-UA Alert #4435: Industroyer2 and CaddyWiper (Government, 2022-04-12)

Sources listed reflect publicly available materials used to construct this case entry. Inclusion does not imply endorsement. Where no URL is provided, the source may be found via its title and date.