Sandworm Linked to Cyberattack That Disrupted Ukraine’s Power Grid
Ukrainian electric utilities suffered a coordinated cyberattack that caused power outages for civilians, marking one of the clearest cases of a cyber operation producing a real-world disruption of critical infrastructure. Reporting from iSIGHT Partners and SANS ICS assessed with high confidence that the outage was intentional and attributed the intrusion to Sandworm Team, citing the presence of BlackEnergy 3 malware in affected environments and the use of the destructive component KillDisk during the operation.
U.S. government industrial control system alerts later documented the incident as a cyberattack against Ukrainian critical infrastructure and tied it to a broader, ongoing malware campaign targeting ICS environments. The reporting said KillDisk may have been used less to trigger the outage than to hinder restoration and operator visibility after the attack, while flooding utility call centers with phone traffic likely complicated response efforts; the incident also fit Sandworm’s wider pattern of targeting Ukrainian entities, regional power organizations, and other government and media networks while showing sustained interest in SCADA and industrial control systems.

How this story unfolded
Eight events, listed from the most recent confirmed update back to the earliest known activity.
CISA republishes Update E on ongoing sophisticated ICS malware campaign
CISA republished Update E of its alert on an ongoing sophisticated malware campaign compromising industrial control systems, preserving related historical reporting in its archive. The referenced campaign provides context for Sandworm's earlier ICS-focused activity.
CISA republishes archived alert on Ukrainian critical infrastructure attack
CISA republished the historical incident response alert covering the cyberattack against Ukrainian critical infrastructure as part of its advisory archive. This was a republication of earlier government reporting rather than a new incident.
US-CERT publishes alert on cyberattack against Ukrainian critical infrastructure
US-CERT/CISA published an incident response alert documenting the cyberattack against Ukrainian critical infrastructure. The alert formalized U.S. government reporting on the incident.
iSIGHT and SANS assess outage was a deliberate cyberattack by Sandworm
iSIGHT Partners and SANS ICS assessed with high confidence that the 2015 Ukrainian power outages were caused by a coordinated cyberattack and attributed the incident to Sandworm Team. The assessment framed the event as a milestone in cyber operations affecting civilian critical infrastructure.
BlackEnergy 3 and KillDisk found in affected Ukrainian environments
Investigators found BlackEnergy 3 malware and related KillDisk destructive malware in environments affected by the Ukrainian power outage. Analysts assessed KillDisk may have been used to hinder restoration or operator visibility rather than directly cause the outage.
Coordinated cyberattack disrupts electric power in Ukraine
In 2015, Ukrainian power utilities suffered a coordinated, intentional cyberattack that caused power outages affecting civilians. The incident also involved phone flooding against utility support lines, which likely complicated response efforts.
Public reporting links Sandworm to CVE-2014-4114 exploitation
Public reporting identified Sandworm Team's use of CVE-2014-4114 and highlighted the group's interest in industrial control systems. These findings became part of the attribution context for later attacks on Ukrainian critical infrastructure.
Sandworm begins broader targeting of Ukrainian and regional entities
Before the 2015 outage, Sandworm Team had already been reported targeting Ukrainian organizations as well as EU, NATO, media, and regional power entities, including reconnaissance against SCADA and other critical infrastructure systems. This activity established the broader campaign context later tied to the power-sector incident.
Sources
Ongoing Sophisticated Malware Campaign Compromising ICS (Update E) | CISA (us-cert.cisa.gov)
Ongoing Sophisticated Malware Campaign Compromising ICS (Update E) | CISA (ics-cert.us-cert.gov)
Cyber-Attack Against Ukrainian Critical Infrastructure | CISA (cisa.gov)
ICS Focused Malware (Update A) | CISA (ics-cert.us-cert.gov)
BlackEnergy malware activity spiked in runup to Ukraine power grid takedown (theregister.co.uk)
Sandworm Team and the Ukrainian Power Authority Attacks (web.archive.org)