A long-expected alignment of offensive cyber capabilities with kinetic attacks on the ground may be shaping into reality. Documented incidents against the Ukrainian and Polish power grids, and inferences made by the U.S. administration of attacks against the Venezuelan grid during the capture of President Nicolas Maduro add credence to the notion that offensive cyber tactics are now part-and-parcel of military strategies.
While these attacks targeted power grids in different regions, the threat is not limited to this critical infrastructure sector. Operators and asset owners in all 16 CI sectors should address the risk, especially around operational technology and other connected cyber-physical systems (CPS). A programmatic approach to CPS protection will be an essential component of cyber defense going forward, especially one that addresses known shortcomings such as legacy and unsecured technology, a lack of overall asset visibility, and the ability to add compensating controls to critical infrastructure as a mitigation.
This blog examines the ongoing alignment of cyber and kinetic attacks, connecting these incidents to show the shift in threat actors’ strategies and the urgent need for programmatic cyber-physical systems (CPS) protection across all sectors.
Russia’s targeting of the Ukrainian power grid, dating as far back as 2015, is one of the few systematic offensive cyber campaigns against a geopolitical adversary. The Russian advanced persistent threat group Sandworm (also known as APT44) is alleged to be responsible for an ongoing campaign targeting Ukraine’s power infrastructure. Using sophisticated malware platforms such as BlackEnergy, Industroyer, NotPetya, CaddyWiper, and FrostyGoop, the group has kept its aggression against critical infrastructure on a dangerous trajectory. Let’s look at some recent incidents:
CaddyWiper is notable for its timing and demonstrates one of the first alignments of cyber and kinetic attacks. The destructive data-wiping malware was part of an extensive campaign against Ukrainian electric facilities intended to cause unplanned power outages that coincided with missile strikes on the country.
FrostyGoop was uncovered in 2024 and linked to Russian state actors. It is believed to be the first malware developed to abuse the Modbus communication protocol prevalent on operational technology (OT) networks in order to manipulate control systems and cause impact in the physical world. The malware hit a municipal heating company in Lviv, Ukraine, and disrupted heating for 600 civilian homes in January 2024, crossing supposed red lines in cyberspace and impacting civilian infrastructure.
China’s Volt Typhoon and Salt Typhoon are other well-documented APT groups that carried out offensive campaigns against American military and critical infrastructure networks.
The campaign, largely using living-off-the-land techniques, was widespread and effective in placing offensive capabilities on compromised networks. These weapons were not executed and largely sat dormant.
The working assumption is that China is demonstrating its capabilities in case of future military action in Taiwan, placing critical infrastructure at the center of a larger military plan. In an unexpected twist, China reportedly admitted its role in the incidents to members of the Biden administration.
Researchers at ESET recently published details of data-wiper attacks against an energy provider in Poland; ESET linked the attacks to Sandworm. Unlike Industroyer and its variant Industroyer 2, DynoWiper targeted the enterprise network and IT systems, and marked an escalation in the targeting of a NATO member state.
The attacks reportedly failed, ESET said in its report, noting the efforts of local cyber and operations teams that mitigated them. The impact could have been unprecedented because the attack occurred during a cold snap when temperatures dropped to 5 degrees F, and it represents an attack against the civilian population of a country not under an active banner of war.
The incidents detailed—from Sandworm's relentless campaign against the Ukrainian power grid to the shadow of Volt Typhoon over U.S. infrastructure, the direct targeting of NATO member Poland, and the alleged overt use of cyberattacks in the Venezuela operation—unambiguously confirm a new military doctrine: the union of cyber and kinetic attacks.
Cyberwarfare is no longer a peripheral, rumored capability but a decisive, integrated component of modern military strategy. The chasm that once isolated OT from the kinetic battleground has been crossed; OT is now a primary, often civilian-facing target.
Critical infrastructure is not wholly defined by the electric system. CISA defines 16 critical infrastructure sectors, but only two have binding regulations with financial penalties for lax cybersecurity practices: electric utilities governed by NERC’s Critical Infrastructure Protection (CIP) standards, and oil and gas governed by TSA’s security directives.
Traditional IT security solutions are insufficient for OT environments, where many legacy protocols are insecure by default, organizations lack adequate visibility into their connected assets, and vulnerable assets often cannot be patched because of uptime demands.
Influential industry organizations such as SANS have developed guidelines for industrial control system cybersecurity controls. These best practices include:
A practiced and mature OT incident response plan
A defensible control system architecture that includes segmented zones
Adequate visibility and asset inventory that supports monitoring capabilities looking for anomalies
Secure remote access paths onto the OT network, including strong authentication and other best practices
Risk-based vulnerability and exposure management that prioritizes mitigation and remediation beyond criticality scores.
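The FrostyGoop incident above shows why the monitoring control in this list has to understand OT protocols, not just IP flows: a Modbus write looks like any other TCP packet unless something parses the function code. The following is an added illustration (not Claroty's or SANS's code) of that kind of check: it parses Modbus/TCP requests and alerts on state-changing function codes from hosts outside an allowlist. The frames and addresses are constructed sample data, and the allowlist of permitted writers is an assumption.

```python
import struct
from typing import NamedTuple

# Modbus function codes that change controller state; reads (FC 1-4) are left alone.
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers",
                        23: "Read/Write Multiple Registers"}

class ModbusRequest(NamedTuple):
    src: str
    unit_id: int
    function_code: int
    address: int

def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and the first PDU fields of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    # MBAP: transaction id, protocol id (always 0), length, unit id; then the PDU.
    _txn_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"unexpected protocol id {proto_id}")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    function_code = frame[7]
    # Standard read/write requests carry a 16-bit starting address after the FC.
    address = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else -1
    return ModbusRequest(src, unit_id, function_code, address)

def flag_unexpected_writes(frames, allowed_writers):
    """Return alert strings for writes from non-allowlisted hosts or malformed frames."""
    alerts = []
    for src, frame in frames:
        try:
            req = parse_modbus_tcp(src, frame)
        except ValueError as exc:
            alerts.append(f"{src}: malformed Modbus frame ({exc})")
            continue
        if req.function_code in WRITE_FUNCTION_CODES and src not in allowed_writers:
            alerts.append(f"{src}: {WRITE_FUNCTION_CODES[req.function_code]} "
                          f"(FC {req.function_code}) to unit {req.unit_id} @ {req.address}")
    return alerts

# Constructed sample traffic (not real captures): an HMI reading 10 holding registers,
# the same HMI writing a setpoint, then an unknown host writing the same register.
SAMPLE_FRAMES = [
    ("10.0.10.5",  bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    ("10.0.10.5",  bytes.fromhex("0002 0000 0006 01 06 0010 0042")),
    ("10.0.99.77", bytes.fromhex("0003 0000 0006 01 06 0010 0000")),
]

if __name__ == "__main__":
    for line in flag_unexpected_writes(SAMPLE_FRAMES, allowed_writers={"10.0.10.5"}):
        print(line)
```

Run against the sample frames, only the write from 10.0.99.77 is reported; the allowlisted HMI's read and write pass silently.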
These are the building blocks of a programmatic, risk-reduction-focused approach to defending OT and other CPS on critical infrastructure networks. This isn’t a situation where simply buying new tech solves the issue, though. To successfully protect CPS, it’s necessary to aim for three key outcomes:
Reduce the attack surface and risk exposure across the enterprise, diminishing the likelihood of a cyber incident causing downtime and financial loss
Meet and prove compliance within an increasingly complex regulatory landscape as these frameworks become more industry-specific and CPS-focused
Protect operational uptime, availability of equipment, and public safety while ensuring the delivery of critical services.
Reaching these outcomes largely depends on the provider your organization chooses to partner with. Ideally, that partner should use a combination of people, processes, and technology to reduce CPS risk, total cost of ownership (TCO), and mean time to repair (MTTR). Opting for a programmatic approach with Claroty can help your organization reach these goals faster. Get started by requesting a demo with one of our experts.
The incidents featured in this blog are not comprehensive, yet they mark a watershed moment for the linkage between kinetic and cyber attacks. This alignment confirms a new military doctrine in which offensive cyber intrusions against critical infrastructure, particularly against CPS, are an integrated component of modern military strategy. This shift demands urgent programmatic cyber-physical systems (CPS) protection across all sectors in order to adequately reduce risk in these critical environments.