According to the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), the Sandworm hacking group tried to disrupt the operations of an undisclosed energy provider by manipulating its industrial control systems (ICS).
The attackers tried to shut down several “infrastructure components” of the entity, including “Electrical substations, Windows-operated computing systems, Linux-operated server equipment, active network equipment,” SSSCIP stated.
Details of the Hack
Slovakian cybersecurity firm ESET collaborated with CERT-UA to investigate the cyberattack. Further investigation revealed that the attackers used ICS-capable malware together with disk wipers and unleashed an updated version of the Industroyer malware, dubbed Industroyer 2.
It is worth noting that for years, “Industroyer,” also known as “Crash Override,” has been effectively used by Russian hackers against Ukraine’s critical infrastructure. In 2017, ESET detailed how the malware functions and revealed that the same malware was also used in the massive outage of Ukraine’s power grid in December 2015.
Sandworm’s Involvement in the Attack
Researchers have linked the cyberattack against Ukraine’s energy firm to the Sandworm threat group allegedly working for Russia’s GRU military intelligence agency. ESET explained that the primary objective behind the attack was targeting an energy facility with destructive actions and causing a power outage.
The attack reportedly occurred on April 8. Attackers deployed several pieces of malware in the company’s ICS network and systems running Linux and Solaris, one of which was Industroyer 2 and another was CaddyWiper, previously used in attacks against a government entity and a bank. They deployed the malware as a Windows executable. Researchers claim that the attack was planned at least two weeks ago.
“The Sandworm attackers made an attempt to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine. In addition to Industroyer2, Sandworm used several destructive malware families, including CaddyWiper, OrcShred, SoloShred, and AwfulShred.”
ESET
About Industroyer 2
Industroyer 2 is a variant of Industroyer (also known as Crash Override), a malware first used in an assault against a Ukrainian power grid in 2016. It was built using Industroyer source code.
ESET is currently assessing the component that controls the ICS system to shut down power. Industroyer 2 implements only the IEC-104 (also known as IEC 60870-5-104) protocol for communicating with industrial equipment, including protection relays used in electrical substations, which makes it different from the 2016 Industroyer.
It is not yet clear whether Industroyer 2 exploits any vulnerability in the ICS system or only abuses legitimate functionality.
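Since IEC-104 is the only protocol Industroyer 2 implements, defenders can watch that traffic for control commands coming from unexpected hosts. The sketch below is an added example, not code from ESET, CERT-UA or the original report: it parses IEC-104 frames out of a reassembled TCP payload and flags command ASDUs sent by any host outside an allowlist of control stations. The allowlist, the IP addresses and the sample bytes are constructed assumptions.

```python
import struct

# Control-direction process commands (IEC 60870-5-104 type identifications).
COMMAND_TYPES = {
    45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step", 48: "C_SE_NA_1 set point, normalized",
    49: "C_SE_NB_1 set point, scaled", 50: "C_SE_NC_1 set point, float",
}

def parse_apdus(stream: bytes):
    """Yield (format, asdu_bytes) for each APDU in a reassembled TCP payload."""
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 6 or stream[pos] != 0x68:
            raise ValueError(f"not an IEC-104 APCI at offset {pos}")
        length = stream[pos + 1]            # counts control field + ASDU
        end = pos + 2 + length
        if length < 4 or end > len(stream):
            raise ValueError(f"bad APDU length at offset {pos}")
        ctrl1 = stream[pos + 2]
        if ctrl1 & 0x01 == 0:               # I-format: carries an ASDU
            yield "I", stream[pos + 6:end]
        elif ctrl1 & 0x03 == 0x01:          # S-format: acknowledgement only
            yield "S", b""
        else:                               # U-format: STARTDT/STOPDT/TESTFR
            yield "U", b""
        pos = end

def command_alerts(src_ip, stream, authorized_masters):
    """Return one alert per command ASDU sent by a host outside the allowlist."""
    alerts = []
    for fmt, asdu in parse_apdus(stream):
        if fmt != "I" or len(asdu) < 9:
            continue
        # type id, variable structure qualifier, cause, originator, common address
        type_id, _vsq, cot, _orig, common_addr = struct.unpack_from("<BBBBH", asdu)
        ioa = int.from_bytes(asdu[6:9], "little")   # first information object only
        if type_id in COMMAND_TYPES and src_ip not in authorized_masters:
            alerts.append((src_ip, COMMAND_TYPES[type_id], cot & 0x3F, common_addr, ioa))
    return alerts

# Constructed sample traffic (not captured from any incident).
SAMPLE = bytes.fromhex(
    "68 04 07 00 00 00"                                  # U-format STARTDT act
    "68 0e 00 00 00 00  64 01 06 00 01 00  00 00 00 14"  # type 100, interrogation
    "68 0e 02 00 00 00  2e 01 06 00 01 00  10 00 00 05"  # type 46, double command
)
```

Each alert tuple holds the source, the command type, the cause of transmission, the common address and the information object address of the first object in the ASDU.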