Industroyer2, a new variant of the Industroyer malware, was used to infect a Ukrainian energy provider. ESET and the Ukrainian Computer Emergency Response Team (CERT-UA) collaborated on the discovery of the threat.
Recently, ESET accused the Sandworm threat actor (which reportedly has links to the Russian state security services) of deploying the new version of Industroyer against Ukraine’s high-voltage electrical substations in order to cause power disruptions. The malware was set to run on April 8th, 2022. In 2016, the Sandworm APT group allegedly used the Industroyer malware to shut down electricity in Kiev, Ukraine.
Security researchers from ESET and CERT-UA, who successfully remediated the attack on an undisclosed critical infrastructure network, say they are still investigating the incident. There is currently no information available about how the attackers first gained initial access to the victim’s IT network or how they moved from there into the industrial control system network.
Sandworm has also employed CaddyWiper, ORCSHRED, SOLOSHRED, and AWFULSHRED in conjunction with Industroyer2, according to the researchers. CaddyWiper, which ESET found deployed on a Ukrainian bank’s network in March, was meant to hide the traces of the Industroyer2 threat. The attack is believed to have been in the works for at least two weeks.
Industroyer2 shares many of the characteristics of the original Industroyer malware, with a few noticeable changes. The most significant is that Industroyer2 carries a precise configuration hardcoded in its body, which dictates the malware’s behavior, whereas Industroyer stored its settings in a separate .ini file. According to the researchers, this new configuration style allows Industroyer2 to communicate with several devices simultaneously.
It is suspected that, in this latest stage of the attack campaign, the attackers were trying to give Industroyer2 control over certain ICS systems so that electricity could be switched off.
Ukraine’s State Service of Special Communication and Information Protection (SSSCIP) said in a statement that if the attack had been successful, a vast territory would have been blacked out, “leaving a massive number of civilians without energy”. Fortunately, thanks to the quick response from the company’s personnel and CERT-UA specialists, no power outages were registered.
Two weeks ago, a cyber-attack caused a widespread outage at Ukraine’s national telecoms provider, resulting in a broad loss of service.
The frequency of cyber-incidents affecting Ukraine’s key infrastructure has been minimal since the Russian invasion began, but the targeting of these systems has increased in recent weeks, according to reports. According to the ESET team, Ukraine is at the center of cyberattacks on its key infrastructure, and this Industroyer campaign is the latest in a series of wiper campaigns aimed at different sectors of the Ukrainian economy.