Energy Provider in Ukraine Targeted With Industroyer2 ICS Malware

An energy provider in Ukraine was recently targeted with a new piece of malware designed to cause damage by manipulating industrial control systems (ICS).

The attack, which targeted high-voltage electrical substations and reportedly failed, has been analyzed by Ukraine’s Computer Emergency Response Team (CERT-UA), cybersecurity firm ESET, and Microsoft.

The operation has been linked to Sandworm, a threat group believed to operate on behalf of Russia’s GRU military intelligence agency.

According to ESET, the attack, whose likely goal was to carry out destructive actions in the targeted energy facility and cause power outages on April 8, involved the deployment of several pieces of malware, in both the ICS network and systems running Solaris and Linux. 

Industroyer2 attack on Ukraine energy company

One of the pieces of malware deployed on the ICS network has been named Industroyer2. It has been described as a new variant of Industroyer (CRASHOVERRIDE), which hackers used in December 2016 in an attack aimed at an electrical substation in Ukraine. That attack did cause a power outage, as did an attack launched one year earlier.

Industroyer2, which ESET researchers believe was built from the Industroyer source code, was deployed as a Windows executable that the attackers intended to run on April 8 via a scheduled task. The sample was compiled on March 23, indicating that the attack had been planned at least two weeks in advance.

“Industroyer2 only implements the IEC-104 (aka IEC 60870-5-104) protocol to communicate with industrial equipment,” ESET explained. “This includes protection relays, used in electrical substations. This is a slight change from the 2016 Industroyer that is a fully-modular platform with payloads for multiple ICS protocols.”
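Because IEC-104 is an unauthenticated protocol, a relay accepts a well-formed control command from whoever can reach TCP port 2404, which is why the ESET quote above matters for monitoring: the defender's signal is not an exploit but a legitimate command coming from the wrong host. The following added example (written for this page, not ESET's, CERT-UA's or Industroyer2's code) parses IEC 60870-5-104 APDUs and reports control-direction commands with cause of transmission "activation", marking whether the sender is on an allow-list of authorized SCADA masters. The frames, IP addresses and allow-list are constructed for the illustration.

```python
"""Minimal IEC 60870-5-104 (IEC-104) APDU parser plus a detector for
control-direction commands sent by hosts that are not authorized masters.
Added illustration; frames and addresses below are constructed, not captured."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Control-direction ASDU type identifiers (process commands) and the byte size
# of the information element that follows each 3-byte information object address.
CONTROL_TYPES: Dict[int, Tuple[str, int]] = {
    45: ("C_SC_NA_1 single command", 1),
    46: ("C_DC_NA_1 double command", 1),
    47: ("C_RC_NA_1 regulating step command", 1),
    48: ("C_SE_NA_1 set-point, normalized value", 3),
    49: ("C_SE_NB_1 set-point, scaled value", 3),
    50: ("C_SE_NC_1 set-point, short float", 5),
    51: ("C_BO_NA_1 bitstring of 32 bits", 4),
    58: ("C_SC_TA_1 single command with CP56Time2a", 8),
}
COT_ACTIVATION = 6  # cause of transmission "activation": master asks outstation to act


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_address: int
    ioas: List[int] = field(default_factory=list)


def parse_apdu(frame: bytes) -> Optional[Asdu]:
    """Parse one APDU; return the ASDU of an I-format frame, None for S/U frames."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("not an IEC-104 APDU (missing 0x68 start byte)")
    if frame[1] + 2 != len(frame):
        raise ValueError("APDU length field does not match frame size")
    if frame[2] & 0x01:  # control field ends in 01 (S-format) or 11 (U-format): no ASDU
        return None
    asdu = frame[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq, cot_byte, _originator, ca = struct.unpack("<BBBBH", asdu[:6])
    result = Asdu(type_id=type_id, cot=cot_byte & 0x3F, common_address=ca)
    if type_id not in CONTROL_TYPES:
        return result  # monitoring-direction data; IOAs are not needed for this check
    num_objects, sequence = vsq & 0x7F, bool(vsq & 0x80)
    elem_size = CONTROL_TYPES[type_id][1]
    body, pos = asdu[6:], 0
    for i in range(num_objects):
        if i == 0 or not sequence:  # SQ=1 carries one IOA followed by consecutive objects
            if pos + 3 > len(body):
                raise ValueError("information object truncated")
            ioa = int.from_bytes(body[pos:pos + 3], "little")
            pos += 3
        else:
            ioa = result.ioas[-1] + 1
        result.ioas.append(ioa)
        pos += elem_size
    return result


def detect_commands(flows: List[Tuple[str, bytes]], authorized_masters: set) -> List[dict]:
    """Report every activation of a control command seen in (source_ip, apdu) pairs,
    flagging senders outside the allow-list; unparsable frames are reported too."""
    findings = []
    for src, frame in flows:
        try:
            asdu = parse_apdu(frame)
        except ValueError as exc:
            findings.append({"src": src, "issue": "malformed", "detail": str(exc)})
            continue
        if asdu is None or asdu.type_id not in CONTROL_TYPES or asdu.cot != COT_ACTIVATION:
            continue
        findings.append({"src": src, "issue": "command", "type": CONTROL_TYPES[asdu.type_id][0],
                         "common_address": asdu.common_address, "ioas": asdu.ioas,
                         "authorized": src in authorized_masters})
    return findings


# Constructed sample traffic: a STARTDT U-frame, a spontaneous single-point indication
# from an outstation, and two single commands ("ON", execute) to IOA 10 on common address 1.
SAMPLE_FLOWS = [
    ("10.0.0.1", bytes.fromhex("680407000000")),
    ("10.0.0.50", bytes.fromhex("680e00000000" "010103000100" "010000" "01")),
    ("10.0.0.1", bytes.fromhex("680e02000000" "2d0106000100" "0a0000" "01")),
    ("10.0.0.99", bytes.fromhex("680e04000000" "2d0106000100" "0a0000" "01")),
]
AUTHORIZED_MASTERS = {"10.0.0.1"}  # constructed allow-list of SCADA master addresses


def unauthorized_command_sources(flows=SAMPLE_FLOWS, masters=AUTHORIZED_MASTERS) -> List[str]:
    """Addresses that issued control commands without being an authorized master."""
    return [f["src"] for f in detect_commands(flows, masters)
            if f["issue"] == "command" and not f["authorized"]]


if __name__ == "__main__":
    for finding in detect_commands(SAMPLE_FLOWS, AUTHORIZED_MASTERS):
        print(finding)
```

In the constructed sample the command from 10.0.0.1 is reported as authorized and the identical command from 10.0.0.99 is not; the monitoring-direction indication and the U-frame produce no finding. In a real deployment the allow-list would come from the substation's engineering documentation and the frames from a network tap on the IEC-104 segment.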


Unlike the first Industroyer malware, which used a separate file to store its configuration data, the new version’s configuration is hardcoded in its body, which means each sample has to be tailored to the victim’s environment. However, the researchers pointed out that this should not be a problem for the Sandworm group, particularly since the malware appears to have only been used in very few attacks.

It’s unclear if the attack involves exploitation of any vulnerability in ICS systems or if the malware is simply designed to abuse legitimate functionality. ESET says it’s still analyzing the component that appears to be able to control ICS systems in order to shut down power.

Also on the ICS network, the attackers deployed CaddyWiper, one of the several destructive wipers used in attacks against Ukraine since the conflict between Russia and Ukraine escalated.

CaddyWiper was previously used in attacks against a bank and a government organization. In the Industroyer2 attack, its goal was to remove traces of the ICS malware from compromised systems.

On Linux and Solaris systems hosted by the targeted energy company, the hackers deployed three pieces of malware tracked by ESET as ORCSHRED, SOLOSHRED and AWFULSHRED. The first is a Linux worm and the other two are wipers designed to target Solaris and Linux systems, respectively. The goal of these malicious tools was likely to make it more difficult for the operator to regain control of hacked systems.

“Sandworm is an apex predator, capable of serious operations, but they aren’t infallible,” John Hultquist, VP of Intelligence Analysis at Mandiant, told SecurityWeek. “The best part of this story is the work by Ukraine CERT and ESET to stop these attacks, which would have probably only worsened Ukrainian suffering. It’s increasingly clear that one of the reasons attacks in Ukraine have been moderated is because defenders there are very aggressive and very good at confronting Russian actors.”

ESET and CERT-UA have made available indicators of compromise (IoCs) for all the malware and other malicious components used in the attack. ESET has also released technical details on each piece of malware.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
