Connect with us

Hi, what are you looking for?



Energy Provider in Ukraine Targeted With Industroyer2 ICS Malware

An energy provider in Ukraine was recently targeted with a new piece of malware designed to cause damage by manipulating industrial control systems (ICS).

An energy provider in Ukraine was recently targeted with a new piece of malware designed to cause damage by manipulating industrial control systems (ICS).

The attack, which targeted high-voltage electrical substations and reportedly failed, has been analyzed by Ukraine’s Computer Emergency Response Team (CERT-UA), cybersecurity firm ESET, and Microsoft.

The operation has been linked to Sandworm, a threat group believed to operate on behalf of Russia’s GRU military intelligence agency.

According to ESET, the attack, whose likely goal was to carry out destructive actions in the targeted energy facility and cause power outages on April 8, involved the deployment of several pieces of malware, in both the ICS network and systems running Solaris and Linux. 

Industroyer2 attack on Ukraine energy company

One of the pieces of malware deployed on the ICS network has been named Industroyer2 and it has been described as a new variant of Industroyer (CRASHOVERRIDE), which hackers used in December 2016 in an attack aimed at an electrical substation in Ukraine. That attack did cause a power outage, the same as an attack launched one year earlier. 

Industroyer2, which ESET researchers believe was built using the Industroyer source code, was deployed as a Windows executable that the attackers were hoping to run on April 8 using a scheduled task. The sample was compiled on March 23, indicating that the attack had been planned for at least two weeks in advance.

“Industroyer2 only implements the IEC-104 (aka IEC 60870-5-104) protocol to communicate with industrial equipment,” ESET explained. “This includes protection relays, used in electrical substations. This is a slight change from the 2016 Industroyer that is a fully-modular platform with payloads for multiple ICS protocols.”

Advertisement. Scroll to continue reading.

Learn More About Industrial Malware at SecurityWeek’s ICS Cyber Security Conference

Unlike the first Industroyer malware, which used a separate file to store its configuration data, the new version’s configuration is hardcoded in its body, which means each sample has to be tailored to the victim’s environment. However, the researchers pointed out that this should not be a problem for the Sandworm group, particularly since the malware appears to have only been used in very few attacks.

It’s unclear if the attack involves exploitation of any vulnerability in ICS systems or if the malware is simply designed to abuse legitimate functionality. ESET says it’s still analyzing the component that appears to be able to control ICS systems in order to shut down power.

Also on the ICS network, the attackers deployed CaddyWiper, one of the several destructive wipers used in attacks against Ukraine since the conflict between Russia and Ukraine escalated.

CaddyWiper was previously used in attacks against a bank and a government organization. In the Industroyer2 attack, its goal was to remove traces of the ICS malware from compromised systems.

On Linux and Solaris systems hosted by the targeted energy company, the hackers deployed three pieces of malware tracked by ESET as ORCSHRED, SOLOSHRED and AWFULSHRED. The first is a Linux worm and the other two are wipers designed to target Solaris and Linux systems, respectively. The goal of these malicious tools was likely to make it more difficult for the operator to regain control of hacked systems.

“Sandworm is an apex predator, capable of serious operations, but they aren’t infallible,” John Hultquist, VP of Intelligence Analysis at Mandiant, told SecurityWeek. “The best part of this story is the work by Ukraine CERT and ESET to stop these attacks, which would have probably only worsened Ukrainian suffering. It’s increasingly clear that one of the reasons attacks in Ukraine have been moderated is because defenders there are very aggressive and very good at confronting Russian actors.”

ESET and CERT-UA have made available indicators of compromise (IoC) for all the malware and other malicious components used in the attack. ESET has also released technical details on each malware.

Related: Thousands of Industrial Firms Targeted in Attacks Leveraging Short-Lived Malware

Related: BlackCat Ransomware Targets Industrial Companies

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.