An energy provider in Ukraine was recently targeted with a new piece of malware designed to cause damage by manipulating industrial control systems (ICS).
The attack, which targeted high-voltage electrical substations and reportedly failed, has been analyzed by Ukraine’s Computer Emergency Response Team (CERT-UA), cybersecurity firm ESET, and Microsoft.
The operation has been linked to Sandworm, a threat group believed to operate on behalf of Russia’s GRU military intelligence agency.
According to ESET, the attack, whose likely goal was to carry out destructive actions in the targeted energy facility and cause power outages on April 8, involved the deployment of several pieces of malware, in both the ICS network and systems running Solaris and Linux.
One of the pieces of malware deployed on the ICS network has been named Industroyer2 and it has been described as a new variant of Industroyer (CRASHOVERRIDE), which hackers used in December 2016 in an attack aimed at an electrical substation in Ukraine. That attack did cause a power outage, the same as an attack launched one year earlier.
Industroyer2, which ESET researchers believe was built using the Industroyer source code, was deployed as a Windows executable that the attackers were hoping to run on April 8 using a scheduled task. The sample was compiled on March 23, indicating that the attack had been planned for at least two weeks in advance.
“Industroyer2 only implements the IEC-104 (aka IEC 60870-5-104) protocol to communicate with industrial equipment,” ESET explained. “This includes protection relays, used in electrical substations. This is a slight change from the 2016 Industroyer that is a fully-modular platform with payloads for multiple ICS protocols.”
Learn More About Industrial Malware at SecurityWeek’s ICS Cyber Security Conference
Unlike the first Industroyer malware, which used a separate file to store its configuration data, the new version’s configuration is hardcoded in its body, which means each sample has to be tailored to the victim’s environment. However, the researchers pointed out that this should not be a problem for the Sandworm group, particularly since the malware appears to have only been used in very few attacks.
It’s unclear if the attack involves exploitation of any vulnerability in ICS systems or if the malware is simply designed to abuse legitimate functionality. ESET says it’s still analyzing the component that appears to be able to control ICS systems in order to shut down power.
Also on the ICS network, the attackers deployed CaddyWiper, one of the several destructive wipers used in attacks against Ukraine since the conflict between Russia and Ukraine escalated.
CaddyWiper was previously used in attacks against a bank and a government organization. In the Industroyer2 attack, its goal was to remove traces of the ICS malware from compromised systems.
On Linux and Solaris systems hosted by the targeted energy company, the hackers deployed three pieces of malware tracked by ESET as ORCSHRED, SOLOSHRED and AWFULSHRED. The first is a Linux worm and the other two are wipers designed to target Solaris and Linux systems, respectively. The goal of these malicious tools was likely to make it more difficult for the operator to regain control of hacked systems.
“Sandworm is an apex predator, capable of serious operations, but they aren’t infallible,” John Hultquist, VP of Intelligence Analysis at Mandiant, told SecurityWeek. “The best part of this story is the work by Ukraine CERT and ESET to stop these attacks, which would have probably only worsened Ukrainian suffering. It’s increasingly clear that one of the reasons attacks in Ukraine have been moderated is because defenders there are very aggressive and very good at confronting Russian actors.”
ESET and CERT-UA have made available indicators of compromise (IoC) for all the malware and other malicious components used in the attack. ESET has also released technical details on each malware.
Related: Thousands of Industrial Firms Targeted in Attacks Leveraging Short-Lived Malware