Sandworm introduces Industroyer2 malware against Ukraine
A new variant of the Industroyer malware, used to great effect against Ukraine’s energy sector in 2016 by the Russian Advanced Persistent Threat (APT) group known as Sandworm or Voodoo Bear, has been identified by researchers from ESET working with the Computer Emergency Response Team of Ukraine (CERT-UA).
Dubbed Industroyer2, it was used in an attempted cyberattack on a Ukrainian energy company on the evening of April 8, 2022. The attack combined ICS-capable malware aimed at high-voltage electrical substations with disk wipers for Windows, Linux, and Solaris systems.
The Industroyer2 sample was compiled on March 23, suggesting the attack had been planned for some time; according to CERT-UA, the initial compromise took place in February.
Sandworm also deployed a range of other destructive malware in the attack, including the recently identified CaddyWiper on Windows, and the Orcshred, Soloshred, and Awfulshred wipers on Linux and Solaris.
“Ukraine is once again at the center of cyberattacks targeting its critical infrastructure,” ESET’s research team said in a disclosure statement. “This new Industroyer campaign follows multiple waves of wipers targeting different sectors in Ukraine. ESET researchers will continue to monitor the threat landscape to better protect organizations from these types of destructive attacks.”
ESET said it was unable to determine how the victim was initially compromised, nor how Sandworm, which is part of the Russian GRU military intelligence service’s Main Center for Special Technologies (GTsST), moved laterally from the victim’s IT network into the separate ICS network.
Industroyer2 differs from its predecessor in that it speaks only a single industrial protocol, IEC-104 (IEC 60870-5-104), to communicate with substation equipment, and it carries a detailed, hard-coded configuration that drives its actions. That makes it highly target-specific: its operators must recompile it for each new victim or environment they wish to attack.
However, it shares several code similarities with the earlier Industroyer payload, allowing analysts to judge with high confidence that both pieces of malware derive from the same source code.
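To make the single-protocol point concrete, the following is an added example (not code from ESET, CERT-UA or the malware itself) of what IEC-104 traffic looks like on the wire and how a defender might pick out the process-control writes in it. The frame layouts and type identifiers follow the public IEC 60870-5-104 standard; the session at the bottom (a STARTDT, a select/execute pair for one information object address, and a supervisory acknowledgement) is constructed here for illustration, and the common address and IOA values are arbitrary assumptions.

```python
"""IEC 60870-5-104 (IEC-104) frame decoder with a control-command check.

Added example: this is not code from ESET, CERT-UA or the malware itself.
Frame layouts follow the public IEC 60870-5-104 standard; the sample
frames at the bottom are constructed, not captured traffic.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

START_BYTE = 0x68

# U-format control functions, keyed by the first control octet.
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}

# ASDU types in control direction that change process state: (name, element size).
CONTROL_TYPES: Dict[int, Tuple[str, int]] = {
    45: ("C_SC_NA_1 single command", 1), 46: ("C_DC_NA_1 double command", 1),
    47: ("C_RC_NA_1 regulating step", 1), 48: ("C_SE_NA_1 set point normalized", 3),
    49: ("C_SE_NB_1 set point scaled", 3), 50: ("C_SE_NC_1 set point float", 5),
    51: ("C_BO_NA_1 bitstring", 5),
}
COT_NAMES = {6: "activation", 7: "activation confirmation", 10: "activation termination"}


@dataclass
class Frame:
    fmt: str                                   # "I", "S" or "U"
    u_function: Optional[str] = None
    type_id: Optional[int] = None
    cot: Optional[int] = None
    common_addr: Optional[int] = None
    objects: List[Tuple[int, bytes]] = field(default_factory=list)  # (ioa, element)


def parse_apdu(buf: bytes) -> Frame:
    """Decode one APDU (APCI plus optional ASDU). Raises ValueError on malformed input."""
    if len(buf) < 6 or buf[0] != START_BYTE or buf[1] != len(buf) - 2:
        raise ValueError("not a well-formed IEC-104 APDU")
    c0 = buf[2]
    if c0 & 0x03 == 0x03:                      # U-format: connection control only
        return Frame("U", u_function=U_FUNCTIONS.get(c0, f"unknown 0x{c0:02x}"))
    if c0 & 0x03 == 0x01:                      # S-format: supervisory acknowledgement
        return Frame("S")
    asdu = buf[6:]                             # I-format carries an ASDU
    if len(asdu) < 6:
        raise ValueError("I-frame without a complete ASDU header")
    type_id, vsq = asdu[0], asdu[1]
    frame = Frame("I", type_id=type_id, cot=asdu[2] & 0x3F,
                  common_addr=struct.unpack_from("<H", asdu, 4)[0])
    body, count, sequence = asdu[6:], vsq & 0x7F, bool(vsq & 0x80)
    size = CONTROL_TYPES.get(type_id, ("", 0))[1]
    if size == 0:                              # type not modelled here: keep raw payload
        frame.objects.append((int.from_bytes(body[:3], "little"), body[3:]))
        return frame
    # SQ=1: one IOA followed by consecutive elements; SQ=0: each element has its own IOA.
    pos = 3 if sequence else 0
    base_ioa = int.from_bytes(body[0:3], "little") if sequence else 0
    for i in range(count):
        if sequence:
            ioa = base_ioa + i
        else:
            ioa = int.from_bytes(body[pos:pos + 3], "little")
            pos += 3
        elem = body[pos:pos + size]
        pos += size
        if len(elem) != size:
            raise ValueError("truncated information object")
        frame.objects.append((ioa, elem))
    return frame


def find_control_commands(frames: List[bytes]) -> List[dict]:
    """Return one record per process-control write found in a list of APDUs."""
    hits = []
    for raw in frames:
        f = parse_apdu(raw)
        if f.fmt != "I" or f.type_id not in CONTROL_TYPES:
            continue
        for ioa, elem in f.objects:
            rec = {"type": CONTROL_TYPES[f.type_id][0], "ca": f.common_addr,
                   "ioa": ioa, "cot": COT_NAMES.get(f.cot, f.cot)}
            if f.type_id == 45:                # SCO: bit0 = on/off, bit7 = select(1)/execute(0)
                rec["on"] = bool(elem[0] & 0x01)
                rec["phase"] = "select" if elem[0] & 0x80 else "execute"
            hits.append(rec)
    return hits


def build_single_command(ca: int, ioa: int, on: bool, select: bool, ns: int, nr: int) -> bytes:
    """Encode a C_SC_NA_1 activation (COT 6); used only to construct the sample frames."""
    sco = (0x80 if select else 0) | (1 if on else 0)
    asdu = bytes([45, 1, 6, 0]) + struct.pack("<H", ca) + ioa.to_bytes(3, "little") + bytes([sco])
    apci = struct.pack("<HH", ns << 1, nr << 1)   # I-format send/receive sequence numbers
    return bytes([START_BYTE, len(apci) + len(asdu)]) + apci + asdu


# Constructed sample session (assumed addresses): STARTDT, select then execute "on"
# for common address 1 / IOA 1057, then an S-format acknowledgement.
SAMPLE_FRAMES = [
    bytes.fromhex("680407000000"),
    build_single_command(ca=1, ioa=1057, on=True, select=True, ns=0, nr=0),
    build_single_command(ca=1, ioa=1057, on=True, select=False, ns=1, nr=0),
    bytes.fromhex("680401000400"),
]

if __name__ == "__main__":
    for rec in find_control_commands(SAMPLE_FRAMES):
        print(rec)
```

Run stand-alone, the script reports the two single-command writes (select and execute) and ignores the STARTDT and S-format frames. In a substation network, IEC-104 control-direction ASDUs should only ever originate from a known set of master stations; alerting on any such command from an unexpected source address is a cheap check that does not depend on recognising a particular malware sample.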
More details on how the malware works, as well as new information on the CaddyWiper malware used in parallel, are available from ESET.
A parallel cyber war
Industroyer2 is the latest in a series of new malware deployed by Russia in its parallel cyber war against Ukraine, many of which were also detected by ESET.
Moscow’s campaign of destructive data-erasing attacks began the month before Russia’s kinetic invasion of Ukraine, with the deployment of the new WhisperGate malware against government targets in Kyiv.
As the invasion began, these initial attacks were followed by further new wipers: HermeticWiper and IsaacWiper in late February, and CaddyWiper in mid-March.
In addition to destructive wiper malware, Russia also used the new Cyclops Blink malware to gain access to target networks through vulnerable firewall devices and co-opt them into a botnet, although this was neutralized by American and German authorities in early April.
Meanwhile, an actor linked to Russia’s European puppet state of Belarus targeted organizations supporting Ukrainian refugees with malware called SunSeed.