The Computer Emergency Response Team of Ukraine (CERT-UA) announced Tuesday that it foiled a cyberattack by Sandworm, a hacking group affiliated with Russia’s military intelligence agency, to sabotage the operations of an unnamed utility in the country.
“The attackers attempted to disable multiple infrastructure components of their target, namely: electrical substations, Windows-powered computer systems, Linux-powered server equipment, [and] active network equipment,” the State Service for Special Communications and Information Protection of Ukraine (SSSCIP) said in a statement.
Slovakian cybersecurity firm ESET, which worked with CERT-UA to analyze the attack, said the attempted break-in involved the use of ICS-enabled malware and regular disk wipers, with the attacker unleashing an updated variant of the Industroyer malware that was first used in an attack on the electricity grid of Ukraine in 2016.
“The Sandworm attackers attempted to deploy the Industroyer2 malware against high-voltage substations in Ukraine,” ESET explained. “In addition to Industroyer2, Sandworm used several destructive malware families including CaddyWiper, OrcShred, SoloShred, and AwfulShred.”
The victim’s power grid is believed to have been invaded in two waves, with the first compromise occurring no later than February 2022 and coinciding with the Russian invasion of Ukraine, and a subsequent infiltration in April that allowed the attackers to upload Industroyer2.
Also known as “CrashOverride” and dubbed the “biggest threat to industrial control systems since Stuxnet,” Industroyer is both modular and capable of directly controlling switches and circuit breakers in a substation.
The new version of the sophisticated and highly customizable malware, like its predecessor, uses an industrial communication protocol called IEC-104 to control industrial equipment such as protection relays used in substations.
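As an added illustration of the protocol named above (this is example code, not ESET's or CERT-UA's), the following Python decoder parses IEC 60870-5-104 APDUs and flags the control ASDUs (single/double commands, interrogation) that a defender would want to alert on when they appear from an unexpected source; the frames it runs on are constructed samples, not captured traffic.

```python
# Minimal IEC 60870-5-104 decoder that flags control ASDUs (added example,
# not ESET's or CERT-UA's code; the sample frames below are constructed).
# ASDU type IDs that change process state or poll the outstation (IEC 60870-5-101).
CONTROL_TYPES = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
                 47: "C_RC_NA_1 regulating step", 58: "C_SC_TA_1 single command",
                 59: "C_DC_TA_1 double command", 100: "C_IC_NA_1 interrogation"}
COT_NAMES = {6: "activation", 7: "activation confirmation", 8: "deactivation"}

def parse_apdu(data: bytes) -> dict:
    """Decode one APDU (APCI + optional ASDU); return {} when framing is invalid."""
    if len(data) < 6 or data[0] != 0x68 or data[1] != len(data) - 2:
        return {}
    ctrl = data[2]
    fmt = "I" if ctrl & 1 == 0 else ("S" if ctrl & 3 == 1 else "U")
    if fmt != "I":
        return {"format": fmt}
    asdu = data[6:]
    if len(asdu) < 9:  # type, VSQ, COT(2), common address(2), IOA(3) at minimum
        return {}
    frame = {"format": "I", "type_id": asdu[0],
             "cot": asdu[2] & 0x3F,  # low 6 bits = cause of transmission
             "common_addr": asdu[4] | asdu[5] << 8,
             "ioa": asdu[6] | asdu[7] << 8 | asdu[8] << 16}
    if frame["type_id"] in (45, 46, 58, 59) and len(asdu) >= 10:
        qual = asdu[9]  # SCO/DCO qualifier byte
        frame["select"] = bool(qual & 0x80)  # S/E bit: 1 = select, 0 = execute
        frame["state"] = qual & (0x01 if frame["type_id"] in (45, 58) else 0x03)
    return frame

def flag_control_commands(apdus) -> list:
    """Return one alert string per APDU that carries a control ASDU."""
    alerts = []
    for raw in apdus:
        f = parse_apdu(raw)
        if f.get("type_id") in CONTROL_TYPES and f.get("cot") in COT_NAMES:
            alerts.append(f"{CONTROL_TYPES[f['type_id']]} ({COT_NAMES[f['cot']]}) "
                          f"CA={f['common_addr']} IOA={f['ioa']} "
                          f"select={f.get('select')} state={f.get('state')}")
    return alerts

# Constructed sample traffic: a STARTDT act U-frame; a single command (type 45,
# COT 6 activation, CA 1, IOA 10, execute, SCS=1 "on"); and a short float
# measurement (type 13, COT 3 spontaneous) that must not be flagged.
SAMPLE_APDUS = [
    bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00]),
    bytes([0x68, 0x0E, 0x00, 0x00, 0x00, 0x00, 45, 1, 6, 0, 1, 0, 10, 0, 0, 0x01]),
    bytes([0x68, 0x12, 0x02, 0x00, 0x02, 0x00, 13, 1, 3, 0, 1, 0, 0x20, 0, 0,
           0, 0, 0x80, 0x3F, 0]),
]
```

Running `flag_control_commands(SAMPLE_APDUS)` yields a single alert for the execute of the single command on IOA 10; the U-frame and the measurement pass silently.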
Forensic analysis of the artifacts left behind by Industroyer2 has returned a compilation timestamp of March 23, 2022, indicating the attack had been planned for at least two weeks. However, it is still unclear how the power plant under attack was initially compromised or how the intruders moved from the IT network to the Industrial Control System (ICS) network.
ESET said the destructive actions against the company’s infrastructure were planned for April 8, 2022 but were ultimately foiled. A data wiper called CaddyWiper was then to be run 10 minutes later on the same machine to wipe out traces of the Industroyer2 malware.
In addition to Industroyer2 and CaddyWiper, the network of the attacked energy supplier is also said to have been infected by a Linux worm called OrcShred, which in turn spreads two different wipers for Linux and Solaris systems – AwfulShred and SoloShred – rendering the machines inoperable.
The findings follow last week’s court-authorized takedown of Cyclops Blink, an advanced modular botnet controlled by the threat actor Sandworm.
For its part, CERT-UA has also warned of a series of spear phishing campaigns by Armageddon, another Russia-based group with ties to the Federal Security Service (FSB) that has been targeting Ukrainian facilities since at least 2013.
“Ukraine is once again at the center of cyberattacks targeting its critical infrastructure,” ESET said. “This new Industroyer campaign follows multiple waves of wipers targeting different sectors in Ukraine.”