A Ukrainian energy supplier was targeted by a new variant of Industroyer malware named Industroyer2. The discovery was made by researchers from cybersecurity vendor ESET in collaboration with the Ukrainian Computer Emergency Response Team (CERT-UA).
The Industroyer malware was believed to have been used by the Sandworm APT group to cut power in Kiev, Ukraine, back in 2016.
In the latest incident, ESET claimed that Sandworm, which is linked to the Russian state security services, attempted to deploy the new version of Industroyer against high-voltage electrical substations in Ukraine with the aim of triggering power outages. The malware was scheduled to execute on April 8, 2022.
The researchers added that Sandworm used several other destructive malware families in coordination with Industroyer2, including CaddyWiper, ORCSHRED, SOLOSHRED and AWFULSHRED. CaddyWiper, which ESET first discovered in March when it was deployed in the network of a Ukrainian bank, was used here to erase traces of Industroyer2. It is believed the attack had been planned for at least two weeks.
ESET and CERT-UA, who together managed to remediate the attack on the unnamed critical infrastructure network, said they are continuing to investigate the incident. Currently, there is no information on how the attackers compromised the initial victim or how they moved from the IT network to the industrial control system (ICS) network.
While Industroyer2 shares several characteristics with the original Industroyer malware, it also has some notable differences. Chief among them is that Industroyer2 carries a detailed configuration hardcoded in its body, and this embedded configuration drives the malware's actions, whereas Industroyer stored its configuration in a separate .INI file. The researchers said this new configuration format enables Industroyer2 to communicate with multiple devices at once.
In this new incident, it is believed the attackers attempted to get Industroyer2 to control specific ICS systems in order to cut power.
While there have been a surprisingly low number of cyber-incidents impacting Ukraine’s critical infrastructure since the Russian invasion began, there appears to be a ramping up of the targeting of these systems in recent weeks. “Ukraine is once again at the center of cyberattacks targeting their critical infrastructure. This new Industroyer campaign follows multiple waves of wipers that have been targeting various sectors in Ukraine,” wrote the ESET team.
In a statement, the State Service of Special Communication and Information Protection of Ukraine (SSSCIP), the nation’s technical security and intelligence service, said that had the attack succeeded, it would have caused a “black-out in a wide territory, leaving a massive number of civilians without energy.”
Commenting on the incident, Viktor Zhora, deputy head of the SSSCIP, said: “Unfortunately, a part of the IT infrastructure had already been affected by the time we intervened. So, alongside prevention of the malware spreading, our specialists were working on its recovery so that the users wouldn’t experience any power outages. That’s exactly what happened. No signs of power outages were detected. It’s the result of a timely response of the company employees and CERT-UA specialists.”
Around two weeks ago, Ukraine’s national telecommunications provider was struck by a significant cyber-attack, leading to a loss of connectivity to large parts of the country.