The Computer Emergency Response Team of Ukraine (CERT-UA), with the help of ESET and Microsoft security experts, has thwarted a cyber attack by the Sandworm hackers, who tried to shut down electrical substations run by an energy provider in Ukraine.
According to CERT-UA, the victim organization suffered two waves of attacks. The initial compromise took place no later than February 2022, and the final, destructive steps were scheduled for Friday evening, April 8, 2022. Luckily, it never came to that.
“The attack used ICS-capable malware and regular disk wipers for Windows, Linux and Solaris operating systems,” ESET researchers said. “We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine.”
How the cyber attack unfolded and was thwarted
The attack involved a wide variety of malware:
- A new version of Industroyer, i.e. Industroyer2
- CaddyWiper, AwfulShred and SoloShred data wipers
- The OrcShred Linux worm
- The ArguePatch loader
“Industroyer2 only implements the IEC-104 (aka IEC 60870-5-104) protocol to communicate with industrial equipment. This includes protection relays, used in electrical substations. This is a slight change from the 2016 Industroyer variant that is a fully-modular platform with payloads for multiple ICS protocols,” ESET researchers shared.
CERT-UA says that each Industroyer executable “contained a statically specified set of unique parameters for the respective substations.”
The CaddyWiper malware, which erases user data and partition information from attached drives, targets the Windows OS. This particular variant was aimed at user computers, servers, and ACS TP (automated control systems of technological processes) workstations. The malware can make target machines unbootable.
AwfulShred and SoloShred targeted server equipment running Linux and Solaris, with the aim to wipe them and render them inoperable. The OrcShred worm – part of those wipers – looks for any other reachable system and attempts to deploy the wipers far and wide.
“Centralized distribution and launch of CaddyWiper is implemented through the Group Policy Mechanism (GPO). The Powergap PowerShell script was used to add a Group Policy that downloads file destructor components from a domain controller and creates a scheduled task on a computer,” CERT-UA shared.
“The ability to move horizontally between segments of the local area network is provided by creating chains of SSH tunnels. Impacket is used for remote execution of commands.”
The only parts of the puzzle that are still unknown is how the attackers compromised the initial victim and how they moved from the IT network to the ICS network.
Sandworm and their prior attacks in Ukraine
“We assess with high confidence that the APT group Sandworm is responsible for this new attack,” ESET researchers stated.
The Sandworm is believed to be part of a Russian military unit, and among their many past attacks have been those aimed at Ukrainian companies in the energy, media, financial and other sectors.
It is also believed that the freshly disrupted Cyclops Blink botnet had been operated by the group.
This latest attempted attack against the Ukrainian energy grid was likely made to support the Russian military campaign in Ukraine.
“It seems like planning for the electrical grid attack started after it became clear that the invasion plan had failed. This indicates that the reason the electrical grid was not part of the initial plan was a strategic decision, not because of Russian disregard for offensive cyber capacity,” infosec researcher The Grugq opined.
“Russian failure is likely due to a large delta between the installation of the malware and the date scheduled for the attack. This delta provided sufficient time for the defenders to coordinate and execute remediation action. In a real sense, the Russians are trying to conduct a cyberwar and they are failing due to the ability of the Ukrainian defense forces. This mirrors the experience on the battlefield, where Ukrainian defense have exceeded expectations.”