Sandworm Hackers Are Unable to Bring Down Ukraine's Largest Energy Company

With a new variant of the Industroyer malware for industrial control systems (ICS) and a new version of the CaddyWiper data destruction malware, the Russian state-sponsored hacking group Sandworm attempted to take down a large Ukrainian energy provider by disconnecting its electrical substations on Friday.

The threat actor built a version of the Industroyer ICS malware tailored to the targeted high-voltage electrical substations, then used CaddyWiper and other data-wiping malware families (Orcshred, Soloshred and Awfulshred for Linux and Solaris systems) to try to erase the attack's traces.

Researchers from cybersecurity firm ESET, who are working with the Ukrainian Computer Emergency Response Team (CERT) to fix and defend the attacked network, say they have no idea how the attacker gained access to the network or how they moved from the IT to the ICS environment.

The threat actor’s goal, according to CERT-UA, was “the deactivation of several infrastructural elements.”

The ICS malware used in the attack is now known as Industroyer2, and ESET believes it was constructed using the source code of Industroyer, which was used to interrupt electricity in Ukraine in 2016 and was attributed to the state-sponsored Russian hacker outfit Sandworm.

According to CERT-UA and ESET, Sandworm planned to launch the final stage of the attack on Friday, April 8 (at 14:58 UTC) by deploying malware on the following categories of systems.

On Windows computers and automated workstations, CaddyWiper was deployed; it was encrypted, loaded and executed using the ArgeuPatch and Tailjump tools (at 14:58 UTC).

On the high-voltage electrical substations, Industroyer2 was deployed, with each executable containing a unique set of settings for its particular substation targets. Sandworm operators set a timer at 15:02:22 UTC to run the malware at 16:10 UTC and cut power to active network equipment in a Ukrainian region.

On Linux servers, the OrcShred, Soloshred and AwfulShred scripts were deployed (at 14:58 UTC).

At 16:20 UTC the adversary ran CaddyWiper on the same machines to delete Industroyer2's traces.

“The implementation of [Sandworm’s] malicious plan has so far been prevented,” according to CERT-UA, while “Sandworm attackers attempted to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine,” according to ESET in a technical report on the malware used in this attack.

According to ESET researchers, Industroyer2 is highly configurable but carries an extensive hardcoded configuration, so it must be recompiled for each new victim environment.

“However, given that the Industroyer virus family has only been deployed twice, with a five-year gap between each version, this is unlikely to be a problem for Sandworm operators.” – ESET Anti-Virus

According to the researchers, Industroyer2's Portable Executable (PE) timestamp shows that it was built on March 23, implying that the attack was planned at least two weeks in advance.

The PowerGap PowerShell script, which was used to establish a Group Policy that downloads payloads and creates scheduled tasks, and Impacket, which was utilized for remote command execution, were also employed in the assault.

The worm component of this attack, sc.sh, enumerates reachable networks (using ip route or ifconfig) and tries to connect to every available host over SSH (TCP ports 22, 2468, 24687 and 522) using credentials from a list supplied by the adversary.
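The lateral-movement behaviour described above is visible in ordinary connection logs: one source reaching many hosts on SSH ports within seconds, and SSH attempts on ports other than 22. The following is an added example, not code from the article, CERT-UA or ESET. It reads constructed connection records in a Zeek conn.log-like tab-separated layout (the field order, the addresses and the fan-out threshold are assumptions) and reports sources that fan out across the SSH ports the article lists.

```python
"""Flag hosts fanning out SSH connection attempts across a network.

Added example, not code from the article, CERT-UA or ESET. It reads
constructed connection records in a Zeek conn.log-like tab-separated layout
(ts, src_ip, src_port, dst_ip, dst_port, proto) and reports sources that
reach many distinct hosts on the SSH ports the article lists. The field
layout, addresses and fan-out threshold are assumptions.
"""
from collections import defaultdict

# Ports the article names for the worm's SSH attempts.
SSH_PORTS = {22, 2468, 24687, 522}

# Constructed sample records: one host sweeping six neighbours, one normal client.
SAMPLE_LOG = """\
1649428680.1\t10.10.1.5\t50110\t10.10.1.20\t22\ttcp
1649428680.4\t10.10.1.5\t50111\t10.10.1.21\t22\ttcp
1649428680.9\t10.10.1.5\t50112\t10.10.1.22\t2468\ttcp
1649428681.2\t10.10.1.5\t50113\t10.10.1.23\t24687\ttcp
1649428681.8\t10.10.1.5\t50114\t10.10.1.24\t522\ttcp
1649428682.0\t10.10.1.5\t50115\t10.10.1.25\t22\ttcp
1649428690.3\t10.10.2.9\t41000\t10.10.1.20\t22\ttcp
1649428695.7\t10.10.2.9\t41001\t10.10.1.20\t443\ttcp
"""


def parse_record(line: str) -> dict:
    """Split one tab-separated record into typed fields."""
    ts, src, sport, dst, dport, proto = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto}


def iter_records(lines):
    """Yield parsed records, skipping blank and comment lines."""
    for line in lines:
        if line.strip() and not line.startswith("#"):
            yield parse_record(line)


def ssh_fanout(lines, max_targets: int = 3) -> dict:
    """Map each source that contacted more than max_targets distinct hosts on
    an SSH port to the sorted list of those hosts."""
    targets = defaultdict(set)
    for rec in iter_records(lines):
        if rec["proto"] == "tcp" and rec["dport"] in SSH_PORTS:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) > max_targets}


def nonstandard_ssh_ports(lines) -> set:
    """(src, dst, dport) triples for SSH attempts on the non-default ports,
    which are worth alerting on by themselves in most environments."""
    return {(rec["src"], rec["dst"], rec["dport"])
            for rec in iter_records(lines)
            if rec["proto"] == "tcp" and rec["dport"] in SSH_PORTS
            and rec["dport"] != 22}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, dsts in ssh_fanout(lines).items():
        print(f"ALERT {src} reached {len(dsts)} hosts on SSH ports: {', '.join(dsts)}")
    for src, dst, port in sorted(nonstandard_ssh_ports(lines)):
        print(f"NOTE  {src} -> {dst}:{port} non-default SSH port")
```

On the constructed sample the sweep from 10.10.1.5 is reported while the single administrator session from 10.10.2.9 is not. In a real deployment the threshold should be tuned to the environment (jump hosts and configuration-management servers legitimately fan out) and the port list extended with whatever non-default SSH ports the site actually uses, so that the non-default-port check stays meaningful.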

A new version of Industroyer

Industroyer, also known as CrashOverride, was initially sampled and studied in 2017, and according to ESET, it is the “greatest danger to industrial control systems since Stuxnet.”

The new malware employed on a Ukrainian energy provider last week is a development of the original malware used in Ukraine’s 2016 power outage assaults.

Industroyer2 communicates with industrial equipment using only the IEC-104 protocol, whereas the original Industroyer supported several ICS protocols.

It is more configurable than the original strain: settings such as IOAs (information object addresses), timeouts and ASDUs (application service data units) are stored as a string and used when communicating over IEC-104.

The freshly studied sample, according to ESET’s investigation, communicated with eight devices at the same time.

The precise steps Industroyer2 takes after connecting to the relays are still being investigated, but it has been confirmed that it terminates the legitimate processes that industrial equipment runs in normal operation.
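The paragraphs above describe the malware driving substation equipment through IEC-104, addressing it by IOA and ASDU. From a monitoring standpoint the useful point is that IEC-104 control commands are a small, well-defined set of ASDU type identifiers, so a passive sensor on the OT network can decode the frame headers and alert on any control command that does not come from an authorised control station. The following is an added example, not code from the article, ESET or CERT-UA; it decodes the IEC 60870-5-104 APCI/ASDU header layout and flags single, double and regulating-step commands (type IDs 45 to 47) and the station interrogation command (type 100). The APDU byte strings are constructed for illustration and the alert format is an assumption.

```python
"""Passive IEC 60870-5-104 frame decoding with alerts on control commands.

Added example, not code from the article, ESET or CERT-UA. It decodes the
APCI/ASDU header layout of IEC-104 and flags control-direction ASDUs
(single, double and regulating-step commands, type IDs 45-47) and the
station interrogation command (type 100). The APDU byte strings below are
constructed for illustration and the alert format is an assumption.
"""
import struct

# Type identifiers a monitor should log against an allow-list of
# authorised control stations (subset of the IEC 60870-5-101/104 tables).
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    100: "C_IC_NA_1 interrogation command",
}
COT_NAMES = {3: "spontaneous", 6: "activation", 7: "activation confirmation",
             8: "deactivation", 20: "interrogated by station"}


def parse_apdu(data: bytes) -> dict:
    """Decode one APDU: 0x68, length, 4 control octets, then the ASDU."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC-104 APDU")
    if data[1] + 2 != len(data):
        raise ValueError("APDU length field does not match frame size")
    ctrl = data[2:6]
    # Control field format: I (bit0 == 0), S (low bits 01), U (low bits 11).
    if ctrl[0] & 0x01 == 0:
        fmt = "I"
    elif ctrl[0] & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    frame = {"format": fmt}
    if fmt != "I":
        return frame  # S and U frames carry no ASDU
    frame["send_seq"] = (ctrl[0] >> 1) | (ctrl[1] << 7)
    frame["recv_seq"] = (ctrl[2] >> 1) | (ctrl[3] << 7)
    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq = asdu[0], asdu[1]
    cot_raw, common_address = struct.unpack_from("<HH", asdu, 2)
    frame.update({
        "type_id": type_id,
        "sq": bool(vsq & 0x80),          # sequence-of-objects flag
        "num_objects": vsq & 0x7F,
        "cot": cot_raw & 0x3F,           # cause of transmission
        "negative": bool(cot_raw & 0x40),
        "test": bool(cot_raw & 0x80),
        "common_address": common_address,
    })
    if len(asdu) >= 9:  # first information object address, 3 bytes little-endian
        frame["ioa"] = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    if type_id == 45 and len(asdu) >= 10:      # SCO: bit0 state, bit7 select/execute
        sco = asdu[9]
        frame["command"] = {"state": "ON" if sco & 0x01 else "OFF",
                            "select": bool(sco & 0x80)}
    elif type_id == 46 and len(asdu) >= 10:    # DCO: bits0-1 state, bit7 select/execute
        dco = asdu[9]
        frame["command"] = {"state": {1: "OFF", 2: "ON"}.get(dco & 0x03, "invalid"),
                            "select": bool(dco & 0x80)}
    return frame


def is_control_command(frame: dict) -> bool:
    """True for I-frames whose ASDU type is in the control-direction set."""
    return frame.get("format") == "I" and frame.get("type_id") in CONTROL_TYPES


def control_alerts(apdus) -> list:
    """Return one alert line per control-direction ASDU in the captured APDUs."""
    alerts = []
    for raw in apdus:
        frame = parse_apdu(raw)
        if not is_control_command(frame):
            continue
        cot = COT_NAMES.get(frame["cot"], str(frame["cot"]))
        line = (f"{CONTROL_TYPES[frame['type_id']]}: CA={frame['common_address']} "
                f"IOA={frame.get('ioa')} COT={cot}")
        if "command" in frame:
            line += f" {frame['command']['state']}"
            line += " (select)" if frame["command"]["select"] else " (execute)"
        alerts.append(line)
    return alerts


# Constructed frames (not captured traffic):
SINGLE_COMMAND = bytes.fromhex("680e000000002d010600010005040001")  # C_SC_NA_1 ON, execute, IOA 1029
INTERROGATION = bytes.fromhex("680e0200000064010600010000000014")   # C_IC_NA_1, QOI 20
MEASUREMENT = bytes.fromhex("680e0000000001010300010005040001")     # M_SP_NA_1 spontaneous
S_FRAME = bytes.fromhex("680401000200")                             # supervisory acknowledgement

if __name__ == "__main__":
    for alert in control_alerts([SINGLE_COMMAND, INTERROGATION, MEASUREMENT, S_FRAME]):
        print(alert)
```

The decoder deliberately stops at the first information object; for alerting, the type identifier, cause of transmission, common address and first IOA are enough to compare a command against the list of IOAs a given control station is allowed to operate. A full-fidelity parser would also walk the remaining objects (respecting the SQ flag) and track sequence numbers per connection, which is where a mismatched IOA set such as the one hardcoded in Industroyer2 would stand out against the engineering baseline.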

Sandworm activity in the recent past

The attack on Friday appears to have run in parallel with another Sandworm operation, the Cyclops Blink botnet, which targeted WatchGuard firewall appliances and ASUS routers.

Due to coordinated operations by American law enforcement and cyber-intelligence organizations, the botnet was substantially crippled last week.

The first compromise was noticed by CERT-UA in February 2022, and two distinct attack waves were identified against the target company, resulting in several substation disconnections.

This coincided with Sandworm’s concurrent operation, which was the creation of the Cyclops Blink botnet, which targeted WatchGuard firewall appliances and later ASUS routers.

ANSSI, France's national cyber-security agency, blames Sandworm for a campaign that began in 2017 and targeted French IT providers running an outdated version of the Centreon network and system monitoring tool.

Sandworm is a well-known cyber-espionage threat group linked to the Russian Military Unit 74455 of the Main Intelligence Directorate (GRU).

To help prevent further attacks by this threat actor, CERT-UA has published indicators of compromise (YARA rules, file hashes, hosts and network indicators).
