Russian Hackers Used Industroyer2 Malware to Attack Ukraine's Power Grid

Hacking group Sandworm, which is linked to Russia's military intelligence, attempted to disrupt the operations of an unnamed energy provider in Ukraine on Tuesday, according to the Computer Emergency Response Team of Ukraine (CERT-UA).

An attempt was made by attackers to take down various components of the target's infrastructure, including electrical substations, Windows-operated computers, Linux-operated server equipment, and active network equipment, according to a statement from Ukraine's State Service for Special Communications and Information Protection (SSSCIP).

Investigators found that ICS-capable malware and regular disk wipers were used in the attack, with the adversary unleashing an updated variant of the Industroyer malware that was used against Ukraine's power grid in 2016. Slovak cybersecurity firm ESET worked with CERT-UA on the investigation.

The Industroyer2 malware was allegedly used by Sandworm attackers to target Ukraine's high-voltage electrical substations. CaddyWiper, OrcShred, SoloShred, and AwfulShred were all used by Sandworm in addition to Industroyer2.

Initial intrusion occurred in February 2022, coinciding with Russia's invasion of Ukraine; a follow-up infiltration occurred in April that allowed the attackers to upload Industroyer2 into their victim's power grid network.

Industroyer, also known as "CrashOverride," has been called the "biggest threat to industrial control systems since Stuxnet" because it is both modular and capable of directly controlling switches and circuit breakers at an electricity distribution substation.

Using the industrial communication protocol IEC-104 (IEC 60870-5-104), the new version of this sophisticated and highly customizable malware takes control of industrial equipment such as the protection relays used in electrical substations.
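Because the article reports that Industroyer2 drives substation equipment over IEC-104, a defender monitoring that link wants to see which frames carry control commands. The following parser is an added example, not code from ESET, CERT-UA or the malware: it decodes the IEC 60870-5-104 APDU framing (I/S/U formats, ASDU header, first information object) and flags the standard single, double and regulating-step command type IDs when sent with an activation or deactivation cause of transmission; the sample APDUs are constructed, not captured traffic.

```python
import struct

# Constructed IEC 60870-5-104 APDUs (hypothetical, not a real capture).
SAMPLE_APDUS = [
    bytes.fromhex("680407000000"),                      # U-format: STARTDT act
    bytes.fromhex("680e000000002d010600010034120001"),  # I-format: C_SC_NA_1, ON
    bytes.fromhex("680e0200000064010600010000000014"),  # I-format: C_IC_NA_1 (station interrogation)
    bytes.fromhex("680401000200"),                      # S-format: receive-sequence ack
]

# Command type identifiers from IEC 60870-5-101/104 (without / with CP56Time2a tag).
CONTROL_TYPES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1",
                 58: "C_SC_TA_1", 59: "C_DC_TA_1", 60: "C_RC_TA_1"}
COT_ACTIVATION, COT_DEACTIVATION = 6, 8

def parse_apdu(raw):
    """Decode one APDU: start byte 0x68, length, 4 control bytes, optional ASDU."""
    if len(raw) < 6 or raw[0] != 0x68 or raw[1] != len(raw) - 2:
        raise ValueError("malformed APDU")
    c1, c2, c3, c4 = raw[2:6]
    if c1 & 0x01 == 0:
        fmt = "I"          # information transfer, carries an ASDU
    elif c1 & 0x03 == 0x01:
        fmt = "S"          # supervisory (sequence acknowledgement)
    else:
        fmt = "U"          # unnumbered control (STARTDT/STOPDT/TESTFR)
    apdu = {"format": fmt}
    if fmt == "I":
        apdu["tx"], apdu["rx"] = (c1 | c2 << 8) >> 1, (c3 | c4 << 8) >> 1
        asdu = raw[6:]
        type_id, vsq, cot, _orig, ca = struct.unpack("<BBBBH", asdu[:6])
        apdu.update(type_id=type_id, count=vsq & 0x7F, cot=cot & 0x3F,
                    common_addr=ca, ioa=int.from_bytes(asdu[6:9], "little"),
                    element=asdu[9:])
    return apdu

def control_alerts(apdus):
    """Return one alert per frame that (de)activates a switching command."""
    alerts = []
    for raw in apdus:
        a = parse_apdu(raw)
        if a["format"] != "I" or a["type_id"] not in CONTROL_TYPES:
            continue
        if a["cot"] in (COT_ACTIVATION, COT_DEACTIVATION):
            qualifier = a["element"][0]   # SCO/DCO/RCO byte: S/E in bit 7, state in bits 0-1
            alerts.append({"type": CONTROL_TYPES[a["type_id"]], "ioa": a["ioa"],
                           "common_addr": a["common_addr"], "cot": a["cot"],
                           "select": bool(qualifier & 0x80), "state": qualifier & 0x03})
    return alerts
```

Alerts from a real deployment would be correlated with the sending host and the operator's change schedule; a command from an engineering workstation outside a maintenance window is the signal worth escalating.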

Forensic analysis of Industroyer2's artifacts, which date to March 23, 2022, revealed that the attack had been planned for at least two weeks. While the exact method by which the intruders moved from the IT network to the ICS network remains unknown, it is clear that a power facility was breached.

As reported by ESET, the planned attack on the company's infrastructure on April 8, 2022 had been thwarted. A data wiper called CaddyWiper was scheduled to be run on the same machine 10 minutes later to remove all traces of the Industroyer2 malware.

Alongside CaddyWiper and Industroyer2, the energy provider's network is also said to have been infected by OrcShred, which was then used to spread two different wipers aimed at Linux and Solaris systems, AwfulShred and SoloShred.

Cyclops Blink, an advanced modular botnet controlled by Sandworm, was disrupted in a court-authorized takedown operation last week.

Armageddon, another Russia-based group with ties to the Federal Security Service (FSB), has been conducting spear-phishing attacks against Ukrainian targets since at least 2013, according to CERT-UA.

"Ukraine is once again at the center of cyberattacks targeting their critical infrastructure," ESET said. There had been multiple waves of wipers targeting various sectors in Ukraine before the launch of this new Industroyer campaign.
