The Computer Emergency Response Team of Ukraine (CERT-UA) has disrupted an attempt by Sandworm, a hacking group known to work for Russia’s military intelligence, to take down a Ukrainian energy provider.
The Russia-backed hacking group attempted to disconnect the unnamed provider’s electrical substations using a new version of the infamous Industroyer malware, CERT-UA said in a security advisory on Tuesday. Industroyer was used by the Sandworm APT group to cut power in Ukraine in 2016, which left hundreds of thousands of customers without electricity two days before Christmas.
Researchers at cybersecurity company ESET, which collaborated with CERT-UA to analyze and remediate the attack, said they assess “with high confidence” that the industrial control system (ICS) malware was built using the source code of the malware deployed in 2016, which it branded at the time as “the biggest threat to industrial control systems since Stuxnet“.
The new variant, dubbed “Industroyer2” by the researchers, was deployed by the hackers in an attempt to cause damage to high-voltage power substations. It was used alongside CaddyWiper — destructive wiper malware first observed targeting a Ukrainian bank in March — which was planted on systems running Windows in an attempt to erase traces of the attack. The attackers also targeted the organization’s Linux servers using other variants of wiper malware dubbed Orcshred, Soloshred and Awfulshred.
The attackers breached the energy provider’s network “no later than February 22,” according to the security advisory, and had planned to cut power in a Ukrainian region on April 8. However, CERT-UA says that “the implementation of [Sandworm’s] malicious plan has so far been prevented.” ESET said that it does not yet know how attackers compromised the victim, nor how they moved from the IT network to the ICS network.
“Ukraine is once again at the center of cyberattacks targeting its critical infrastructure (KRITIS). This new Industroyer campaign follows multiple waves of wipers targeting various sectors in Ukraine,” ESET said in its technical analysis of the attack. “We will continue to monitor the threat landscape to protect organizations from these types of destructive attacks.”
This successful disruption comes just days after the FBI disclosed that it carried out an operation in March to target a massive Sandworm-linked botnet control that targeted Asus and WatchGuard devices. The botnet, named Cyclops Blink, is believed to be the successor to VPNFilter, which infected thousands of home and small business routers and network devices worldwide.
The Sandworm hacking group has also been linked to the recent cyberattack targeting U.S. satellite communications provider Viasat, which triggered satellite service outages across central and eastern Europe.