Russian hackers intended to shut down Ukrainian electrical substations using Industroyer2 malware

CERT-UA, the Computer Emergency Response Team of Ukraine, has taken a number of immediate steps in response to an attempted cyberattack on a critical infrastructure facility using the Industroyer2 malware.

The purpose of the attack was to disable high-voltage electrical substations, computers, servers, network equipment and process control systems of the Ukrainian electric power company.

According to experts from CERT-UA and the security company ESET, who helped repel and analyse the attack, the attackers intended to disable power substations using the Industroyer2 malware. The malicious actions were scheduled for April 8, 2022, but judging by the compilation dates of the files, the attack had been in preparation for at least two weeks before that date.

"In a new attack, cybercriminals attempted to deploy Industroyer2 malware at high-voltage electrical substations in Ukraine. In addition to Industroyer2, the Sandworm group used several families of data-destroying malware, including CaddyWiper, in the attack," ESET said.

According to ESET, the original Industroyer malware was used to cut power in Kyiv in December 2016. That earlier version could speak directly to industrial control systems over protocols commonly used in the electric power sector, namely IEC-101, IEC-104, IEC 61850 and OPC DA.
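Since IEC-104 is one of the grid protocols the article names, the following added example (not code from the article, CERT-UA or ESET) shows what a defender's network sensor has to do with it: parse an IEC 60870-5-104 APDU and flag control-direction commands, the message class an attacker must send to trip a breaker. The frame layout follows the public IEC-104 specification; the sample bytes and the `is_control_command` policy are constructed for illustration and say nothing about Industroyer2's own traffic.

```python
# Added example: minimal IEC 60870-5-104 APDU parser plus a detection rule
# that alerts on process control commands being activated. Sample bytes are
# constructed; the frame layout follows the public IEC-104 standard.
import struct

# Type identifiers of control-direction ASDUs (single/double/regulating
# step commands and set points, with and without time tag).
CONTROL_TYPES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1",
                 48: "C_SE_NA_1", 49: "C_SE_NB_1", 50: "C_SE_NC_1",
                 58: "C_SC_TA_1", 59: "C_DC_TA_1", 60: "C_RC_TA_1"}
COT_ACTIVATION = 6  # cause of transmission: activation


def parse_apdu(data: bytes) -> dict:
    """Parse one APDU: the 6-byte APCI header, then the ASDU for I-format frames."""
    if len(data) < 6 or data[0] != 0x68 or data[1] != len(data) - 2:
        raise ValueError("not a well-formed IEC-104 APDU")
    c1, c2, c3, c4 = data[2:6]
    if c1 & 0x01:                      # S- or U-format: supervisory only, no ASDU
        return {"format": "U" if c1 & 0x02 else "S"}
    asdu = data[6:]
    type_id, vsq, cot_lo, _orig, ca = struct.unpack("<BBBBH", asdu[:6])
    frame = {"format": "I",
             "send_seq": (c1 >> 1) | (c2 << 7),
             "recv_seq": (c3 >> 1) | (c4 << 7),
             "type_id": type_id, "count": vsq & 0x7F,
             "cot": cot_lo & 0x3F, "negative": bool(cot_lo & 0x40),
             "common_addr": ca, "objects": []}
    body = asdu[6:]
    if type_id in (45, 46):            # single/double command: 3-byte IOA + 1-byte SCO/DCO
        for i in range(frame["count"]):
            ioa = int.from_bytes(body[i * 4:i * 4 + 3], "little")
            q = body[i * 4 + 3]
            state = q & 0x01 if type_id == 45 else q & 0x03   # 0/1 = off/on (SCO), 1/2 = off/on (DCO)
            frame["objects"].append({"ioa": ioa, "state": state,
                                     "select": bool(q & 0x80)})  # S/E bit: select vs execute
    return frame


def is_control_command(frame: dict) -> bool:
    """True when an I-format frame activates a control command (a sensor should alert)."""
    return (frame.get("format") == "I" and frame.get("type_id") in CONTROL_TYPES
            and frame.get("cot") == COT_ACTIVATION)


# Constructed sample: I-format APDU, C_SC_NA_1 (type 45), COT 6 (activation),
# common address 1, one object at IOA 0x1234 carrying single command OFF / execute.
SAMPLE_OFF_CMD = bytes([0x68, 0x0E, 0x02, 0x00, 0x04, 0x00,   # APCI: send seq 1, recv seq 2
                        0x2D, 0x01, 0x06, 0x00, 0x01, 0x00,   # type 45, 1 object, COT 6, CA 1
                        0x34, 0x12, 0x00, 0x00])              # IOA 0x1234, SCO = off, execute
```

A passive sensor mirroring TCP port 2404 could feed each APDU through `parse_apdu` and raise an alert whenever `is_control_command` fires from a host that is not the site's known SCADA master.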

ESET also linked this attack attempt to Russian government hackers:

At that time, we said that “it seems very unlikely anyone could write and test such malware without access to the specialized equipment used in the specific, targeted industrial environment”. This was confirmed in 2020 by the United States government when six officers of the Russian Military Unit 74455 of the Main Intelligence Directorate (GRU), were indicted for their role in multiple cyberattacks including Industroyer and NotPetya – see the indictment on and our historical overview of Sandworm’s operations.

The recently discovered malware is a new variant of Industroyer, which is why it was dubbed Industroyer2.

To attack computers, servers and automated process control systems running Windows, the attackers planned to use the destructive wiper malware CaddyWiper, which is designed to delete all data from infected systems. As SecurityLab previously reported, CaddyWiper is one of four wipers detected in attacks on Ukraine since the beginning of this year.

The hackers intended to attack servers running Linux with the destructive scripts ORCSHRED, SOLOSHRED and AWFULSHRED.

"It is known that the victim organization was subjected to two waves of attacks. The initial compromise occurred no later than February 2022. Shutdown of electrical substations and disruption of the infrastructure of the enterprise was scheduled for the evening of Friday, April 8, 2022. However, the implementation of the malicious plan has been prevented so far," CERT-UA reported.

As a reminder, we also wrote about US authorities imposing sanctions on a Russian institution associated with the Triton malware.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
