Russian hackers intended to shut down Ukrainian electrical substations using Industroyer2 malware

The CERT-UA Ukrainian Computer Emergency Response Team has taken a number of immediate steps to respond to an attempted cyberattack on a critical infrastructure facility using the Industroyer2 malware.

According to experts from CERT-UA and the security company ESET that helped to repel and analyse the attack, the attackers intended to disable power substations using Industroyer2 malware. According to them, the malicious actions were scheduled for April 8, 2022, but judging by the date the files were compiled, the attack was being prepared at least two weeks before that date.

According to ESET, malware called Industroyer was used to cut power in Kyiv in December 2016. The previous version of Industroyer was able to interface with industrial control systems commonly used in electrical systems such as IEC-101, IEC-104, IEC 61850 and OPC DA.

ESET also linked this attack attempt to Russian government hackers:

To attack computers, servers, and automated process control systems running Windows, the attackers planned to use the destructive malware (wiper) CaddyWiper, designed to delete all data from infected systems. As SecurityLab previously reported, CaddyWiper is one of four detected wipers used in attacks on Ukraine since the beginning of this year.

Servers running Linux, the hackers intended to attack using malicious destructor scripts ORCSHRED, SOLOSHRED and AWFULSHRED.

Let me remind you that we also wrote about US authorities imposing sanctions on a Russian institution associated with Triton malware.