Ukraine's Governmental Computer Emergency Response Team (CERT-UA) has announced that Russia's state-backed threat group Sandworm launched two waves of cyber attacks against an unnamed Ukrainian energy facility.
The attackers tried to disable several components of the facility's infrastructure spanning both IT and operational technology, including high-voltage substations, Windows computers, Linux servers, and network equipment.
CERT-UA said that the initial compromise took place no later than February 2022, although it did not specify how the compromise occurred. Disconnection of electrical substations and decommissioning of the company's infrastructure were scheduled for Friday evening, April 8, 2022, but "the implementation of the malicious plan" was prevented.
The Ukrainian team received help from both Microsoft and ESET in deflecting any significant fallout from the attacks. ESET issued a report presenting its analysis of the attacks, saying its collaboration with CERT-UA resulted in its discovery of a new variant of Industroyer malware, the same malware that the Sandworm group used to take down the power grid in Ukraine in 2016.
Industroyer2 malware strikes both IT and OT systems
Industroyer2, as ESET and CERT-UA call it, was deployed as a single Windows executable named 108_100.exe and executed using a scheduled task on 2022-04-08 at 16:10:00 UTC.
However, the PE timestamp shows it was compiled on 2022-03-23, indicating that the attack had been in preparation for more than two weeks. Unlike the original Industroyer, which carried payloads for several ICS protocols, Industroyer2 implements only one, IEC-104 (IEC 60870-5-104), to communicate with industrial equipment.
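The timeline reasoning above (a compile time read from the PE header set against the scheduled-task execution time) is a check an analyst can script. The following is an added example, not code from ESET or CERT-UA: it reads the COFF TimeDateStamp out of a PE image, computes the lead time to a given execution time, and rejects timestamps that cannot carry a timeline (a zero linker default, or a value later than the observed execution, which points to time-stomping). The PE header bytes are constructed for the example and are not taken from the 108_100.exe sample; the execution time is the one ESET reported.

```python
import struct
from datetime import datetime, timedelta, timezone


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF header TimeDateStamp of a PE image as an aware UTC datetime.

    Layout: 'MZ' DOS header, e_lfanew (uint32 at 0x3C) points at the 'PE\\0\\0'
    signature, followed by IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2)
    TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4) ...
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def lead_time(compiled: datetime, executed: datetime) -> timedelta:
    """How long before execution the binary was (apparently) built."""
    return executed - compiled


def timestamp_is_plausible(compiled: datetime, executed: datetime) -> bool:
    """A TimeDateStamp of 0 (epoch) is a linker default and one later than the
    observed execution has been stomped; neither should anchor a timeline."""
    return compiled.timestamp() != 0 and compiled <= executed


def build_fake_pe(ts: int) -> bytes:
    """Constructed minimal DOS stub plus COFF header for this example; not a real sample."""
    e_lfanew = 0x80
    hdr = bytearray(e_lfanew)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    # Machine=0x14C (i386), 1 section, TimeDateStamp=ts, no symbols,
    # SizeOfOptionalHeader=0xE0, Characteristics=0x0102 (executable, 32-bit)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0xE0, 0x0102)
    return bytes(hdr) + coff


# Execution time of the scheduled task as reported by ESET; compile date constructed
# to match the PE timestamp the report gives (2022-03-23, time of day assumed 00:00 UTC).
EXECUTED = datetime(2022, 4, 8, 16, 10, tzinfo=timezone.utc)
SAMPLE_PE = build_fake_pe(int(datetime(2022, 3, 23, tzinfo=timezone.utc).timestamp()))

if __name__ == "__main__":
    compiled = pe_compile_time(SAMPLE_PE)
    print("compiled:", compiled.isoformat())
    print("lead time:", lead_time(compiled, EXECUTED))
    print("plausible:", timestamp_is_plausible(compiled, EXECUTED))
```

The plausibility check is the caveat a practitioner should keep in mind here: a PE timestamp is attacker-controlled metadata, so it supports a timeline only when it agrees with independent evidence such as scheduled-task creation times, file-system timestamps or EDR telemetry.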
ESET says that Industroyer2 can communicate with multiple devices simultaneously, with the analysed sample containing eight different IP addresses of devices.
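To make concrete what "communicating with devices over IEC-104" looks like on the wire, and what a defender can watch for on the ICS network, here is an added example (not ESET's or CERT-UA's code, and not derived from the 108_100.exe sample). It splits a TCP payload into IEC 60870-5-104 APDUs, decodes the single-command (C_SC_NA_1, type 45) and double-command (C_DC_NA_1, type 46) ASDUs with which a master selects and then executes a breaker switch, and flags activation commands coming from a host that is not a known SCADA master. The frames, the information object address, and the IP addresses are constructed for the example; which command types Industroyer2 itself issues is not stated on this page.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Set

# ASDU type identifications for switching commands (IEC 60870-5-101/-104).
C_SC_NA_1 = 45  # single command: SCO byte = S/E (bit 7) | QU (bits 1-6) | SCS (bit 0)
C_DC_NA_1 = 46  # double command: DCO byte = S/E (bit 7) | QU (bits 2-6) | DCS (bits 0-1)
CONTROL_TYPES = {C_SC_NA_1: "C_SC_NA_1", C_DC_NA_1: "C_DC_NA_1"}
COT_ACTIVATION = 6  # cause of transmission "activation": the master is commanding


@dataclass
class Command:
    src: str          # IP of the host that sent the APDU
    name: str         # ASDU type name
    cot: int          # cause of transmission (low 6 bits of the COT byte)
    common_addr: int  # common address of ASDU (the station / RTU)
    ioa: int          # information object address (the breaker or point)
    select: bool      # True = select phase, False = execute phase
    state: str        # "ON", "OFF" or "INVALID"


def iter_apdus(stream: bytes) -> Iterator[bytes]:
    """Split a TCP payload into APDUs: 0x68, length, then `length` bytes (4 APCI control + ASDU)."""
    i = 0
    while i < len(stream):
        if i + 2 > len(stream) or stream[i] != 0x68:
            raise ValueError(f"bad start byte or truncated APCI at offset {i}")
        length = stream[i + 1]
        frame = stream[i + 2 : i + 2 + length]
        if len(frame) != length:
            raise ValueError(f"truncated APDU at offset {i}")
        yield frame
        i += 2 + length


def parse_commands(src: str, stream: bytes) -> List[Command]:
    """Decode every single/double command carried in I-format APDUs of `stream`."""
    cmds: List[Command] = []
    for frame in iter_apdus(stream):
        ctrl, asdu = frame[:4], frame[4:]
        if ctrl[0] & 0x01:      # S-format (bits xxxxxx01) or U-format (xxxxxx11): no ASDU
            continue
        if len(asdu) < 6:       # type, VSQ, COT, originator, 2-byte common address
            continue
        type_id, vsq, cot_byte, _originator, common = struct.unpack_from("<BBBBH", asdu, 0)
        if type_id not in CONTROL_TYPES:
            continue
        n_objects = vsq & 0x7F  # each command object = 3-byte IOA + 1-byte qualifier
        pos = 6
        for _ in range(n_objects):
            ioa = int.from_bytes(asdu[pos : pos + 3], "little")
            qual = asdu[pos + 3]
            pos += 4
            if type_id == C_SC_NA_1:
                state = "ON" if qual & 0x01 else "OFF"
            else:
                state = {1: "OFF", 2: "ON"}.get(qual & 0x03, "INVALID")
            cmds.append(Command(src, CONTROL_TYPES[type_id], cot_byte & 0x3F,
                                common, ioa, bool(qual & 0x80), state))
    return cmds


def unexpected_activations(cmds: List[Command], allowed_masters: Set[str]) -> List[Command]:
    """Commands with COT=activation sent by a host that is not a known SCADA master."""
    return [c for c in cmds if c.cot == COT_ACTIVATION and c.src not in allowed_masters]


# Constructed capture (not from a real incident): STARTDT act, then select and execute
# OFF on IOA 0x1234 of common address 1, as a master would do to open one breaker.
SAMPLE_STREAM = bytes.fromhex(
    "6804" "07000000"                                     # U-format STARTDT act, skipped
    "680e" "00000000" "2d01" "0600" "0100" "341200" "80"  # C_SC_NA_1, COT=6, select, SCS=0 (OFF)
    "680e" "02000000" "2d01" "0600" "0100" "341200" "00"  # C_SC_NA_1, COT=6, execute, OFF
)
KNOWN_MASTERS = {"10.0.0.10"}  # assumed address of the legitimate HMI/SCADA server

if __name__ == "__main__":
    for c in unexpected_activations(parse_commands("10.0.0.50", SAMPLE_STREAM), KNOWN_MASTERS):
        phase = "SELECT" if c.select else "EXECUTE"
        print(f"ALERT {c.src} -> CA {c.common_addr} IOA {c.ioa}: {c.name} {phase} {c.state}")
```

The allow-list check is the cheap detection this class of attack invites: IEC-104 has no authentication, so any host that can reach the RTUs on the IEC-104 port can issue valid commands, and the only distinguishing feature of a malicious select/execute is the address it comes from and the fact that the operators did not ask for it.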
The attackers deployed Industroyer2 on the ICS network at the same time as a new version of the CaddyWiper destructive malware, conceivably to slow down recovery and prevent the energy company's operators from regaining control of the ICS consoles.
ESET first discovered CaddyWiper in Ukraine on March 14, when it was deployed on a bank's network. On the targeted energy company's network, ESET also found destructive malware for Linux and Solaris, named ORCSHRED, SOLOSHRED, and AWFULSHRED.
Andrii Bezverkhyi, CEO and founder of SOC Prime, is a Ukrainian who has been in Ukraine since the war began, along with a team of 15 people, offering pro bono cyber security help to organisations.
The big difference between Industroyer and Industroyer2 is that "the capabilities have matured now. So instead of playing around on one of the ICS systems, they're striking it for levels," Bezverkhyi tells CSO. "The industrial control level systems themselves, the Windows machines, and the network equipment."
The striking similarities between the earlier and later Ukraine attacks leave Russia virtually no room to deflect, deny or obfuscate its role as the attacker, as it has attempted to do in many other cyber incidents. "I think they don't care at all because Russia is already attacking Ukraine on the ground and in the sky," Bezverkhyi says. "What can we do to them if they attack it in cyber space?"
Earlier TLP alert said nine substations were switched off
Although CERT-UA's official statement implied that the Sandworm attacks were unsuccessful, an earlier TLP Amber alert issued by CERT-UA to international partners suggested that at least two attacks were "successful" even though the malicious cyber activity was thwarted.
In addition, that alert said the attackers were able to temporarily switch off nine power grid substations in one of the regions.
It doesn't matter, Bezverkhyi says. "Nobody said that there was a power outage, including some colleagues who were today, this morning, in Kyiv. They said power was there. Nine substations could be significant or not. It could be that if they were in small villages, we would not have big media noise about it."
Whether Sandworm actually knocked out nine substations is a moot point for now, Chris Sistrunk, a technical manager in Mandiant's ICS/OT Consulting practice, tells CSO, because analysing this kind of situation takes a while and early information may be incorrect.
More importantly, though, “they're actually in a real hot war," Sistrunk says. "[The Russian soldiers] are rolling up to the nuclear plants and shooting the buildings there. They're tearing down transmission lines.
"I still think it's like a fog of war where you don't really know, and we've got to wait for that analysis," Sistrunk says. "Were nine substations hit, or were they not? It doesn't matter because some of them right now are being destroyed physically with bombs."
Ukraine has built up its cyber defences
"These guys in the trenches defending the Ukrainian power grid are listening to bombs and missiles and bullets outside of their building while they're defending," Chris Grove, cyber strategist at Nozomi Networks, tells CSO. "They know if the grid goes down that they lose the war, the hospitals won't have power, etc. So, they're very focused."
Since the earlier cyber attacks on the Ukrainian power grid, many companies have invested time to help Ukraine build up its cyber defence.
"This attack being stopped in its tracks so early, before it could do any damage, is some of the fruit from those efforts," Grove says. "I believe that this could have been much worse, and we could have seen a 2016-type event where we had mass outages or the defenders didn't fully understand what was going on."
Grove thinks that power companies should be on alert for an Industroyer2 attack because the malware's modularity makes "it easy to plug in another protocol if that's not a direct match. So, it's definitely something that could be easily changed to work on other systems."