Cyber attackers have used a new type of malware that attempted to stop an energy facility in Ukraine. According to the Governmental Computer Emergency Response Team of Ukraine (CERT-UA), “urgent measures” were taken when malicious hackers launched a malware attack with the intention to disconnect and decommission industrial equipment managing high-voltage electrical substations.
CERT-UA said that an attack aimed at decommissioning infrastructure had been planned for Friday, April 8th. However, it was thwarted. According to cybersecurity specialists at ESET, who assisted CERT-UA in repelling the attack, the effort has been attributed to the hacker organization Sandworm.
Sandworm and its earlier campaigns have previously been attributed to the GRU (part of the Russian military) by cybersecurity agencies such as the Cybersecurity and Infrastructure Security Agency (CISA), the UK National Cyber Security Centre (NCSC), and the National Security Agency (NSA).
The cyberattack employs a modified variant of Industroyer, a malware family used in earlier Sandworm efforts, including the 2015 power outage in Ukraine. An examination of the Industroyer2 footprint, which is tailored to industrial control environments, reveals that an attack on the power systems had been planned for weeks.
It is still unclear how the targeted power station was initially compromised or how the attackers moved laterally from the IT network to the Industrial Control System (ICS) network. According to CERT-UA, the attackers initially gained access to the network in February 2022.
In addition to Industroyer evidence on the network, the attackers installed a new version of the CaddyWiper malware. Researchers think this was deployed to delay the energy company’s recovery from the intended attack by preventing it from regaining control of the ICS consoles. CaddyWiper was also installed on the system infected with Industroyer2, most likely in an attempt to cover up evidence of the attack.
“Ukraine is once again at the center of cyberattacks targeting their critical infrastructure. This new Industroyer campaign follows multiple waves of wipers that have been targeting various sectors in Ukraine,” said ESET researchers.
Cybersecurity experts discovered various types of malware employed in cyber-attacks on Ukrainian organizations before and during Russia’s attack on Ukraine.