Russian-backed Group Attempts to Compromise Ukrainian Power Grid Using Industroyer2 Malware

As part of their ongoing military assault against neighboring Ukraine, Russian-backed hacker group Sandworm launched a series of cyber attacks that threaten the critical infrastructure of the beleaguered country. 

According to Slovak internet security company ESET, on April 8th, 2022 attackers attempted but failed to compromise the Kyiv electric grid using an updated version of the Industroyer malware which was used to attack Ukraine previously, in 2016. 

The First Industroyer Attack 

Industroyer first garnered attention in December, 2016 when attackers using the malware succeeded in cutting off power to a fifth of Kyiv, the Ukrainian capital city, for over an hour. 

Researchers at the time believed the incident was a preliminary test carried out by threat actors who were preparing to launch a much larger scale cyber attack. Industroyer was believed to be the first ever malware specifically designed to target a nation’s electrical grid. Researchers warned that it displayed very high-level technical knowledge of the workings of ICS protocols. The hacker group's method of attack was to penetrate deep into the network and gain direct control of switches in electrical substations. The 2016 attack was also carried out by the Sandworm group. 

 

Assessing The Industroyer2 Attack

According to a report issued by ESET and UA-CERT, on April 8th, 2022 threat actors succeeded in breaching the Ukrainian power distribution grid once again. However they failed in their ultimate goal to halt electricity distribution,  wipe/destroy all accessible computers, and delete all traces of the attack. This second goal, if successful, would have lengthened recovery time considerably.

Industroyer2, which shares source code with the original Industoyer, is a windows malware containing IEC-104 commands that aim to disrupt high-voltage electricity.

It was deployed under the file name 108_100.exe and contains hard coded IP addresses of the Ukrainians plant. This indicates the attack had been planned in advance.

Also, the binary was compiled two weeks prior to the attack, which means the attack was preceded by  a reconnaissance stage. It was intended to be launched via a scheduled task on April 8, 2022 at 4:10 pm local time. A second task scheduled for 4:20 pm would have wiped the attacking device and erased all traces of the malware. 

In addition to the Industoyer2 malware, researchers also found evidence of a new wiper variant, CaddyWiper. This aimed to encrypt ICS consoles, and slow down the plant’s recovery. CaddyWiper was intended to be spread via Group Policy, in order to wipe as many devices as possible.

There was a second wiper targeting Linux/Solaris hosts. In this case, a worm-style bash script sc.sh was written to iterate all accessible network devices via SSH via pre-supplied credentials. This would then, in turn, spread to other devices via the same techniques, and finally wipe all host’s data. There are two versions of the wiper, one for Solaris and the other for Linux based systems.

Read More: The Russia-Ukraine Conflict From An  Industrial Cybersecurity Perspective

The Aftermath Of The Industroyer2 Attack

While researchers have not yet determined the exact reason why Industroyer2 failed to complete its mission, they have made it clear that there is no immediate danger from the malware. The same exact build of Industroyer2 cannot be used against electricity plants other than the one it originally targeted, as it contains hard coded IP addresses, and uses only the IEC-104 protocol. 

Following the Industroyer2 attack, US government agencies CISA, DOE, the NSA and the FBI issued a joint Cybersecurity Advisory warning that “certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including

  • Schneider Electric programmable logic controllers (PLCs),
  • OMRON Sysmac NEX PLCs, and
  • Open Platform Communications Unified Architecture (OPC UA) servers."

This is a developing story, and this blog will be updated as new information becomes available.

How The SCADAfence Platform Protects Critical Infrastructure

The SCADAfence platform protects against the TTPs used by Industroyer2. 

A malware attack such as the one launched on April 8th, would have triggered a variety of critical alerts on the SCADAfence Platform. 

  • Affected machines with the wiper worm would trigger “Network Scanner” when scanning the /24 network to find targets to wipe. Additionally, the SFTP User Activity feature would show the propagation attempts by the attackers.
  • The “Scheduled Task - remote process execution” alert would be seen when Industroyer2 was triggered to run at a specific time.
  • An irregular connection to OT assets would immediately trigger a “New connection to industrial device” alert.
  • Any value changes sent via the IEC-104 protocol would be instantly detected.
  • Reconnaissance stage communications from compromised host to attacker C&C would also trigger an “Unauthorized outbound connection from IT related device” alert.

For additional information on how SCADAfence protects against industrial cyber attacks, and helps industrial organizations, read our previous article on The Russia-Ukraine Conflict from an Industrial Cybersecurity Perspective

Follow Best Practices to Protect your OT Assets

As always, the SCADAfence team recommends following accepted best practices, including
  • Employing network segmentation to separate sensitive applications (e.g. PCN) from other network parts via firewalls,
  • Always keeping secure offline backups up-to-date,
  • Encrypting sensitive data, and using MFA on OT assets.

For additional information about how SCADAfence can protect critical infrastructure, please contact us to request a demo today.