ESET, CERT-UA respond to Sandworm attack on Ukrainian energy provider using Industroyer2 malware

ESET researchers have collaborated with CERT-UA to respond to a cyber incident affecting an energy provider in Ukraine. The Sandworm attackers are said to have attempted to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine. The attack used industrial control system (ICS)-capable malware and regular disk wipers for Windows, Linux, and Solaris operating systems.  

“The collaboration resulted in the discovery of a new variant of Industroyer malware, which we together with CERT-UA named Industroyer2,” the ESET researchers wrote in a blog post. “Industroyer is an infamous piece of malware that was used in 2016 by the Sandworm APT group to cut power in Ukraine. In this case, the Sandworm attackers made an attempt to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine,” they added.

The researchers said that the destructive actions were scheduled for Apr. 8 but artifacts suggest that the attack had been planned for at least two weeks. “We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine. We assess with high confidence that the APT group Sandworm is responsible for this new attack,” it added.

Apart from Industroyer2, the Sandworm hackers used several destructive malware families including CaddyWiper, ORCSHRED, SOLOSHRED, and AWFULSHRED, ESET said. Sandworm is a threat group believed to operate on behalf of Russia’s GRU military intelligence agency and has now targeted Ukraine’s high-voltage electrical substations.

“At this point, we don’t know how attackers compromised the initial victim nor how they moved from the IT network to the Industrial Control System (ICS) network,” according to the researchers.

Industroyer2 was deployed as a single Windows executable named ‘108_100.exe’ and executed via a scheduled task on Apr. 8 at 16:10:00 UTC. According to its PE timestamp it was compiled on 2022-03-23, suggesting that the attackers had planned the attack for more than two weeks, ESET said. Industroyer2 implements only the IEC-104 protocol for communicating with industrial equipment, including the protection relays used in electrical substations. This is a slight change from the 2016 Industroyer variant, which is a fully modular platform with payloads for multiple ICS protocols, it added.

Industroyer2 shares several code similarities with the payload 104.dll of Industroyer, the researchers said. “We assess with high confidence that the new variant was built using the same source code,” they added.

Industroyer2 is highly configurable and contains a detailed configuration hardcoded in its body, driving the malware’s actions, according to ESET. “This is different from Industroyer, which stores configuration in a separate .INI file. Thus, attackers need to recompile Industroyer2 for each new victim or environment. However, given that the Industroyer* malware family has only been deployed twice, with a five year gap between each version, this is probably not a limitation for Sandworm operators,” it added.

The new configuration format is stored as a string which is then supplied to the IEC-104 communication routine of the malware, ESET said. Industroyer2 can communicate with multiple devices at once. Specifically, the analyzed sample contains eight different IP addresses of devices, it added.

Before connecting to the targeted devices, the malware terminates a legitimate process used in standard daily operations, ESET discovered. It also renames that application by appending .MZ to the filename, so that the legitimate process cannot be restarted automatically.
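As an added illustration (not ESET’s or CERT-UA’s code), the two behaviours just described translate into simple hunting checks over endpoint and network telemetry. The event field names, the sample records and the exact rename form (`name.exe` to `name.exe.MZ`) are assumptions, and TCP port 2404 is the standard IEC 60870-5-104 port rather than a detail from the report.

```python
"""Hunting helpers for the Industroyer2 behaviours described above.

Added example, not ESET's or CERT-UA's code. Event records are constructed and
simplified; the field names are assumptions, not a real EDR or flow schema.
"""
from collections import defaultdict

IEC104_PORT = 2404  # standard TCP port for IEC 60870-5-104 (general knowledge, not from the report)

def mz_rename_events(events):
    """Flag renames that append '.MZ' to an executable's file name.

    The malware renames the legitimate ICS client so it cannot be restarted
    automatically; a rename whose target is the source path plus '.MZ' is a
    high-signal, low-noise indicator. (Exact rename form is an assumption.)
    """
    hits = []
    for e in events:
        if e.get("type") != "file_rename":
            continue
        src, dst = e["src"].lower(), e["dst"].lower()
        if src.endswith(".exe") and dst == src + ".mz":
            hits.append(e)
    return hits

def iec104_fanout(events, min_targets=4):
    """Return hosts that opened IEC-104 sessions to >= min_targets distinct devices.

    The analysed sample held eight device addresses, so one Windows host
    reaching many relays/RTUs at once deserves review, especially if it is
    not a known SCADA server.
    """
    targets = defaultdict(set)
    for e in events:
        if e.get("type") == "net_connect" and e.get("dport") == IEC104_PORT:
            targets[e["host"]].add(e["dst_ip"])
    return {h: sorted(t) for h, t in targets.items() if len(t) >= min_targets}

# Constructed sample telemetry; device addresses use the RFC 5737 TEST-NET-1 range.
SAMPLE = [
    {"type": "file_rename", "host": "hmi-01", "src": r"C:\ICS\client.exe", "dst": r"C:\ICS\client.exe.MZ"},
    {"type": "file_rename", "host": "hmi-01", "src": r"C:\Users\op\report.docx", "dst": r"C:\Users\op\report_old.docx"},
] + [{"type": "net_connect", "host": "hmi-01", "dst_ip": f"192.0.2.{i}", "dport": 2404} for i in range(1, 9)]
SAMPLE.append({"type": "net_connect", "host": "scada-srv", "dst_ip": "192.0.2.1", "dport": 2404})

if __name__ == "__main__":
    print(mz_rename_events(SAMPLE))   # the client.exe -> client.exe.MZ rename only
    print(iec104_fanout(SAMPLE))      # hmi-01 with eight IEC-104 targets; scada-srv is below threshold
```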

“The analysis is still ongoing in order to determine what are the exact actions taken for each device. We believe that this component is able to control specific ICS systems in order to cut power,” ESET researchers said.

ESET said that Industroyer2 can produce a log file or output its progress to the console window. However, instead of meaningful text messages as in the previous version, the malware writes various error codes. “We believe it is an obfuscation attempt by Sandworm developers to hamper analysis,” they added.

In February, the U.K.’s National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) identified that the Sandworm (also known as Voodoo Bear) actor was using a new malware, referred to as Cyclops Blink. The NCSC, CISA, and the FBI have previously attributed the Sandworm actor to the Russian General Staff Main Intelligence Directorate’s (GRU’s) Main Centre for Special Technologies (GTsST).

In coordination with the deployment of Industroyer2 in the ICS network, the attackers deployed a new version of the CaddyWiper destructive malware, ESET said. “We believe it was intended to slow down the recovery process and prevent operators of the energy company from regaining control of the ICS consoles. It was also deployed on the machine where Industroyer2 was executed, likely to cover their tracks,” it added.

The first version of CaddyWiper was discovered by ESET researchers in Ukraine on Mar. 14, when it was deployed in the network of a bank. It was deployed via Group Policy Object (GPO), indicating that the attackers already had control of the target’s network. The wiper erases user data and partition information from attached drives, making the system inoperable and unrecoverable.

ESET also said that additional destructive malware for systems running Linux and Solaris was found on the network of the targeted energy company. “There are two main components to this attack: a worm and a wiper. The latter was found in two variants, one for each of the targeted operating systems. All malware was implemented in Bash,” the researchers added.

Reacting to the Industroyer2 malware reveal, Robert M Lee, Dragos’ CEO and co-founder, wrote in a LinkedIn post: “With the news that Industroyer2 was found (great work by Ukraine CERT and ESET) targeting the electric system in Ukraine this marks the sixth ICS specific malware. It’s a busy time for ICS defenders. However the good news is none of what we’re seeing changes the guidance folks have been giving for years.”

Lee said that a robust security program is needed, though it should be tailored for ICS. He pointed toward an ICS-specific incident response plan, a defensible architecture, ICS network monitoring/visibility, MFA (multi-factor authentication) for remote access, and a vulnerability management program. “Those five controls put people into an amazing place,” he added.

“The focus on tactics, techniques, and procedures like those mapped out in MITRE ATT&CK for ICS also enables folks to move from reactionary to proactive,” Lee said. “These are heightened times but with preparation don’t need to be fire drills,” he added.

Earlier this month, Dragos assessed with high confidence that the biggest cybersecurity weaknesses European industrial infrastructure asset owners currently face are lack of asset visibility into their network and weak network authentication policies.
