Ukraine energy facility hit by two waves of cyberattacks from Russia’s Sandworm group

Sandworm succeeded in planting a new version of the Industroyer malware to disrupt ICS infrastructure at multiple levels, but was thwarted from doing serious damage.

Ukraine's Governmental Computer Emergency Response Team (CERT-UA) announced that Russia's state-backed threat group Sandworm launched two waves of cyberattacks against an unnamed Ukrainian energy facility. The attackers tried to decommission several infrastructural components of the facility that span both IT and operational technology, including high-voltage substations, Windows computers, servers running Linux operating systems, and network equipment.

CERT-UA said that the initial compromise took place no later than February 2022, although it did not specify how the compromise occurred. Disconnection of electrical substations and decommissioning of the company's infrastructure were scheduled for Friday evening, April 8, 2022, but "the implementation of the malicious plan" was prevented.

The Ukrainian team received help from both Microsoft and ESET in deflecting any significant fallout from the attacks. ESET issued a report presenting its analysis of the attacks, saying its collaboration with CERT-UA resulted in its discovery of a new variant of Industroyer malware, the same malware that the Sandworm group used to take down the power grid in Ukraine in 2016.

Industroyer2 malware strikes both IT and OT systems

Industroyer2, as ESET and CERT-UA call it, was deployed as a single Windows executable named 108_100.exe and executed using a scheduled task on 2022-04-08 at 16:10:00 UTC. However, according to the PE timestamp, it was compiled on 2022-03-23, suggesting that the attackers had planned their attack for more than two weeks. Unlike Industroyer, Industroyer2 implements on only one industrial control system protocol, IEC-104, to communicate with industrial equipment.

ESET says that Industroyer2 can communicate with multiple devices simultaneously, with the analyzed sample containing eight different IP addresses of devices. The attackers deployed Industroyer2 in the ICS network at the same time they also deployed a new version of the CaddyWiper destructive malware conceivably to slow down the recovery process and prevent operators of the energy company from regaining control of the ICS consoles.

ESET first discovered CaddyWiper in Ukraine on March 14 when it was deployed in a bank's network. In addition, ESET also discovered Linux and Solaris destructive malware called ORCSHRED, SOLOSHRED, and AWFULSHRED on the network of the targeted energy company.

Andrii Bezverkhyi, CEO and founder of SOC Prime, is a Ukrainian who has been in Ukraine since the war began, along with a team of 15 people, offering pro bono cybersecurity help to organizations. The big difference between Industroyer and Industroyer2 is that "the capabilities have matured now. So instead of playing around on one of the ICS systems, they're striking it for levels," Bezverkhyi tells CSO. "The industrial control level systems themselves, the Windows machines, and the network equipment."

The striking similarities between the earlier and later Ukraine attacks leave Russia with virtually no room to deflect, deny or obfuscate their role as the attacker, as they have attempted to do in many other cyber incidents. "I think they don't care at all because Russia is already attacking Ukraine on the ground and in the sky," Bezverkhyi says. "What can we do to them if they attack it in cyberspace?"

Earlier TLP alert said nine substations were switched off

Although CERT-UA's official statement implied that the Sandworm attacks were unsuccessful, an earlier TLP Amber alert issued by CERT-UA to international partners suggested that at least two attacks were “successful”  even though the malicious cyber activity was thwarted. In addition, that alert said the attackers were able to temporarily switch off nine power grid substations in one of the regions.

It doesn't matter, Bezverkhyi says. "Nobody said that there was a power outage, including some colleagues who were today, this morning, in Kyiv. They said power was there. Nine substations could be significant or not. It could be that if they were in small villages, we would not have big media noise about it."

If Sandworm did knock out nine substations, it's a moot point, Chris Sistrunk, a technical manager in Mandiant's ICS/OT Consulting practice, tells CSO, because it takes a while to analyze this kind of situation, and the information may be incorrect. More importantly, though, “They're actually in a real hot war," Sistrunk says. "[The Russian soldiers] are rolling up to the nuclear plants and shooting the buildings there. They're tearing down transmission lines.

"I still think it's like a fog of war where you don't really know, and we've got to wait for that analysis," Sistrunk says. "Were nine substations hit, or were they not? It doesn't matter because some of them right now are being destroyed physically with bombs."

U.S. energy providers should pay attention

"Attention should be paid" to this attack by all energy providers, including those in the U.S., Bezverkhyi says. "Can they attack the U.S. or other countries' infrastructure? I would say yes because Ukraine did not exactly invent the ICS equipment for the power stations. We're using equipment manufactured in the United States and Europe. Russia has demonstrated for years, if not decades, all kinds of hacking competitions to break into the ICS equipment. "

"We've seen Sandworm do this before, and now that there's an actual war going on, it's just something else to make the lives of Ukrainian people worse," Sistrunk says. He thinks it's very plausible that the Industroyer2 malware could be recrafted to target different protocols aside from IEC-104, which is not extensively used in the U.S. But, "if you took the Industroyer2 malware and did nothing to it, it would not work on American or North American substations, unless by some chance that they're using IEC-104."

Moreover, big U.S. utilities have been on alert since the Cybersecurity and Infrastructure Security Agency (CISA) issued a "Shields Up" warning after the beginning of Russia's invasion of Ukraine. However, the primary concern is the smaller electric utilities, such as those owned by municipalities, Sistrunk says.

Ukraine has built up its cyber defenses

"These guys in the trenches defending the Ukrainian power grid are listening to bombs and missiles and bullets outside of their building while they're defending," Chris Grove, cyber strategist at Nozomi Networks, tells CSO. "They know if the grid goes down that they lose the war, the hospitals won't have power, etc. So, they're very focused.”

Since the earlier cyberattacks on the Ukrainian power grid, many companies have invested time to help Ukraine build up its cyber defense. "This attack being stopped in its track so early before it could do any damage is some of the fruit from those efforts. I believe that this could have been much worse, and we could have seen a 2016-type event where we had mass outages or the defenders didn't fully understand what was going on."

Grove thinks the U.S. power companies should be on alert for an Industroyer2 attack because the malware's modularity makes "it easy to plug in another protocol if that's not a direct match. So, it's definitely something that could be easily changed to work on other systems."

Overall, Grove says the U.S. is in good shape to tackle Russian cyber threats. "There’s always going to be room for improvement, but we’re getting there,” he says, pointing to the Operational Technology Cybersecurity Coalition (OT Cyber Coalition) Nozomi announced along with Claroty, Forescout, Honeywell, and Tenable.

Copyright © 2022 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022