After foiled Sandworm attack, US critical infrastructure should stand guard

Apr 22, 2022 · 5 min read
Critical Infrastructure, Security

Russian attack on Ukrainian power company likely just the beginning.


Amid the ongoing war in Ukraine, Russian attackers turned online this month to continue their onslaught and attempted to disable a Ukrainian energy company. The hackers tried to disconnect several high-voltage substations from a section of the country’s electric grid but were foiled by Ukraine's computer emergency response team (CERT-UA) with the help of researchers from ESET and Microsoft.

Russia’s hacker group known as Sandworm, a division of the GRU, the intelligence arm of the Russian military, is thought to be behind the attempted attack. The consensus among industry thought leaders is that the thwarted incident is a victory for Ukraine.

"Russia's GRU hacking unit, Sandworm, infected a Ukrainian energy company with destructive malware," tweeted Nicole Perlroth, a former New York Times reporter covering cybersecurity and current advisor to the Cybersecurity and Infrastructure Security Agency (CISA). "The attack was scheduled for last Friday but was caught in time. Bravo ESET and Ukraine CERT."

"Cannot be overstated what an incredible feat it was to catch this before they shut off power," she later added.

"Those Sandworm a**hats got shut down this time," tweeted infosec influencer @z3r0trust.

The attackers attempted to use the Industroyer malware, a tool used in the past by Sandworm and designed to automatically trigger power disruptions. It was first used in a 2016 attack that led to a temporary power outage in the Ukrainian capital, Kyiv. While the group has succeeded in the past, some security influencers questioned whether Sandworm had run out of steam in recent months and whether the failed attempt reflected diminished capabilities in a declining unit.

"Correct me if wrong, but seems the Moscow/St Pete tech/hackers may’ve fled RU while they could," said Nancy Bowman, a diversity recruitment specialist (@BowmanNancy). "Wonder if Putin still has a cyber team up to the task post exodus?"

Others noted that the latest attempted attack signaled that the war in Ukraine may increasingly play out in the digital domain.

"An important development: the discovery of a destructive malware campaign by Sandworm against Ukrainian energy company," said Lauren Zabierek, Executive Director with the Cyber Project at Harvard Kennedy School's Belfer Center, who tweets under the handle @lzxdc. "The Russian war against Ukraine is far from over, and events in the cyber domain will continue to unfold."

US removes malware in preemptive move

The foiled power-grid attack is not the only recent effort to stop malicious Russian cyber activity: earlier this month, United States officials announced they had secretly and preemptively removed malware from computer networks around the world. In that instance, officials alleged that Sandworm had implanted malware known as Cyclops Blink on thousands of WatchGuard Technologies Firebox devices, security appliances often used in home offices and in small to midsize businesses.

"US says it secretly took down Russian GRU-run malware operation. Aim unclear: Intelligence? Something disruptive? Disabled before it became operational," tweeted security researcher John Scott-Railton.

Sandworm, according to an FBI statement, had constructed a botnet that would allow attackers to launch malware or to orchestrate distributed denial of service attacks. Officials are unsure of the exact intent of the malware, but similar tactics have already been used by the same group to attack Ukraine in the past.

The GRU's Sandworm team "has a long history of outrageous, destructive attacks: The disruption of the Ukrainian electric grid in 2015, attacks against the Winter Olympics and the Paralympics in 2018, a series of disruptive attacks against the nation of Georgia in 2019, and, in 2017, the NotPetya attack that devastated Ukraine but also ended up hitting systems here in the U.S., throughout Europe, and elsewhere, causing more than 10 billion dollars in damages, one of the most damaging cyberattacks in the history of cyberattacks," the FBI statement said.

Attacks on US next?

While speculation about Russian attacks targeting American infrastructure has swirled for weeks, CISA is now warning of the very real potential for attacks on critical infrastructure. The agency is urging critical infrastructure organizations, especially those in the energy sector, to implement the recommendations provided in its alert.

"Today the US Government announced a new ICS malware that has been designed to disrupt industrial operations. CISA/FBI/NSA put out a great advisory," tweeted Dragos CEO and Co-founder Robert M Lee. "We call the malware PIPEDREAM."

Perlroth tweeted that the warning warrants immediate attention: "Here we go. New unnamed state hackers are infecting U.S. critical infrastructure--like grid operators--with custom tools capable of worst-case scenario attacks. There's no soft-pedaling it. This is very serious. Read @CISAgov's advisory in full. And do everything they say. Now."