A Ukrainian energy supplier was targeted by a new variant of Industroyer malware named Industroyer2. The discovery was made by researchers from cybersecurity vendor ESET in collaboration with the Ukrainian Computer Emergency Response Team (CERT-UA).
The Industroyer malware was believed to have been used by the Sandworm APT group to cut power in Kiev, Ukraine, back in 2016.
In the latest incident, ESET claimed that Sandworm, which is linked to the Russian state security services, attempted to deploy the new version of Industroyer against high-voltage electrical substations in Ukraine, with the purpose of triggering power outages. The scheduled execution of the malware was April 8, 2022.
The researchers added that Sandworm used several other destructive malware in coordination with Industroyer2, including CaddyWiper, ORCSHRED, SOLOSHRED, and AWFULSHRED. The use of CaddyWiper, which was first discovered by ESET in March when it was deployed in the network of a Ukrainian bank, was designed to erase traces of Industroyer2. It is believed the attack had been planned for at least two weeks.
ESET and CERT-UA, who together managed to remediate the attack on the unnamed critical infrastructure network, said they are continuing to investigate the incident. Currently, there is no information on how the attackers were able to compromise the initial victim or how they moved from the IT network to the industrial control system network (ICS).
While Industroyer2 shares several characteristics with the original Industroyer malware, it also has some notable differences. These include holding a detailed configuration hardcoded in its body, driving the malware actions, whereas Industroyer stores configuration in a separate. INI file. The researchers said this new configuration format enables Industroyer2 to communicate with multiple devices at once.
In this new incident, it is believed the attackers attempted to get Industroyer2 to control specific ICS systems in order to cut power. Read more:https://bit.ly/3xIcAf1