A Russian attack against a Ukrainian energy company has been stopped by security researchers from ESET spol sro and Microsoft Corp. in conjunction with Ukraine’s Governmental Computer Emergency Response Team.
The attack, linked to the Russian government “Sandworm” hacking group, used a new variant of the Industroyer malware dubbed Industroyer2. Industroyer is an infamous malware that was first used in 2015 to target Ukraine’s power supply.
Industryoer2 was used to target high-voltage electrical substations in the country but was not the only form of malware used by Sandworm in its campaign. The hacking gang also used CaddyWiper, Orchshred, Soloshred and Awfulshred malware to try to take down the electricity company. CaddyWiper had been previously used in March to target a Ukrainian bank.
The researchers note that they do not know how the attacks compromised the initial victim nor how they moved from the information technology network to the industrial control system network. The attackers were able to move laterally between different network segments “by creating chains of SSH tunnels.”
The Sandworm hacking group, also known as APT28 and Fancy Bear, has been linked to various hacking incidents, including those that targeted the Pyeongchang Winter Olympics, the 2017 French elections and the NotPetya ransomware attacks. Six members of the gang were indicated by the US Department of Justice in October 2020. The indictment stated that all six were members of Unit 74455 of the Russian Main Intelligence Directorate, a military intelligence agency of the General Staff of the Armed Forces.
Authorities in the US and UK warned in July that Sandworm was conducting a campaign of brute-force attacks to gain access to networks and steal data.
“The reported cyberattack on the electricity grid only serves to highlight a long-standing reality – organizations that have substantial gaps in their cyber defense capabilities are operating at risk,” Lorri Janssen-Anessi, director of external cybersecurity assessments at cloud-based cyber defense company BlueVoyant LLC and former senior analyst at the Department of Defense, told SiliconANGLE. “And when the threat landscape changes, as it has now, we become more aware of the vulnerabilities that we have carried for some time.”
The attack highlights that when threat actors attack critical sectors infrastructure, the results could be actual damage and human harm, she added. “Cyber attacks with physical effects are unfortunately becoming a tool in the war arsenal,” she said.
Noting that energy and critical infrastructure have faced attacks in the past, such as the Colonial Pipeline Co. ransomware attack, Janssen-Anessi explained that the energy sector has specific vulnerabilities, such as a complex infrastructure that often involves physical and cyber infrastructure across many countries, suppliers and distributors, the need to run at all times with no downtime and the reality of being a high-profile target.
“The energy industry is already on alert, but must use the current climate to once again take a hard look at its internal and external attack surface,” she warned.