How Russian Army Hackers Attacked Ukraine’s Power Grid


The notorious Industroyer malware is back. Created by the Sandworm group, a hacking unit attributed to the Russian military intelligence service (GRU), this sabotage software caused an hour-long power cut in the Ukrainian capital in December 2016. More than five years later, a variant of this malware has just reappeared and targeted a high-voltage electrical substation in the country. It was detected and analyzed by ESET security researchers, who believe "with high confidence" that it was built from the Industroyer source code. That is why the experts simply named it "Industroyer2".


The attack was carried out on April 8, about two weeks after the malware was compiled. The hackers first infected the electricity supplier’s Windows and Linux machines with software called CaddyWiper, capable of destroying data. It is unknown when Industroyer2 was deployed in the Industrial Control System (ICS), but it was scheduled to run minutes after CaddyWiper was deployed.

A little over an hour later, Industroyer2 was running on Windows machines in the ICS network, apparently with the intention of causing a blackout. To do so, the malware relies on commands sent over a specialized protocol, IEC-104 (IEC 60870-5-104), used to control substation equipment. Ten minutes later, further CaddyWiper instances were run in turn, including on the machines infected with Industroyer2. The hackers probably wanted to make sure that traces of this malware would be eliminated.
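The article describes the blackout attempt as IEC-104 commands sent from a compromised Windows host inside the ICS network. A defender's detection angle is that legitimate control commands on that protocol come only from known SCADA masters, so any command-type ASDU from another source is worth an alert. The following is an added example, not code from the article or from ESET: a minimal IEC-104 APDU parser plus a source-based audit over constructed sample packets. The IP addresses, common addresses and information object addresses are invented for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# IEC 60870-5-104 ASDU type identifiers in the control direction (commands).
# A subset is enough to show the idea; monitoring-direction types (1..40) are not commands.
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
    100: "C_IC_NA_1 interrogation command",
}


@dataclass
class Apdu:
    frame_type: str            # "I" (data), "S" (supervisory) or "U" (unnumbered control)
    type_id: Optional[int]     # ASDU type identifier (I-frames only)
    cot: Optional[int]         # cause of transmission, low 6 bits (6 = activation)
    common_addr: Optional[int]  # common address of ASDU (station address)
    ioa: Optional[int]         # information object address of the first object


def parse_apdu(data: bytes) -> Apdu:
    """Parse one IEC-104 APDU: 0x68, length, 4 control octets, then the ASDU."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC-104 APDU (missing 0x68 start byte)")
    length = data[1]                       # number of bytes following the length octet
    if length + 2 > len(data):
        raise ValueError("truncated APDU")
    ctrl = data[2:6]
    # Control octet 1: bit0 = 0 -> I-format; bits1..0 = 01 -> S-format; 11 -> U-format
    if ctrl[0] & 0x01 == 0:
        frame_type = "I"
    elif ctrl[0] & 0x03 == 0x01:
        frame_type = "S"
    else:
        frame_type = "U"
    if frame_type != "I":
        return Apdu(frame_type, None, None, None, None)
    asdu = data[6:2 + length]
    if len(asdu) < 9:
        raise ValueError("ASDU too short")
    type_id = asdu[0]
    # asdu[1] is the variable structure qualifier (object count), not needed here
    cot = asdu[2] & 0x3F                   # bits 6/7 are the P/N and test flags
    # asdu[3] is the originator address
    common_addr = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    return Apdu(frame_type, type_id, cot, common_addr, ioa)


def audit_commands(packets, authorized_masters):
    """Return alert strings for control commands sent by hosts outside the allow-list."""
    alerts = []
    for src, payload in packets:
        apdu = parse_apdu(payload)
        if apdu.frame_type != "I" or apdu.type_id not in CONTROL_TYPE_IDS:
            continue                       # data reports, S/U frames: not commands
        if src not in authorized_masters:
            alerts.append(
                f"{src}: {CONTROL_TYPE_IDS[apdu.type_id]} to CA {apdu.common_addr} "
                f"IOA {apdu.ioa} (COT {apdu.cot}) from unauthorized host"
            )
    return alerts


# Constructed sample traffic (hypothetical addresses, not from the article):
# single command (type 45), COT 6 activation, CA 1, IOA 0x001001, SCO on
SINGLE_COMMAND = bytes.fromhex("680E000000002D0106000100011000 01".replace(" ", ""))
# monitoring report (type 1, single-point info), COT 3 spontaneous, IOA 5
SPONTANEOUS_REPORT = bytes.fromhex("680E02000000010103000100050000 01".replace(" ", ""))
# U-frame STARTDT act
STARTDT = bytes.fromhex("680407000000")

AUTHORIZED_MASTERS = {"10.0.0.5"}          # hypothetical SCADA master
SAMPLE_PACKETS = [
    ("10.0.0.5", SINGLE_COMMAND),          # expected: master issuing a command
    ("10.0.0.77", STARTDT),                # session setup, not a command
    ("10.0.0.77", SPONTANEOUS_REPORT),     # data in monitoring direction
    ("10.0.0.77", SINGLE_COMMAND),         # command from an engineering workstation: alert
]

if __name__ == "__main__":
    for alert in audit_commands(SAMPLE_PACKETS, AUTHORIZED_MASTERS):
        print(alert)
```

The allow-list approach works because IEC-104 has no authentication of its own: on the wire, a command from a compromised workstation looks identical to one from the real master, so the source address and the command type are the only signals a passive monitor has.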

Multiple attacks

Alongside this industrial sabotage operation, the hackers used a worm to infect Linux and Solaris machines located in another network of the electricity supplier. This worm spread by attempting to connect to other computers over SSH using a list of credentials. Where a login succeeded, data destruction software was run.
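A worm that spreads by trying a credential list over SSH leaves a distinctive trace in sshd authentication logs: a burst of failed password logins from one source, spread across several hosts and user names, often followed by a success on the host it reached. The following is an added example, not code from the article or from CERT-UA: a detector for that pattern over constructed syslog-style lines. The host names, user names, IP addresses and timestamps are invented, and the thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Standard OpenSSH syslog lines: "Failed password for [invalid user] USER from IP port N ssh2"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)


def parse_line(line):
    """Return a dict for an sshd password-auth line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # Syslog timestamps carry no year; we only compare spans, so the default year is fine
    event["ts"] = datetime.strptime(event["ts"], "%b %d %H:%M:%S")
    return event


def detect_ssh_spraying(lines, min_failures=5, window_seconds=60):
    """Flag sources with >= min_failures failed logins inside window_seconds.

    Each alert records how many hosts and user names were tried and whether a
    login from that source succeeded after the failures began (lateral movement).
    """
    by_source = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_source[event["src"]].append(event)

    alerts = []
    for src, events in by_source.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["result"] == "Failed"]
        if len(failures) < min_failures:
            continue
        # Sliding window: any min_failures consecutive failures within the window
        burst = any(
            (failures[i + min_failures - 1]["ts"] - failures[i]["ts"]).total_seconds()
            <= window_seconds
            for i in range(len(failures) - min_failures + 1)
        )
        if not burst:
            continue
        first_failure = failures[0]["ts"]
        successes = [
            e for e in events if e["result"] == "Accepted" and e["ts"] >= first_failure
        ]
        alerts.append({
            "src": src,
            "failures": len(failures),
            "hosts": sorted({e["host"] for e in failures}),
            "users": sorted({e["user"] for e in failures}),
            "success_after_failures": [(e["host"], e["user"]) for e in successes],
        })
    return alerts


# Constructed sample log (hypothetical names and addresses, not from the article)
SAMPLE_LOG = """\
Apr  8 14:02:11 rtu-gw sshd[2211]: Failed password for root from 10.0.0.77 port 41022 ssh2
Apr  8 14:02:13 rtu-gw sshd[2213]: Failed password for invalid user admin from 10.0.0.77 port 41023 ssh2
Apr  8 14:02:15 rtu-gw sshd[2215]: Failed password for operator from 10.0.0.77 port 41024 ssh2
Apr  8 14:02:20 hist01 sshd[918]: Failed password for root from 10.0.0.77 port 41030 ssh2
Apr  8 14:02:22 hist01 sshd[920]: Failed password for invalid user admin from 10.0.0.77 port 41031 ssh2
Apr  8 14:02:25 hist01 sshd[922]: Failed password for operator from 10.0.0.77 port 41032 ssh2
Apr  8 14:02:40 hist01 sshd[925]: Accepted password for operator from 10.0.0.77 port 41033 ssh2
Apr  8 14:05:02 hist01 sshd[940]: Failed password for operator from 10.0.0.12 port 50110 ssh2
Apr  8 14:05:09 hist01 sshd[941]: Accepted password for operator from 10.0.0.12 port 50111 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in detect_ssh_spraying(SAMPLE_LOG):
        print(alert)
```

The single failure from 10.0.0.12 followed by a success is the ordinary mistyped-password case and stays below the threshold; the burst from 10.0.0.77 across two hosts and three user names, ending in an accepted login, is the pattern that should page someone. In a real deployment the same logic runs over centrally collected logs, since a wiper that follows the login will take the local log with it.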

The consequences of this attack, however, are unclear. In a technical note, the CERT-UA incident response center explains that the attack was completely thwarted. But, according to Wired, an earlier memo indicated otherwise, with severe power outages as a result. The targeted substation supplies more than 2 million people. Together with the attack on ViaSat's satellite services, this is the second major cyberattack launched in the context of the war waged by Russia against Ukraine.

Sources: ESET, CERT-UA, Wired
