Researchers at ESET, working with the Ukrainian Computer Emergency Response Team (CERT-UA), helped remediate an attack on a large Ukrainian energy provider attributed to the Sandworm threat group. The attackers intended to take the provider down on Friday, 8 April 2022, by disconnecting its high-voltage electrical substations with a new variant of the Industroyer malware, tracked as Industroyer2, and then covering their tracks with the CaddyWiper data-destruction malware. Industroyer2 was tailored to this target: it speaks only the IEC 60870-5-104 (IEC-104) protocol used to command substation equipment, and the devices it was to manipulate are hard-coded in the binary. CaddyWiper was staged to run on the Windows hosts after the switching commands went out, while three further wipers tracked as ORCSHRED, SOLOSHRED and AWFULSHRED were deployed against Linux and Solaris systems. The researchers have not determined how the group gained initial access to the environment.
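Because Industroyer2 drives the substations with ordinary IEC-104 control commands, a useful detection is not "is this traffic malformed" but "is a control command coming from a host that is not a known SCADA master". The following is an added example, not code from the article, ESET or CERT-UA: a minimal IEC-104 APDU parser and a detector that flags single/double/regulating-step commands with an activation or deactivation cause of transmission from any source outside an allowlist. The log format, IP addresses and APDU bytes are constructed for illustration.

```python
"""Flag IEC 60870-5-104 control commands sent by hosts that are not known SCADA masters.

Added example: the traffic log, IP addresses and APDU bytes below are constructed
for illustration and do not come from the incident described in the article.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# ASDU type identifiers that change the state of an RTU/IED (single, double and
# regulating-step commands, with and without time tags).
CONTROL_TYPES: Dict[int, str] = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command (time-tagged)",
    59: "C_DC_TA_1 double command (time-tagged)",
    60: "C_RC_TA_1 regulating step command (time-tagged)",
}
# Size in bytes of the information element that follows each 3-byte IOA, per type.
ELEMENT_SIZE: Dict[int, int] = {1: 1, 45: 1, 46: 1, 47: 1, 58: 8, 59: 8, 60: 8, 100: 1}
COT_ACTIVATION, COT_DEACTIVATION = 6, 8


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_address: int
    ioas: List[int] = field(default_factory=list)


def parse_apdu(raw: bytes) -> Optional[Asdu]:
    """Parse one IEC-104 APDU. Returns the ASDU for I-format frames, None for S/U-format."""
    if len(raw) < 6 or raw[0] != 0x68:
        raise ValueError("not an IEC-104 APDU")
    if raw[1] != len(raw) - 2:
        raise ValueError("APDU length field does not match frame length")
    if raw[2] & 0x01:          # control field bit 0 set: S-format or U-format, no ASDU
        return None
    asdu = raw[6:]
    if len(asdu) < 6:
        raise ValueError("truncated ASDU header")
    type_id = asdu[0]
    sequence, count = asdu[1] >> 7, asdu[1] & 0x7F   # variable structure qualifier
    cot = asdu[2] & 0x3F                             # drop test (T) and negative (P/N) bits
    common_address = int.from_bytes(asdu[4:6], "little")
    body = asdu[6:]
    ioas: List[int] = []
    size = ELEMENT_SIZE.get(type_id)
    if size is not None:
        if sequence:   # SQ=1: one IOA followed by `count` contiguous elements
            if len(body) < 3 + count * size:
                raise ValueError("truncated information objects")
            ioas.append(int.from_bytes(body[0:3], "little"))
        else:          # SQ=0: `count` (IOA, element) pairs
            if len(body) < count * (3 + size):
                raise ValueError("truncated information objects")
            for i in range(count):
                off = i * (3 + size)
                ioas.append(int.from_bytes(body[off:off + 3], "little"))
    return Asdu(type_id, cot, common_address, ioas)


def detect_rogue_controls(log_lines: List[str], allowed_masters: set) -> List[str]:
    """One alert per control command (activation/deactivation) whose source is not an allowed master."""
    alerts = []
    for line in log_lines:
        ts, src, _, dst, hexdata = line.split()
        asdu = parse_apdu(bytes.fromhex(hexdata))
        if asdu is None or asdu.type_id not in CONTROL_TYPES:
            continue
        if asdu.cot not in (COT_ACTIVATION, COT_DEACTIVATION):
            continue
        if src in allowed_masters:
            continue
        alerts.append(f"{ts} {src}->{dst} {CONTROL_TYPES[asdu.type_id]} "
                      f"CA={asdu.common_address} IOA={asdu.ioas} COT={asdu.cot}")
    return alerts


# Constructed sample: "<timestamp> <src> > <dst> <APDU hex>". 10.0.0.5 is the legitimate
# SCADA master; 10.0.0.77 is an engineering workstation that should never issue commands.
ALLOWED_MASTERS = {"10.0.0.5"}
SAMPLE_LOG = [
    "2022-04-08T12:15:01Z 10.0.0.5 > 10.1.1.20 680e000000002d010600010001000001",   # master: single cmd ON, IOA 1
    "2022-04-08T12:15:02Z 10.1.1.20 > 10.0.0.5 680e0200000001010300010001000001",   # RTU: spontaneous M_SP_NA_1
    "2022-04-08T12:15:03Z 10.0.0.77 > 10.1.1.20 680401000000",                       # S-format ack, no ASDU
    "2022-04-08T12:15:04Z 10.0.0.77 > 10.1.1.20 680e0000000064010600010000000014",  # interrogation (read-only)
    "2022-04-08T12:15:05Z 10.0.0.77 > 10.1.1.20 680e000000002e010600010002000001",  # double cmd OFF, IOA 2
    "2022-04-08T12:15:06Z 10.0.0.77 > 10.1.1.21 680e000000002d010600020003000000",  # single cmd OFF, CA 2, IOA 3
]

if __name__ == "__main__":
    for alert in detect_rogue_controls(SAMPLE_LOG, ALLOWED_MASTERS):
        print(alert)
```

Run against the constructed log, the detector ignores the master's own command, the RTU's spontaneous measurement, the supervisory frame and the read-only interrogation, and raises two alerts for the control commands from 10.0.0.77. In a real deployment the allowlist comes from the SCADA master inventory, and the check belongs on a network tap in the OT segment rather than on the Windows hosts, which a wiper like CaddyWiper is meant to destroy.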
Industroyer, also known as CrashOverride, was first analyzed by ESET in 2017, when it was described as the “biggest threat to industrial control systems” since Stuxnet. The variant used in this attack is an evolution of the malware behind the December 2016 attack on the Ukrainian power grid.
Sandworm is known for that December 2016 attack, in which the original Industroyer cut power to part of Kyiv. Since then the group has carried out a number of other operations, including compromising WatchGuard firewall appliances and ASUS routers to build the Cyclops Blink botnet. That botnet was severely disrupted last week by an operation led by US law enforcement and cyber-intelligence agencies.
Sandworm is a well-resourced state-sponsored group attributed directly to Unit 74455 of the Russian military's Main Intelligence Directorate (GRU). It is experienced and shifts its targeting across countries and industries as Russian state interests dictate. ESET's analysis, including indicators of compromise, is published at https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/; CERT-UA has also shared indicators in its own advisory.