Researchers at ESET, along with the Ukrainian Computer Emergency Response Team, worked together to remediate an attack against an energy provider carried out by the Sandworm threat group. On Friday, the group attempted to take down a large Ukrainian energy provider by disconnecting its electrical substations with a new variant of the Industroyer malware and the CaddyWiper data destruction malware. The Industroyer variant used in this attack was customized to target high-voltage electrical substations, after which the attackers attempted to erase traces of the intrusion using CaddyWiper, along with other data-wiping malware families tracked as Orcshred, Soloshred, and Awfulshred for Linux and Solaris systems. Researchers are still unclear about how the group managed to compromise the environment.
Industroyer, also known as CrashOverride, was first analyzed by ESET in 2017. At that time, it was described as the “biggest threat to industrial control systems.” The version used in this attack is believed to be an evolution of the malware used in the 2016 attack against the Ukrainian power grid.