LAS VEGAS — The Industroyer malware attack on Ukraine’s energy grid in 2016 caused a significant blackout and marked a turning point for cyber attacks against critical infrastructure.
But the Industroyer2 malware attack, which was more sophisticated than the original, failed to take down Ukraine’s energy grid in March, thanks in part to the lessons learned from the 2016 attack.
During a Black Hat 2022 session Wednesday, researchers from cybersecurity vendor ESET and Victor Zhora, deputy chairman of Ukraine’s State Service of Special Communications and Information Protection (SSSCIP), discussed the Industroyer2 malware and the response to the attack, which was unsuccessful.
The Industroyer2 attack was preceded by several wiper attacks on Ukraine networks, starting with HermeticWiper on Feb. 23 — a day before Russia’s invasion of Ukraine. “HermeticWiper was found on hundreds of systems in multiple organizations, and it was a pure act of cyber sabotage,” said Robert Lipovsky, principal threat intelligence researcher at ESET, during the presentation.
The situation escalated; on April 8, ESET was called in to analyze new malware discovered by CERT-UA, the national computer emergency response team for Ukraine, following an incident at an energy provider in the country. “Our analysis found that threat was bigger than expected,” Lipovsky said. “It was a new version of Industroyer, something which we hadn’t seen in the last five years.”
Unlike the original Industroyer malware, the second attempt failed to cause a blackout. But Lipovsky said that, had Industroyer2 been successful, it could have left more than 2 million people in Ukraine in the dark.
“The attack was thwarted thanks to a prompt response by the defenders at the targeted energy company and the work of CERT-UA and our assistance,” he said.
Zhora said many private-sector companies have provided invaluable cybersecurity support for Ukraine during Russia’s invasion but added that Microsoft and ESET have been especially crucial because the two vendors have the biggest presence on Ukraine networks and massive amounts of telemetry data.
That data proved to be extremely valuable in thwarting Industroyer2; Zhora said timely sharing of information by ESET and Microsoft tipped off Ukrainian authorities that an attack may be in progress. In addition, the quick response of CERT-UA to contact the target organization and detect the malware was key.
Zhora said investigators believe the initial compromise of the targeted energy company occurred on Feb. 17 and likely even earlier. Like the original Industroyer, the malware was specifically designed to disrupt industrial control systems at energy providers.
“It was a well-planned and technically sophisticated operation, with a lot of tools that we later discovered,” Zhora said.
Lipovsky said Industroyer2 had a lot of code similarities to the original Industroyer malware, though the new version was contained in a single executable rather than a framework.
And, like its predecessor, Industroyer2 was attributed to Sandworm, a state-sponsored group run by Russia’s Main Intelligence Directorate, more commonly known as the GRU. Lipovsky told the audience the threat group earned the name because its malware contained obvious references to Dune, Frank Herbert’s classic science fiction novel.
Anton Cherepanov, senior malware researcher at ESET, told the audience that Industroyer2 contained hardcoded configurations, which showed the attack was planned well in advance of the malware’s delivery. Industroyer2, he said, was specifically designed to disable circuit-breaker failure protections for the exact systems used in the targeted energy company’s network.
Cherepanov said Industroyer2 was just one part of an operation to take down a portion of Ukraine’s energy grid. Sandworm also deployed additional wiper malware known as CaddyWiper to make response and recovery more difficult and to erase any traces of the Industroyer2 malware.
Ultimately, the CaddyWiper attack caused more disruption than Industroyer2; Lipovsky said the malware’s authors made some mistakes that allowed defenders to mitigate the attack before it could successfully trigger a blackout. But he emphasized that, even though Sandworm’s latest attempt failed, “the threat shouldn’t be hyped but also should not be downplayed or underestimated,” he said. “These threats are serious, but they can be thwarted by proper security measures.”
Following the session, Zhora told SearchSecurity that the time period in between the 2016 blackout attack and Industroyer2 gave Ukraine and its private-sector partners time to prepare for the next attack. “Ukraine defenders were ready for this,” he said. “Industroyer1 was quite effective. It took us two hours to restore power.”
Zhora also said he isn’t sure when version 3 of Industroyer may arrive but that SSSCIP, CERT-UA and other organizations are expecting additional critical infrastructure attacks at some point in the future.
“These attacks are very dangerous and have a lot of potential to cause serious damage,” he said. “We have to monitor the situation 24 hours a day and prepare for escalation and further aggression.”
As Wi-Fi is now a critical component of enterprise network connectivity, Wi-Fi mapping helps teams evaluate their wireless …
Cloud-managed Wi-Fi provides IT groups with several benefits, including policy enforcement, network management and consistent AP …
As enterprises accelerate toward digitization of their complete IT stack, NaaS — which can lower costs, increase QoS and improve…
Project portfolio management software and tools in 2023 promote strategic management of projects and agile tactics. Read our PPM …
The California Age-Appropriate Design Code Act goes into effect in 2024, meaning businesses with users under the age of 18 should…
In this Q&A, Schneider Electric’s Michael Lofty discusses why and how organizations need to step up efforts to reduce CO2 …
Windows 11 administrators may encounter numerous desktops with varying performance issues. Follow these steps to identify the …
When Windows 11 administrators encounter an issue with a desktop without a clear fix, they should perform general troubleshooting…
PC prices are dropping as manufacturers lower prices to move inventory. Market saturation following the pandemic is a significant…
AI-powered automated inventory tracking systems aren’t perfect. However, retailers with high rates of lost sales from missing …
Explore scaling options in AKS, such as the horizontal pod and the cluster autoscaler. Then, follow a step-by-step tutorial on …
Looking to shift your organization’s workloads to the cloud? Understand the advantages and disadvantages of IaaS and PaaS options…
Chinese companies supplying network components, known as IoT modules, post a greater long-term threat to UK security than the now…
Gaps and limitations in how insurers respond to cyber risk need to be addressed, according to the Bank of England regulator, the …
With half of servers in the cloud, most backup and nearly all disaster recovery cloud-centric, the shift to the cloud is …
All Rights Reserved, Copyright 2000 – 2023, TechTarget
Privacy Policy
Cookie Preferences
Do Not Sell or Share My Personal Information