By Staff writer
A Kremlin-backed hacking team known as Sandworm has failed in its attempt to shut down electricity substations in Ukraine. Ukrainian authorities averted the attack after receiving assistance from Slovakian internet security company ESET and Microsoft.
On Tuesday, Viktor Zhora, Deputy Chairman of Ukraine’s State Service of Special Communications, confirmed that the cyberattack, planned for last Friday evening, had been foiled. Had the Sandworm attack succeeded, around two million Ukrainians would have lost electricity.
This was the second cyberattack on Ukraine’s electricity grid in as many months: the attackers first gained access to the targeted network in February. The electricity company has not been named, and how Sandworm’s malware first got in is still unknown.
“We were able to identify it, fight it and destroy it,” Mr Zhora said. “It looks like we have been extremely lucky to respond to this in a timely manner.” Ukraine has been on high alert against cyberattacks since Russian hostilities began to ramp up and has a long history of countering cyberattacks out of Russia.
ESET says it identified a new variant of the Industroyer malware first used in 2016 to attack Ukraine’s electrical grid. Cyber investigators later traced Industroyer back to Sandworm, a cyber-military unit of Russia’s GRU military intelligence agency. ESET and the Ukrainian Computer Emergency Response Team (CERT-UA) have named the new variant Industroyer2.
“We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine,” ESET says in a statement.
This time around, Sandworm attempted to deploy Industroyer2 against high-voltage electrical substations and the computers and networking systems that control them, and planted several other destructive tools on the same network: a new version of the CaddyWiper data wiper for Windows, the ArguePatch loader used to run it, the OrcShred worm, and the SoloShred and AwfulShred data wipers for Linux and Solaris hosts.
Industroyer2’s portable executable timestamp shows that it was compiled on March 23, more than two weeks before the planned attack. Industroyer is built specifically to attack electricity grids: rather than exploiting a software vulnerability, it speaks the industrial control protocols used to command substation equipment (IEC 60870-5-104 in Industroyer2’s case) directly.
“There have been reports of some hardcoded IPs in the malware sample, which is an indication that the threat actors had intimate knowledge of the environment they were deploying this in,” said Chris Grove, Director of Cybersecurity Strategy at Nozomi Networks.
Justin Fier, Vice President of Tactical Risk and Response at Darktrace, says this failed attack is a significant step up from the previous, “relatively unsophisticated” DDoS attacks on Ukraine.
“It’s particularly interesting to see that Sandworm has reared its head again,” he says. “CISA and other government agencies in the Five Eyes have been anticipating an attack like this and issuing sophisticated warnings for some time. Ukraine has been dealing with this type of threat for years and has been preparing with the help of global allies, including the US.”
Defence analysts suggest the planned cyberattack was one consequence of Russia’s failure to take Ukraine quickly. However, the long lead-in time also gave Ukraine and its allied cybersecurity organisations time to identify and thwart the attack. The Kremlin has denied any involvement in the cyberattack.