Russia-linked Sandworm APT targets energy facilities in Ukraine with wipers

Russia-linked Sandworm APT group targeted energy facilities in Ukraine with INDUSTROYER2 and CADDYWIPER wipers.

Russia-linked Sandworm threat actors targeted energy facilities in Ukraine with a new strain of the Industroyer ICS malware (INDUSTROYER2) and a new version of the CaddyWiper wiper.

According to the CERT-UA, nation-state actors targeted high-voltage electrical substations with INDUSTROYER2, the variant analyzed by the researchers were customized to target respective substations.

The attackers also employed the CADDYWIPER wiper to target Windows-based systems, while hit server equipment running Linux operating systems with ORCSHRED, SOLOSHRED, AWFULSHRED desruptive scripts.

“Centralized distribution and launch of CADDYWIPER is implemented through the Group Policy Mechanism (GPO). The POWERGAP PowerShell script was used to add a Group Policy that downloads file destructor components from a domain controller and creates a scheduled task on a computer.” reads the advisory published by the Ukrainian CERT. “The ability to move horizontally between segments of the local area network is provided by creating chains of SSH tunnels. IMPACKET is used for remote execution of commands.”

CERT-UA states that the APT groups launched at least two waves of attacks against the energy facilities. The initial compromise took place no later than February 2022. It is interesting to note that the disconnection of electrical substations and the decommissioning of the company’s infrastructure was scheduled for Friday evening, April 8, 2022. 

The good news is that the attacks were detected and neutralized by government experts with the help of cybersecurity firms ESET and Microsoft.

The CERT-UA collected indicators of compromise for these attacks and shared them, along with Yara rules, with a limited number of international partners and Ukrainian energy companies.

Security firm ESET, which helped the Ukrainian government, published a detailed report on the Industroyer2 wiper used to target a Ukrainian energy company.

The researchers confirmed that the attacks were scheduled for 2022-04-08, but artifacts suggest that the attack had been planned for at least two weeks.

“We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine” reads the report published by ESET. “We assess with high confidence that the APT group Sandworm is responsible for this new attack.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.
Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)
To nominate, please visit: 
https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)

[adrotate banner=”5″]

[adrotate banner=”13″]