Sandworm rolls out Industroyer2 malware against Ukraine

by admin
April 12, 2022
in Visionary CIO

A new variant of the Industroyer malware, used to great effect against the Ukrainian energy sector by Russia’s Sandworm or Voodoo Bear advanced persistent threat (APT) group in 2016, has been identified by researchers from ESET, working in tandem with Ukraine’s national Computer Emergency Response Team, CERT-UA.

Predictably dubbed Industroyer2, it was used in an attempted cyber attack on a Ukraine-based energy company on the evening of Friday 8 April 2022. The attack used ICS-capable malware and disk wipers against Windows, Linux and Solaris operating systems at the target’s high-voltage electrical substations.

The Industroyer2 malware was compiled on 23 March, suggesting the attack had been planned for some time; according to CERT-UA, the initial compromise took place in February.

Sandworm also used a number of other destructive malware families in its attack, including the recently identified CaddyWiper, Orcshred, Soloshred and Awfulshred.

“Ukraine is once again at the centre of cyber attacks targeting their critical infrastructure,” said ESET’s research team in a disclosure notice. “This new Industroyer campaign follows multiple waves of wipers that have been targeting various sectors in Ukraine. ESET researchers will continue to monitor the threat landscape in order to better protect organisations from these types of destructive attacks.”

ESET said it had been unable to establish how the victim was compromised, or how Sandworm, which is part of the Russian GRU intelligence service’s Main Centre for Special Technologies (GTsST), moved laterally from the victim’s IT network to the separate ICS network.

Industroyer2 differs from its predecessor in that it uses only a single protocol, IEC-104, to communicate with industrial equipment, and it carries a detailed, hardcoded configuration that drives its actions. This makes it highly specific to one environment: its operators must recompile it for any new victim or environment they wish to attack.

It does, however, share multiple code similarities with the original Industroyer payload, enabling the analysts to assess with high confidence that both malware variants stem from the same source code.

More details on how the malware works, along with new information on the CaddyWiper malware used alongside it, are available from ESET.
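The single-protocol detail above is also what a defender can monitor for: IEC-104 control commands should only originate from known SCADA masters. As an added example that is not from the article, ESET or CERT-UA, the following is a minimal parser for IEC 60870-5-104 frames that flags command ASDUs (single and double commands, interrogation) sent by a host outside an allowlist. The host addresses, the allowlist and the frame bytes are constructed for illustration, and the parser decodes only the APCI and the ASDU header, not the full information-object payload.

```python
# Added example (not from the article or ESET): a minimal IEC 60870-5-104
# APDU parser that flags control commands arriving from hosts outside an
# allowlist. Host addresses, the allowlist and the frame bytes are all
# constructed for illustration.
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

START_BYTE = 0x68  # every IEC-104 APDU begins with this octet

# ASDU type identifiers that carry commands (IEC 60870-5-101/104 type IDs)
COMMAND_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
    100: "C_IC_NA_1 interrogation command",
}


@dataclass
class Apdu:
    fmt: str                    # "I" (data), "S" (supervisory) or "U" (control)
    type_id: Optional[int]      # ASDU type identification, I-format only
    cot: Optional[int]          # cause of transmission (6-bit cause field)
    common_addr: Optional[int]  # common address of ASDU (station)
    ioa: Optional[int]          # information object address of first object


def parse_apdu(frame: bytes) -> Apdu:
    """Decode the APCI and, for I-format frames, the ASDU header."""
    if len(frame) < 6 or frame[0] != START_BYTE:
        raise ValueError("not an IEC-104 APDU")
    if frame[1] != len(frame) - 2:
        raise ValueError("APDU length field does not match frame size")
    ctrl1 = frame[2]
    if ctrl1 & 0x01 == 0:
        fmt = "I"
    elif ctrl1 & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    if fmt != "I":
        return Apdu(fmt, None, None, None, None)
    asdu = frame[6:]
    # type id, VSQ, COT (2 octets), common address (2), first IOA (3)
    if len(asdu) < 9:
        raise ValueError("truncated ASDU")
    type_id = asdu[0]
    cot = asdu[2] & 0x3F              # bits 7/6 are the test and P/N flags
    common_addr = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    return Apdu(fmt, type_id, cot, common_addr, ioa)


def check_frames(frames: List[Tuple[str, bytes]], allowed_senders: Set[str]) -> List[str]:
    """Return one alert per command ASDU sent by a host not on the allowlist."""
    alerts = []
    for src, frame in frames:
        apdu = parse_apdu(frame)
        if apdu.fmt == "I" and apdu.type_id in COMMAND_TYPES and src not in allowed_senders:
            alerts.append(
                f"{src}: {COMMAND_TYPES[apdu.type_id]} to station {apdu.common_addr} "
                f"IOA {apdu.ioa} (COT {apdu.cot})"
            )
    return alerts


# Constructed sample traffic (source host, raw APDU). Addresses are made up.
ALLOWED_SENDERS = {"10.0.1.10"}  # the legitimate SCADA master in this example

SINGLE_COMMAND = bytes([
    0x68, 0x0E,                 # start, length of the 14 octets that follow
    0x00, 0x00, 0x00, 0x00,     # I-format, send seq 0, receive seq 0
    0x2D, 0x01,                 # type 45 C_SC_NA_1, one information object
    0x06, 0x00,                 # COT 6 = activation, originator 0
    0x01, 0x00,                 # common address 1
    0x01, 0x00, 0x00,           # IOA 1
    0x01,                       # SCO: single command ON
])
STARTDT_ACT = bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])  # U-format STARTDT act
MEASURED_VALUE = (
    bytes([0x68, 0x12, 0x02, 0x00, 0x00, 0x00,   # I-format, send seq 1
           0x0D, 0x01, 0x03, 0x00, 0x01, 0x00,   # type 13 M_ME_NC_1, COT 3 spontaneous, CA 1
           0x64, 0x00, 0x00])                    # IOA 100
    + struct.pack("<f", 132.5) + b"\x00"         # short float + quality descriptor
)

SAMPLE_FRAMES = [
    ("10.0.1.10", STARTDT_ACT),      # master opens the data channel
    ("10.0.1.10", SINGLE_COMMAND),   # expected command from the master
    ("10.0.2.20", MEASURED_VALUE),   # telemetry from an outstation, not a command
    ("10.0.5.77", SINGLE_COMMAND),   # same command from an unexpected host
]

if __name__ == "__main__":
    for alert in check_frames(SAMPLE_FRAMES, ALLOWED_SENDERS):
        print("ALERT", alert)
```

Run against the constructed frames, only the command from 10.0.5.77 produces an alert; the STARTDT handshake and the outstation's measured value are ignored. In a real deployment the allowlist would come from the substation's engineering documentation and the frames from a passive tap or span port on the ICS network.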

A parallel cyber war

Industroyer2 is the latest in a string of new malware families that have been deployed by Russia in its parallel cyber war against Ukraine, many of them also discovered by ESET.

Moscow’s campaign of destructive data wiper attacks began in the month prior to the initial kinetic invasion of Ukraine, with the use of the new WhisperGate malware against government targets in Kyiv.

As the invasion began, these initial attacks were followed by the use of other new wipers, including HermeticWiper, IsaacWiper, and in mid-March, CaddyWiper.

In addition to its use of destructive wiper malware, Russia also deployed the new Cyclops Blink malware as a means of accessing target networks through vulnerable firewall devices and co-opting them into a botnet, although this was neutralised earlier in April by American and German authorities.

Meanwhile, an actor linked to Russia’s European puppet state, Belarus, targeted organisations involved in supporting Ukrainian refugees with a malware called SunSeed.
