
CERT-UA, Ukraine's computer emergency response team, has disrupted an attempt by Sandworm, a hacking group known to work for Russia's military intelligence, to take down a Ukrainian energy provider.
The Russia-backed hacking group attempted to disconnect the unnamed provider’s electrical substations using a new version of the infamous Industroyer malware. This malware was used by the Sandworm APT group to cut power in Ukraine in 2016, which left hundreds of thousands of customers without electricity two days before Christmas.
Researchers at cybersecurity company ESET say that the industrial control system (ICS) malware was built using the source code of the malware deployed in 2016, which the company branded at the time as the biggest threat to industrial control systems since Stuxnet.
The new variant, dubbed 'Industroyer2', was deployed by the hackers to cause damage to high-voltage power substations. It was used alongside the CaddyWiper destructive wiper malware, first observed targeting a Ukrainian bank in March, which was planted on systems running Windows to erase traces of the attack. The attackers also targeted the organization's Linux servers using other variants of wiper malware, dubbed Orcshred, Soloshred, and Awfulshred.
The attackers breached the energy provider's network and had planned to cut power in a Ukrainian region on April 8; however, the attack was prevented. Details of the initial intrusion and other aspects of the operation are still unknown.
Indicators of Compromise