haabars.blogg.se

Kon boot windows 7 ultimate









  • 16:20 UTC: Scheduled execution of CaddyWiper on the same machine to erase Industroyer2 traces.
  • 16:10 UTC: Scheduled execution of Industroyer2 to cut power in a Ukrainian region.
  • 15:02:22 UTC: Sandworm operator creates the scheduled task to launch Industroyer2.
  • 14:58 UTC: Deployment of CaddyWiper on some Windows machines and of Linux and Solaris destructive malware at the energy provider.
  • : Deployment of CaddyWiper against a Ukrainian governmental entity.
  • : Deployment of CaddyWiper against a Ukrainian bank.
  • : Beginning of the current Russian invasion in Ukraine.
  • Figure 1 shows an overview of the different malware used in this attack. A variant of CaddyWiper was used again on 14:58 against the Ukrainian energy provider previously mentioned. At this point, we don’t know how attackers compromised the initial victim nor how they moved from the IT network to the Industrial Control System (ICS) network. We first discovered CaddyWiper on when it was used against a Ukrainian bank – see our Twitter thread about CaddyWiper. In addition to Industroyer2, Sandworm used several destructive malware families including CaddyWiper, ORCSHRED, SOLOSHRED and AWFULSHRED. In this case, the Sandworm attackers made an attempt to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine. Industroyer is an infamous piece of malware that was used in 2016 by the Sandworm APT group to cut power in Ukraine. The collaboration resulted in the discovery of a new variant of Industroyer malware, which we together with CERT-UA named Industroyer2 – see CERT-UA publication here. We worked closely with CERT-UA in order to remediate and protect this critical infrastructure network.
  • We assess with high confidence that the APT group Sandworm is responsible for this new attack. ESET researchers responded to a cyber-incident affecting an energy provider in Ukraine.
  • We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine.

  • The attack used ICS-capable malware and regular disk wipers for Windows, Linux and Solaris operating systems.
  • The destructive actions were scheduled for but artifacts suggest that the attack had been planned for at least two weeks.
  • ESET researchers collaborated with CERT-UA to analyze the attack against the Ukrainian energy company.








