Cyber attack against electrical power grid in Ukraine

Russia tried to cut off electricity to about two million Ukrainians in a cyber operation scheduled for the night of Friday, April 8, 2022. The Russian state-sponsored hacking group known as Sandworm attempted to take down a large Ukrainian energy provider by disconnecting its electrical substations with a new variant of the Industroyer malware for industrial control systems (ICS). The target, referred to in reporting as an oblenergo (the Ukrainian term for a regional electricity distribution company), had its systems successfully infiltrated. Had it succeeded, the attack would have blacked out some two million Ukrainians.

According to ESET, the attack, whose likely goal was to carry out destructive actions in the targeted energy facility and cause power outages on April 8, involved deploying several pieces of malware on both the ICS network and on systems running Windows, Linux and Solaris. The ICS-capable component was Industroyer2, which, unlike the 2016 original with its four protocol modules, implements only the IEC 60870-5-104 (IEC-104) protocol and carries its target configuration (hosts and information object addresses) hardcoded in the binary. Alongside it the attackers deployed ordinary disk wipers: CaddyWiper for Windows and the ORCSHRED, SOLOSHRED and AWFULSHRED scripts for Linux and Solaris. Sandworm attempted to run Industroyer2 against high-voltage electrical substations in Ukraine. The malware is designed to cause damage by manipulating ICS devices: the plan was to take control of the substations, cut the power and attempt to damage critical electrical power distribution equipment. CERT-UA notes that the threat actor's goal was the "decommissioning of several infrastructural elements."
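Industroyer2 is documented in ESET's analysis (linked under Sources) as speaking IEC-104 directly to the substation devices it targets, so the network-side check a grid operator would want is visibility into IEC-104 control commands. The following is an added example written for this page; it is not code from ESET, CERT-UA or the Industroyer2 sample. It implements a minimal IEC 60870-5-104 APDU parser and a detector that flags activation commands (single and double commands, ASDU types 45 and 46, plus a few related types) coming from any host that is not a known SCADA master, and flags a host that commands several distinct information object addresses (IOAs) in a short window, which is what walking a hardcoded target list looks like on the wire. The frame bytes, IP addresses, timestamps and the master allow-list are all constructed for the example.

```python
"""Minimal IEC 60870-5-104 (IEC-104) APDU parser plus a detector for suspicious
control commands. Added example for this article, not code from ESET, CERT-UA or
the Industroyer2 sample. Frames, hosts and the allow-list below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import struct

START = 0x68
COT_ACT = 6  # cause of transmission "activation": a command being issued

# ASDU type IDs that change process state. Industroyer2 is documented as issuing
# single (45) and double (46) commands; the others are included for completeness.
CONTROL_TYPES = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
                 47: "C_RC_NA_1 regulating step", 58: "C_SC_TA_1 single command (time-tagged)",
                 59: "C_DC_TA_1 double command (time-tagged)"}
# Information-element sizes (bytes after the 3-byte IOA) for the types decoded here; SQ=0 layout only.
ELEMENT_SIZE = {1: 1, 45: 1, 46: 1, 47: 1, 58: 8, 59: 8, 100: 1}


@dataclass
class Apdu:
    frame_type: str                        # "I" (data), "S" (ack) or "U" (link control)
    type_id: Optional[int] = None
    cot: Optional[int] = None
    common_addr: Optional[int] = None
    ioas: List[int] = field(default_factory=list)
    select: Optional[bool] = None          # S/E bit of a command: True=select, False=execute
    command_state: Optional[str] = None    # "ON"/"OFF" for single and double commands


def build_i_frame(type_id: int, cot: int, common_addr: int, ioa: int, element: int,
                  ns: int = 0, nr: int = 0) -> bytes:
    """Build an I-format APDU carrying one information object (used to construct the sample)."""
    asdu = (bytes([type_id, 0x01, cot & 0x3F, 0x00])        # type, VSQ (1 object, SQ=0), COT, originator
            + struct.pack("<H", common_addr)
            + struct.pack("<I", ioa)[:3] + bytes([element]))  # 3-byte little-endian IOA + element
    ctrl = struct.pack("<HH", ns << 1, nr << 1)                # I-frame: bit 0 of the first byte is 0
    return bytes([START, len(ctrl) + len(asdu)]) + ctrl + asdu


def parse_apdus(stream: bytes) -> List[Apdu]:
    """Split a TCP byte stream into APDUs and decode the ASDU of I-frames."""
    apdus, off = [], 0
    while off < len(stream):
        if off + 2 > len(stream) or stream[off] != START:
            raise ValueError(f"bad start byte at offset {off}")
        length = stream[off + 1]
        apdu = stream[off + 2: off + 2 + length]
        if length < 4 or len(apdu) != length:
            raise ValueError(f"truncated APDU at offset {off}")
        off += 2 + length
        first = apdu[0]
        frame_type = "I" if first & 0x01 == 0 else ("S" if first & 0x03 == 0x01 else "U")
        rec = Apdu(frame_type)
        if frame_type != "I" or length < 10:
            apdus.append(rec)
            continue
        asdu = apdu[4:]
        rec.type_id, n_objects = asdu[0], asdu[1] & 0x7F
        rec.cot = asdu[2] & 0x3F
        rec.common_addr = asdu[4] | (asdu[5] << 8)
        size = ELEMENT_SIZE.get(rec.type_id)
        if size is not None:
            pos = 6
            for _ in range(n_objects):
                if pos + 3 + size > len(asdu):
                    raise ValueError("ASDU shorter than its declared object count")
                rec.ioas.append(asdu[pos] | (asdu[pos + 1] << 8) | (asdu[pos + 2] << 16))
                elem = asdu[pos + 3]                               # SCO / DCO / QOI byte
                if rec.type_id in (45, 58):
                    rec.select, rec.command_state = bool(elem & 0x80), "ON" if elem & 1 else "OFF"
                elif rec.type_id in (46, 59):
                    rec.select = bool(elem & 0x80)
                    rec.command_state = {1: "OFF", 2: "ON"}.get(elem & 0x03, "invalid")
                pos += 3 + size
        apdus.append(rec)
    return apdus


def detect_rogue_commands(frames: List[Tuple[int, str, bytes]], allowed_masters: set,
                          burst_threshold: int = 3, window_s: int = 60) -> List[str]:
    """frames: (timestamp_seconds, source_ip, apdu_bytes) as a sensor on the ICS segment sees them.
    Alerts on every activation command from a host that is not an allowed master, and once per
    host that commands `burst_threshold` distinct IOAs within `window_s` seconds."""
    alerts: List[str] = []
    recent = defaultdict(list)          # src -> [(ts, ioa)] of commands inside the window
    burst_flagged = set()
    for ts, src, data in frames:
        for a in parse_apdus(data):
            if a.frame_type != "I" or a.type_id not in CONTROL_TYPES or a.cot != COT_ACT:
                continue
            mode = "select" if a.select else "execute"
            desc = f"{CONTROL_TYPES[a.type_id]} {a.command_state} {mode} IOA={a.ioas} CA={a.common_addr}"
            if src not in allowed_masters:
                alerts.append(f"t={ts}s {src}: control command from non-master host: {desc}")
            recent[src] = [(t, i) for t, i in recent[src] if ts - t <= window_s] + [(ts, i) for i in a.ioas]
            distinct = {i for _, i in recent[src]}
            if len(distinct) >= burst_threshold and src not in burst_flagged:
                burst_flagged.add(src)
                alerts.append(f"t={ts}s {src}: commanded {len(distinct)} distinct IOAs within {window_s}s: {sorted(distinct)}")
    return alerts


STARTDT_ACT = bytes([START, 0x04, 0x07, 0x00, 0x00, 0x00])   # U-frame: open the data link
S_FRAME_ACK = bytes([START, 0x04, 0x01, 0x00, 0x02, 0x00])   # S-frame: acknowledge N(R)=1
ALLOWED_MASTERS = {"10.0.0.5"}                                 # assumed SCADA master (constructed)
SAMPLE_FRAMES = [                                              # constructed traffic, not a real capture
    (0, "10.0.0.5", STARTDT_ACT),
    (1, "10.0.0.5", build_i_frame(100, COT_ACT, 1, 0, 0x14)),          # C_IC_NA_1 station interrogation
    (2, "10.0.0.5", build_i_frame(45, COT_ACT, 1, 1001, 0x01, ns=1)),  # operator: single command ON, execute
    (30, "10.0.0.77", STARTDT_ACT),                                     # unknown host opens a link
    (31, "10.0.0.77", build_i_frame(46, COT_ACT, 1, 1001, 0x01)),      # double command OFF, execute
    (32, "10.0.0.77", build_i_frame(46, COT_ACT, 1, 1002, 0x01, ns=1)),
    (33, "10.0.0.77", build_i_frame(46, COT_ACT, 1, 1003, 0x01, ns=2)),
    (34, "10.0.0.77", S_FRAME_ACK),
]

if __name__ == "__main__":
    for line in detect_rogue_commands(SAMPLE_FRAMES, ALLOWED_MASTERS):
        print(line)
```

Run against the constructed sample, the detector stays quiet for the legitimate master and raises four alerts for 10.0.0.77: three for commands from a non-master host and one when that host has commanded three distinct IOAs inside the window. In a real deployment the frames would come from a SPAN port or pcap on TCP/2404 rather than a list. One caveat worth keeping in mind: in the incident described above the ICS-facing malware was executed from a compromised host inside the ICS network, so a pure source-address allow-list can be defeated if the attacker runs from the engineering workstation or master itself; the IOA-sweep heuristic and command auditing on the master are what remain in that case.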

The attack, which targeted high-voltage electrical substations and reportedly failed, has been analyzed by Ukraine's Computer Emergency Response Team (CERT-UA), the cybersecurity firm ESET, and Microsoft. The cyber weapon installed on the systems was neutralized on Thursday, April 7; the destructive actions were scheduled for Friday night, April 8, 2022. The artifacts suggest that the attack itself had been planned for at least two weeks (the Industroyer2 sample was compiled on March 23, 2022) and that the operation began months earlier with reconnaissance on how to get into the systems. The initial intrusion vector has not been disclosed; once inside, the attackers gained access to the energy company's workstations, expanded their foothold and eventually reached the company's electrical network management systems. ESET attributes the attack to the Sandworm APT group with high confidence. According to the analysis, the attackers used a new version of the Industroyer malware that was used in December 2016 to cut power in Ukraine.

Industroyer2 attack overview from ESET

Sources:

https://www.bleepingcomputer.com/news/security/sandworm-hackers-fail-to-take-down-ukrainian-energy-provider/

https://www.securityweek.com/energy-provider-ukraine-targeted-industroyer2-ics-malware

https://www.is.fi/digitoday/art-2000008748186.html

https://www.computerweekly.com/news/252515855/Sandworm-rolls-out-Industroyer2-malware-against-Ukraine

https://www.techtarget.com/searchsecurity/news/252515899/Ukraine-energy-grid-hit-by-Russian-Indestroyer2-malware

https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

https://medium.com/@RoseSecurity/industroyer2-the-worst-sequel-9103a8998ee9

71 Comments

  1. Tomi Engdahl says:

    Fingrid supplies Ukraine with spare parts so that the country can repair the electricity grid destroyed by Russia
    Transmission system operator Fingrid is supplying Ukraine with spare parts that the country can use to repair the power grid destroyed by Russian strikes.

    Lukashenka claims NATO is preparing an attack on Belarus; ISW: this is what it is about https://www.is.fi/ulkomaat/art-2000009217548.html

    Reply
  2. Tomi Engdahl says:

    Russia has struck Ukraine's electricity production with more than a thousand missiles and shells
    https://www.is.fi/ulkomaat/art-2000009253726.html

    The chairman of the board of Ukraine's electricity company says that the recent strikes are "the greatest attack experienced by humanity" on an energy network.

    Reply
  3. Tomi Engdahl says:

    https://www.is.fi/ulkomaat/art-2000009217548.html

    Electricity company: Russia has struck with more than a thousand missiles

    Russia has struck Ukraine's power plants and power lines with more than a thousand missiles and shells, says Volodymyr Kudrytskyi, chairman of the board of the Ukrainian electricity company Ukrenergo.

    According to the Ukrainian news agency Interfax, Kudrytskyi spoke about the matter at a meeting of the European Bank for Reconstruction and Development (EBRD) yesterday.

    According to him, the recent massive strikes are "the greatest attack experienced by humanity" on an energy network. As a result, Ukraine is now suffering from a severe electricity shortage.

    The situation has not been eased by the fact that, according to Kudrytskyi, electricity consumption has fallen by at least a quarter, if not nearly a third, during the war.

    Reply
  4. Tomi Engdahl says:

    Ukraine's defence minister's clear assessment: counteroffensives will continue once the ground is frozen https://www.is.fi/ulkomaat/art-2000009217548.html

    Ukraine's prime minister: All of the country's thermal power plants and hydroelectric plants have been damaged
    Ukrainian Prime Minister Denys Shmyhal said on Sunday that all of the country's thermal power plants and hydroelectric plants have been damaged in Russian strikes, the Kyiv Independent reports. According to Shmyhal, about 40 percent of Ukraine's high-voltage power lines have also been damaged. The lines carry electricity from power plants to towns and cities.

    According to Prime Minister Shmyhal, Ukrainians should understand that the winter will be very challenging in terms of electricity. He said electricity consumption must be cut drastically.

    At the moment, southern Ukraine among other areas is suffering a severe electricity shortage because of Russian strikes a couple of days ago.

    Reply
  5. Tomi Engdahl says:

    In the face of homegrown domestic terrorism, hard-to-replace transformers in the U.S. are becoming increasingly essential infrastructure. Meanwhile, a Russia-bombarded Ukraine is finding grid assistance from unexpected sources.

    Transformer Stockpiles—and Grids—Come Under Threat The U.S. failed to improve its stock, but Ukraine’s supply may be improving
    https://spectrum.ieee.org/transformer-stockpiles?share_id=7382953&socialux=facebook&utm_campaign=RebelMouse&utm_content=IEEE+Spectrum&utm_medium=social&utm_source=facebook#toggle-gdpr

    Among the most basic power equipment components—transformers—are in short supply in both the U.S. and Ukraine, increasing their power grids’ vulnerability. In the U.S., a spate of hurricanes, global supply holdups, domestic terror attacks on grid infrastructure, and a dearth of domestic manufacturing has depleted stocks. In Ukraine, relentless Russian bombardment of electrical substations is destroying transformers faster than they can be replaced.

    Both situations came before the U.S. Congress this week. President Volodymyr Zelenskyy appeared before a joint session of Congress appealing for more weapons to combat Russia’s attacks. Zelenskyy struck a defiant tone, saying bombs and blackouts will not steal Ukraine’s Christmas: “Even if there is no electricity, the light of our faith in ourselves will not be put out.”

    Meanwhile, behind the scenes, members of Congress made a last-ditch and ultimately unsuccessful appeal for federal dollars to boost transformer production.

    Transformers are like trust—months or years to build, seconds or minutes to destroy.

    Since the birth of modern power grids, millions of transformers on street poles and in switchyards have underpinned the practicality of alternating current.

    Yet nearly 140 years since their invention, transformers remain much like trust: they can take months or even years to build and just seconds to minutes to destroy.

    Projectiles puncturing their cases can release or ignite the heat-transfer oils that protect their intricate coil windings from overheating, often causing irreparable damage. That can be a crippling weakness at a time of increasing attacks on transformers.

    In Ukraine, Russian barrages destroy multiple transformers almost daily. That’s made transformers the most sought-after hardware in the country after Western missile systems. And it has forced Ukraine’s grid operators to appeal for spares from their counterparts abroad.

    Deliberate grid attacks are also raising anxiety in the U.S. Gunfire that took out the occasional transformer can on a pole five years ago is increasingly destroying transformers in substations that can weigh over 200 tonnes and feed power to neighborhoods or to entire cities.

    Coordinated firearms attacks on a pair of Duke Energy transmission substations in North Carolina this month grabbed headlines by blacking out about 45,000 people for up to four days. But in the last two months alone, deliberate damage to substations has sparked blackouts across the U.S., including in a second area in North Carolina, Ohio, and Oregon and Washington state. All remain unsolved.

    The scale of hostile outages in the U.S. pales compared to Ukraine’s suffering. But there are unsettling commonalities. In both countries, substation attacks seem designed to sow chaos and fear, and are at least partly motivated by an antipathy that’s anywhere from reckless to outright vengeful.

    The conspirators “expected the damage would lead to economic distress and civil unrest,”

    Six months after the Columbus filings, federal authorities became aware that a “suspected white supremacist” posted online the “exact coordinates of more than 75,000 substations across the U.S.,” according to cable news network NewsNation.

    Attacks and warnings are boosting utility interest in programs that give them access to shared stockpiles of transformers and other critical equipment.

    Pooling resources provides an insurance policy against high-impact events expected to occur infrequently to any one firm. But Rupert says more and closer manufacturing would enhance security. Tighter supplies mean longer delays to replace stocks that could be cleared out by a major incident causing widespread destruction—such as a massive solar storm, or attack via electromagnetic weapons.

    Large transformers Grid Assurance acquired in 2020 to be delivered in 18-24 months would take up to 39 months to replace today. Worse still, says Rupert, 70 percent of its transformers are manufactured outside North America.

    challenges contributing to transformer shortages, and honed in on one key ingredient: grain-oriented electrical steel. It’s the grade required for compact and efficient transformers, only one U.S. firm makes it, and the national lab study found its quality and quantity lacking. As a result, domestic producers serve only one-fifth of U.S. transformer demand—mostly small devices powering several homes or blocks

    A Little Help from Friends

    Creativity and bravery has certainly been on display by grid engineers in Ukraine, who cobble and piece together whatever parts they can to restore power knocked out by each Russian barrage.

    Last Friday’s had cut power deliveries by over half when the engineers set to work—despite Ukrainian air defenses downing 60 of the 80-90 missiles fired. The next day President Zelenskyy said grid operators already had power flowing again to almost 6 million people.

    Of course, there was much more work ahead. ”There is still a lot of work to do to stabilize the system. There are problems with the supply of heat, there are big problems with the supply of water,” said Zelenskyy.

    DTEK, an energy conglomerate that distributes most of eastern Ukraine’s power, received its first infusion of equipment last week, including 36 transformers from Zurich-based equipment supplier Hitachi Energy.

    Other distributors are benefitting from 250 transformers donated by Lithuanian power and gas distributor ESO that arrived earlier this month.

    Ukrenergo, meanwhile, can buy equipment for its transmission grid thanks to more than Euro-400-million in loans and grants from European governments last week.

    Ukraine’s Grid Needs Parts—Will Western Firms Step Up? As Ukraine’s energy infrastructure gets pummeled, the nation’s allies have yet to answer desperate calls for support
    https://spectrum.ieee.org/russia-targets-ukraine-grid

    Reply
  6. Tomi Engdahl says:

    Mayor Klitschko: Ukraine's energy infrastructure could collapse at any moment: "The situation is critical" https://www.is.fi/ulkomaat/art-2000009284246.html

    Vitali Klitschko: Ukraine's energy infrastructure could collapse at any moment
    Kyiv mayor Vitali Klitschko said on Monday that Ukraine's energy infrastructure could collapse at any moment, the news channel Reuters reports.

    - We are not talking about a collapse, but it could happen at any time. Russian missile strikes could destroy critical infrastructure in Kyiv.

    According to Klitschko, Kyiv's energy deficit after the Russian bombardment is around 30 percent.

    - It is quite cold in Ukraine, so living without electricity and heating is almost impossible. The situation is critical. We are fighting to survive.

    Reply
  7. Tomi Engdahl says:

    William Mauldin / Wall Street Journal:
    Russian attacks on Ukraine’s electrical grid are straining its mobile network, leading to a global hunt for equipment like batteries to keep the system online

    Russian Strikes Sap Ukraine Mobile Network of Vital Power
    Telecom operators and internet providers scour suppliers for better batteries, generators
    https://www.wsj.com/articles/russian-strikes-sap-ukraine-mobile-network-of-vital-power-11673747621?mod=djemalertNEWS

    Russia’s attacks on Ukraine’s electrical grid are straining the war-torn country’s mobile-telephone network, leading to a global hunt for batteries and other equipment critical for keeping the communications system working.

    Ukraine’s power outages aren’t just putting out the lights. The electricity shortages also affect water supplies, heating systems, manufacturing and the cellular-telephone and internet network, a vital communications link in a nation where fixed-line telephones are uncommon.

    Consumers can charge their cellphones at cafes or gas stations with generators, but the phones have to communicate with base stations whose antennas and switching equipment need large amounts of power. With rolling blackouts now a regular feature of life in Ukraine, the internet providers are relying on batteries to keep the network going.

    The stakes are high, since Ukrainian officials are using positive news of the war, speeches by President Volodymyr Zelensky and videos distributed by cellphone to maintain popular support for fighting Russia. First responders and evacuees rely on the mobile network, and a long-term loss of communications in major cities would compound the existing problems of electrical, heating and water outages, the companies say.

    Labor shortages have exacerbated the mobile-network issues as many Ukrainians have been displaced by the war or gone to the front to fight.

    But the biggest problem is power equipment. “We are not asking for money, we are asking for batteries,” said Yuriy Zadoya, manager of the division responsible for technology at Lifecell, part of Turkcell Iletisim Hizmetleri AS . “No one has a stock of batteries.”

    Lifecell, the country’s third-biggest provider, needs roughly 250 generators and 36,000 lithium-ion batteries, a spokeswoman says.

    Ukraine’s mobile network wasn’t built for wartime, and most base stations have a type of lead-acid battery known as absorbent-glass mat, or AGM. These batteries can only power a station for a couple of hours and take a long time to fully charge when the power comes back on.

    Mobile operators are seeking lithium-ion backup systems, since they last longer during an outage than the lead-acid-based batteries and can be recharged quicker. Yet, mobile executives say certain base stations—which include the antennas, switching equipment and power source—need generators to keep the power going.

    The U.S. Agency for International Development in November supplied 50 diesel generators to a Ukraine telecommunications and internet association to help keep cellular and fiber-optic services online, a spokeswoman for the agency said.

    U.S. diplomats are on a global hunt for supplies of high-voltage transformers and other equipment to rebuild the Ukrainian grid, which would help power supplies to the telecommunications industry, as well as chemicals and metallurgy, said Geoffrey Pyatt, the assistant U.S. secretary of state for energy, after a recent tour of the country.

    Meanwhile, Kyivstar, Lifecell and the other big Ukrainian operator—Neqsol Holding’s Vodafone Ukraine—approached manufacturers to get more backup batteries to replace their lead-acid batteries but were told the units would take three or four months to produce.

    Kyivstar has received and installed 8,000 new batteries for its system, and Vodafone Ukraine has installed 5,000, according to executives from the two companies.

    The new batteries aren’t a panacea since they only provide up to half a dozen hours of power for the station, less than the length of many power outages.

    Now an average of 25% of base stations across the country are down at any given time as a result of rolling power outages, Mr. Prybytko said. During the worst of the Russian strikes on the power system to date in late November, 59% of base stations weren’t functioning.

    “It was unexpected for us because the attack was so massive and had a big impact on the energy system,”

    Officials focused on the telecom sector are working with energy officials to change the rules giving power-access priority to select strategic sectors such as hospitals and emergency services. Mobile operators want the mobile network to receive priority access to get more hours of power each day, Mr. Prybytko said.

    All three mobile operators now allow roaming in each other’s networks at no extra charge, a move that increases the likelihood that a customer can connect with a competitor’s network if the tower nearest him or her is down.

    The firms are also working to restore Ukrainian mobile service in areas previously occupied by Russia.

    In Russian-occupied areas of Ukraine, mobile equipment was typically destroyed, with the Russian side working to set up its own network. “Some base stations were robbed—they simply took the equipment,” Mr. Zadoya, of Lifecell, said. “Quite a few were destroyed totally.”

    In areas where the network has been damaged during the war, military officers and authorities sometimes have access to satellite communications, including Starlink internet service, provided by Elon Musk’s SpaceX.

    Reply
  8. Tomi Engdahl says:

    Ukraine Says Five Dead as Russia Launches Massive Missile Attack
    https://www.bloomberg.com/news/articles/2023-03-09/ukrainian-cities-hit-by-new-wave-of-russian-missile-attacks?srnd=premium-europe&leadSource=uverify%20wall

    Attack targets energy facilities in seven Ukraine regions
    At least five people were killed near Lviv in western Ukraine

    Reply
  9. Tomi Engdahl says:

    A series of massive strikes on major cities in Ukraine; the Zaporizhzhia nuclear power plant lost its power supply https://www.is.fi/ulkomaat/art-2000009442315.html

    Reply
  10. Tomi Engdahl says:

    New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
    https://www.securityweek.com/new-russia-linked-cosmicenergy-ics-malware-can-disrupt-electric-grid/

    Mandiant has analyzed a new Russia-linked ICS malware named CosmicEnergy that is designed to cause electric power disruption.

    Reply
  11. Tomi Engdahl says:

    This is everything that is known now about the Kakhovka dam explosion
    https://www.is.fi/ulkomaat/art-2000009636055.html

    The breach of the dam in southern Ukraine was reported early on Tuesday morning. Thousands of people live in the critical flood zone and evacuations have begun.

    The Kakhovka dam, located on the Dnipro river in the town of Nova Kakhovka in the Kherson region, was at least partially destroyed on Tuesday morning.

    The Kakhovka dam is 30 metres high and 3.2 kilometres long, the Reuters news agency reports. The reservoir holds more than 18 billion cubic metres (18 km³) of water, roughly the volume of Lake Päijänne.

    The dam was built in 1956 on the Dnipro river as part of the Kakhovka hydroelectric plant.
    Why did the dam break?

    Ukraine has blamed Russia for destroying the dam.

    – Russian terrorists. The destruction of the Kakhovka hydroelectric plant's dam only confirms to the whole world that they must be expelled from every corner of Ukrainian soil, Ukrainian President Volodymyr Zelensky said earlier on Tuesday.

    According to Mykhailo Podolyak, adviser to the Ukrainian president, Russia destroyed the dam to slow down Ukraine's offensive. He said the consequences of the dam's destruction are already devastating, STT reports.

    Russia, for its part, has blamed Ukraine. Nova Kakhovka is currently occupied by the Russians. Vladimir Leontev, a representative of the local puppet administration, first denied that anything had happened to the dam. He then blamed Ukrainian shelling for what happened, The Guardian reports.

    Reply
  12. Tomi Engdahl says:

    Expert appalled by the destruction at Kakhovka: "Absolutely horrible"
    https://www.is.fi/ulkomaat/art-2000009636071.html

    Russia has for a long time targeted its strikes specifically at Ukraine's energy infrastructure in order to gain the upper hand in the war and thereby influence the West's willingness to help Ukraine.

    During the night before Tuesday, Russia blew up part of the Kakhovka dam in the Kherson region.

    At the moment it is unclear how large a part of the dam has been destroyed for certain, which is why the exact concrete consequences and their extent are unclear.

    The dam, built in 1956, holds back the Kakhovka reservoir. The total water volume of the reservoir is 18.15 cubic kilometres, about 1.5 times the volume of Lake Päijänne. The Kakhovka reservoir is the eighth largest reservoir in Europe by surface area.

    Reply
  13. Tomi Engdahl says:

    Did Russia repeat Stalin's trick? These were the consequences of the dam explosion in Ukraine in 1941
    https://www.is.fi/ulkomaat/art-2000009636320.html

    The Soviet Union blew up the Dnieper hydroelectric plant as the Germans advanced deeper into the country.

    Reply
  14. Tomi Engdahl says:

    Russian APT Group Caught Hacking Roundcube Email Servers
    https://www.securityweek.com/russian-apt-group-caught-hacking-roundcube-email-servers/

    A Russian hacking group has been caught hacking into Roundcube servers to spy on government institutions and military entities in Ukraine.

    Reply
  15. Mirandajoye says:

    The cyberattack was complicated and included the following steps: Prior infiltration of business networks by spear-phishing emails with BlackEnergy malware. Taking control of SCADA and remotely turning off substations.
    https://uno-online.co/

    Reply
  16. Slope says:

    Such cyber operations can have severe consequences, https://slopeonline.org affecting critical infrastructure and disrupting the lives of millions of people.

    Reply
  17. Tomi Engdahl says:

    Ukraine says an energy facility disrupted a Fancy Bear intrusion https://therecord.media/ukraine-energy-facility-cyberattack-fancy-bear-email

    An infamous Russian cyberespionage group was caught attacking a critical energy facility in Ukraine, a government agency said on Tuesday.

    A cybersecurity expert working for the targeted organization thwarted the attack, according to the report from Ukraine’s computer emergency response team (CERT-UA). The agency attributed the incident to Kremlin-controlled hackers known as Fancy Bear or APT28.

    CERT-UA said the group targeted an unspecified energy facility in Ukraine, using phishing emails to gain initial access to the targeted systems. Fancy Bear is believed to be associated with the Russian military intelligence agency GRU, and its history includes the attack on the U.S. Democratic National Committee during the 2016 elections.

    Reply
  18. Joe Coffey says:

    A spokesperson said the third-largest supplier needs 250 generators and 36,000 lithium-ion batteries. https://dino-game.co

    Reply
  19. Tomi Engdahl says:

    Such observations have puzzled electricity companies: "We are keeping our eyes open" https://www.is.fi/kotimaa/art-2000009929813.html

    Reply
  20. Tomi Engdahl says:

    Ukraine's massive blackout was not caused by missile strikes alone; a cyberattack struck at the same time
    Suvi Korhonen, 13 Nov 2023 11:40. Tags: cyber war, information security, malware, Ukraine crisis
    The strike, believed to have been carried out by Russians, knocked a power plant off the grid.
    https://www.tivi.fi/uutiset/ukrainan-massiivinen-sahkokatko-ei-johtunut-vain-ohjusiskuista-samalla-iski-kyberhyokkays/1bed388c-09bd-4ecd-8a12-2a38473ea215

    In Ukraine, a cyberattack campaign against power plants has been revealed as a cause of the blackouts in addition to the missile strikes, claims the security company Mandiant. The company blames the Russian-linked Sandworm gang for the strikes, in which data was also wiped from the victims' IT environment alongside the power outages.

    Reply
  21. Tomi Engdahl says:

    Recent OT and Espionage Attacks Linked to Russia’s Sandworm, Now Named APT44
    https://www.securityweek.com/recent-ot-and-espionage-attacks-linked-to-russias-sandworm-now-named-apt44/

    Google Cloud’s Mandiant on Wednesday published a new report summarizing some of the latest activities of Russia’s notorious Sandworm group, which it has started tracking as APT44.

    Sandworm is one of Russia’s most well-known threat groups, being involved in operations whose goal is espionage, disruption, or disinformation. It’s known for the use of highly disruptive malware such as BlackEnergy and Industroyer.

    Since the start of Russia’s war against Ukraine, the group has focused on causing disruption within Ukraine, using wipers and other tactics to achieve its goals. Its cyber operations are often timed with conventional military activities.

    Kapeka: A New Backdoor in Sandworm’s Arsenal of Aggression
    https://www.securityweek.com/kapeka-a-new-backdoor-in-sandworms-arsenal-of-aggression/

    Kapeka is a new backdoor that may be a new addition to Russia-linked Sandworm’s malware arsenal and possibly a successor to GreyEnergy.

    There is currently almost zero public knowledge of the Kapeka backdoor beyond a brief description from Microsoft published on February 14, 2024 concerning the discovery of a new backdoor it calls KnuckleTouch. Microsoft attributes the KnuckleTouch backdoor to SeaShell Blizzard, which is its name for Sandworm. There is no Microsoft analysis of this malware, but WithSecure is confident that KnuckleTouch is Kapeka.

    In its own analysis, security firm WithSecure believes Kapeka is the tool of an APT (nation-state group). It is not yet sufficiently confident that the group is Sandworm, but has found numerous overlaps between Kapeka and GreyEnergy sufficient to make this a strong possibility.

    Reply
