Cyber attack against electrical power grid in Ukraine

Russia attempted to cut off electricity to about two million Ukrainians in a cyber operation scheduled to execute on Friday night, April 8th 2022. The Russian state-sponsored hacking group known as Sandworm tried to take down a large Ukrainian energy provider by disconnecting its electrical substations with a new variant of the Industroyer malware for industrial control systems (ICS). The target was a Ukrainian regional energy distribution company (an oblenergo), whose systems were successfully infiltrated. Had the attack succeeded, it would have blacked out some two million Ukrainians.

According to ESET, the attack, whose likely goal was to carry out destructive actions at the targeted energy facility and cause power outages on April 8, involved deploying several pieces of malware in both the ICS network and systems running Solaris and Linux. It combined the ICS-capable Industroyer2 malware with ordinary disk wipers for Windows, Linux and Solaris (CaddyWiper on Windows; ORCSHRED, SOLOSHRED and AWFULSHRED on Linux and Solaris), the wipers being there to erase the operator's workstations and servers and so make recovery harder. Sandworm attempted to deploy Industroyer2 against high-voltage electrical substations in Ukraine. The malware is designed to cause damage by directly manipulating ICS equipment: the plan was to take control of the substations, switch off the power and attempt to damage several critical pieces of electrical power distribution equipment. CERT-UA notes that the threat actor's goal was "decommissioning of several infrastructural elements."

The attack, which targeted high-voltage electrical substations and reportedly failed, has been analyzed by Ukraine's Computer Emergency Response Team (CERT-UA), cybersecurity firm ESET, and Microsoft. The cyber weapon installed on the systems was neutralized on Thursday, April 7th; the destructive actions were scheduled for Friday night, April 8th 2022. The artifacts suggest that the attack itself had been planned for at least two weeks and that the wider operation began months earlier with reconnaissance of how to get into the systems. After finding weaknesses in the target's environment, the attackers gained access to the energy company's workstations, expanded their foothold and eventually reached the company's electrical network management systems. There is high confidence that the APT group Sandworm is responsible for this attack. According to the analysis, the attackers used a new version of the Industroyer malware, which was used in December 2016 to cut power in Ukraine.

Industroyer2 attack overview from ESET

Sources:

https://www.bleepingcomputer.com/news/security/sandworm-hackers-fail-to-take-down-ukrainian-energy-provider/

https://www.securityweek.com/energy-provider-ukraine-targeted-industroyer2-ics-malware

https://www.is.fi/digitoday/art-2000008748186.html

https://www.computerweekly.com/news/252515855/Sandworm-rolls-out-Industroyer2-malware-against-Ukraine

https://www.techtarget.com/searchsecurity/news/252515899/Ukraine-energy-grid-hit-by-Russian-Indestroyer2-malware

https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

https://medium.com/@RoseSecurity/industroyer2-the-worst-sequel-9103a8998ee9

15 Comments

  2. Tomi Engdahl says:

    Ukraine says Russian hackers tried and failed to attack an energy provider
    https://www.engadget.com/ukraine-russia-hack-energy-provider-eset-microsoft-162847785.html

    Ukraine says Russian military hackers attempted to disrupt an energy provider in the country, but they were unsuccessful. The Computer Emergency Response Team of Ukraine (CERT-UA) claims it was able to thwart an effort to gain access to computers linked to substations and wipe all files on them. That would have shut down the unnamed provider’s infrastructure. The company in question is said to provide power to customers in a highly populated area.

    Cybersecurity company ESET, which has been helping shore up Ukraine’s defenses, said Sandworm was behind the latest attempt as well. Sandworm is said to have used a new version of the Industroyer malware it employed to shut down Ukraine’s power grid in late 2015.

    The latest attempted attack had been in the works for at least two weeks, according to ESET. Microsoft also helped ESET and Ukraine fend off the hackers, according to Viktor Zhora, a cybersecurity official in the country. According to CNBC, Zhora said the attackers did gain access to some systems and created disruption at one power facility, but they were snuffed out before any residents lost electricity.

    Ukraine says Russian cyberattack sought to shut down energy grid
    https://www.cnbc.com/2022/04/12/ukraine-says-russian-cyberattack-sought-to-shut-down-energy-grid.html

    Russian military hackers tried and failed to attack Ukraine’s energy infrastructure last week, the country’s government and a major cybersecurity company said Tuesday.

    The attack was designed to infiltrate computers connected to multiple substations, then delete all files, which would shut that infrastructure down, according to Ukraine’s summary of the incident.

  3. Tomi Engdahl says:

    Study finds TikTok’s ban on uploads in Russia failed, leaving it dominated by pro-war content
    https://techcrunch.com/2022/04/13/study-finds-tiktiks-ban-on-uploads-in-russia-failed-leaving-it-dominated-by-pro-war-content/?tpcc=tcplusfacebook

    Tracking Exposed found pro-war content dominates on TikTok in Russia after poor implementation of ban
    With Facebook, Twitter and Instagram banned by the Kremlin, TikTok is the last global social media platform still operating in Russia. In response to the Russian invasion of Ukraine, it announced it had banned new uploads on March 6 to protect users from Russian “fake news” law.

    But a new report has found that the ban was applied inconsistently; that new content uploads related to the war outnumbered anti-war content by 10-1; and that these pro-war posts now dominate TikTok’s war-related content. This has left the platform – after the ban was fully applied – effectively frozen in time, and Russian TikTokers none-the-wiser about new developments.

  4. Tomi Engdahl says:

    In the midst of Russia’s brutal invasion of Ukraine, Sandworm appears to be pulling out its old tricks.

    Russia’s Sandworm Hackers Attempted a Third Blackout in Ukraine
    https://www.wired.com/story/sandworm-russia-ukraine-blackout-gru/?mbid=social_facebook&utm_source=facebook&utm_social-type=owned&utm_brand=wired&utm_medium=social

    The attack was the first in five years to use Sandworm’s Industroyer malware, which is designed to automatically trigger power disruptions.

  5. Tomi Engdahl says:

    US agencies warn of custom-made hacking tools targeting energy sector systems
    https://therecord.media/us-agencies-warn-of-custom-made-hacking-tools-targeting-energy-sector-systems/

    Several advanced persistent threat (APT) actors have created custom-made tools designed to breach IT equipment used in critical infrastructure facilities, according to a new advisory from multiple US agencies.

    In an alert released on Wednesday, the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) warned critical infrastructure operators of potential attacks targeting multiple industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.

    The alert says the tools used in the attacks were designed specifically for Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.

    Eric Byres, chief technology officer of ICS cybersecurity software firm aDolus Technology, told The Record that Schneider Electric MODICON PLCs and OPC Unified Architecture (OPC UA) servers are incredibly common and are used widely within many major industrial facilities across the US.

    “The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” the alert explained.

    “By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.”

  6. Tomi Engdahl says:

    U.S. Warns New Sophisticated Malware Can Target ICS/SCADA Devices
    https://www.securityweek.com/us-warns-new-sophisticated-malware-can-target-icsscada-devices

    The U.S government is sounding a loud alarm after discovering new custom tools capable of full system compromise and disruption of ICS/SCADA devices and servers.

    A joint advisory from the Department of Energy, CISA, NSA and the FBI warned that unidentified APT actors have created specialized tools capable of causing major damage to PLCs from Schneider Electric and OMRON Corp. and servers from open-source OPC Foundation.

    “The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” the agencies warned.

    “By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions,” according to the joint advisory [PDF].

    The government warning comes on the heels of a series of wiper malware attacks linked to Russia’s invasion of Ukraine and a software supply chain compromise that effectively crippled Viasat’s satellite internet service.

    APT Cyber Tools Targeting ICS/SCADA Devices
    https://www.cisa.gov/uscert/sites/default/files/publications/Joint_Cybersecurity_Advisory_APT%20Cyber%20Tools%20Targeting%20ICS%20SCADA%20Devices.pdf

  7. Tomi Engdahl says:

    Alert (AA22-110A) – Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure https://www.cisa.gov/uscert/ncas/alerts/aa22-110a
    The cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom are releasing this joint Cybersecurity Advisory (CSA). The intent of this joint CSA is to warn organizations that Russia's invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and U.S. allies and partners.
    Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks (see the March 21, 2022, Statement by U.S. President Biden for more information).

  8. Tomi Engdahl says:

    Former intelligence chief: Ukraine has been a cyber punching bag for eight years, which has taught it to fend off Russia's cyberattacks
    https://yle.fi/uutiset/3-12410214
    Eight years of warfare in eastern Ukraine have taught Ukrainians how to defend against the cyberattacks Russia directs at them. Ukraine has improved, for example, in its ability to react to and block activity aimed at paralysing telecommunications systems or power grids, estimates Harri Ohra-aho, former intelligence chief of the Finnish Defence Forces and now a ministerial adviser at the Ministry of Defence.

  9. Tomi Engdahl says:

    Insight: Russia is 'failing' in its mission to destabilize Ukraine's networks after a series of thwarted cyber-attacks https://portswigger.net/daily-swig/insight-russia-is-failing-in-its-mission-to-destabilize-ukraines-networks-after-a-series-of-thwarted-cyber-attacks
    That was the takeaway from WithSecure’s Sphere conference this week, as chief research officer Mikko Hyppönen told attendees that Putin’s regime is “largely failing”. During the event, held in Helsinki, Finland, Mikko shared insight into the conflict between the two countries, which has now been ongoing for more than three months.

  10. Tomi Engdahl says:

    Europe's largest nuclear power plant, in Ukraine, has been badly damaged by shelling, says the company responsible for operating the plant https://www.is.fi/ulkomaat/art-2000008989045.html

  11. Tomi Engdahl says:

    https://www.securityweek.com/black-hat-2022-ten-presentations-worth-your-time-and-attention

    2. Industroyer2: Sandworm’s Cyberwarfare Targets Ukraine’s Power Grid Again (Robert Lipovsky and Anton Cherepanov, ESET).

    Industroyer2 – a new version of the only malware to ever trigger electricity blackouts – was deployed in Ukraine amidst the ongoing Russian invasion. Like in 2016 with the original Industroyer, the aim of this recent cyberattack was to cause a major blackout – this time against two million+ people and with components amplifying the impact, making recovery harder. Researchers believe the malware authors and attack orchestrators are the notorious Sandworm APT group, attributed by the US DoJ to Russia’s GRU.

    This presentation covers the technical details: reverse engineering of Industroyer2, and a comparison with the original. Industroyer is unique in its ability to communicate with electrical substation ICS hardware – circuit breakers and protective relays – using dedicated industrial protocols. While Industroyer contains implementations of four protocols, Industroyer2 “speaks” just one: IEC-104.

    Expect a higher-level analysis of the attackers’ modus operandi and discuss why and how the attack was mostly unsuccessful. One of the most puzzling things about Industroyer has been the stark contrast between its sophistication and its impact: a blackout lasting one hour in the middle of the night is not the worst it could’ve achieved. Industroyer2 didn’t even accomplish that.

    Why does it matter? These presentations shine a bright spotlight on an apex threat actor previously caught using some of the most destructive malware tools. As we have previously reported, this malware attack has some major geopolitical implications and all new disclosures will be closely followed.

    https://www.blackhat.com/us-22/briefings/schedule/index.html#industroyer-sandworms-cyberwarfare-targets-ukraines-power-grid-again-27832

    Reply
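The body of the post describes Industroyer2 manipulating substation equipment, and the Black Hat abstract above notes that it speaks a single protocol, IEC-104. The following is an added example, not code from ESET, CERT-UA or the malware itself: it builds and parses the minimal IEC 60870-5-104 frame that a single-command (type 45) breaker operation uses, and runs a simple detection over constructed traffic records, flagging control-direction commands whose source is not the authorised SCADA master, plus the breadth of IOAs each host addresses. The master address 10.0.1.10, the RTU addresses, the IOAs and every frame are assumptions constructed for the example.

```python
"""Flag IEC 60870-5-104 control commands sent from unauthorised hosts.

Added example, not ESET/CERT-UA/incident code. Assumptions: the legitimate
SCADA master is 10.0.1.10; every frame below is constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

START_BYTE = 0x68
COT_ACTIVATION = 6  # cause of transmission: activation
# Type identifiers in the control direction: these change breaker/relay state.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}
AUTHORISED_MASTERS: Set[str] = {"10.0.1.10"}  # assumption: the control centre

Frame = Tuple[str, str, bytes]  # (src_ip, dst_ip, APDU payload)


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_addr: int
    ioa: int
    element: int  # first information element byte (SCO for type 45)


def build_single_command(ioa: int, on: bool, common_addr: int = 1,
                         tx: int = 0, rx: int = 0) -> bytes:
    """Build an I-format APDU carrying C_SC_NA_1 (type 45), COT=activation."""
    sco = 1 if on else 0                 # bit 0 = SCS (state), bit 7 = S/E (0 = execute)
    asdu = struct.pack("<BBHH", 45, 1, COT_ACTIVATION, common_addr)  # type, VSQ=1 object, COT, CA
    asdu += ioa.to_bytes(3, "little") + bytes([sco])
    ctrl = struct.pack("<HH", tx << 1, rx << 1)  # I-format: bit 0 of the send field is 0
    return bytes([START_BYTE, len(ctrl) + len(asdu)]) + ctrl + asdu


def parse_apdu(data: bytes) -> Optional[Asdu]:
    """Parse one I-format APDU with a single information object; None otherwise."""
    if len(data) < 6 or data[0] != START_BYTE or data[1] != len(data) - 2:
        return None
    if data[2] & 0x01:                   # bit 0 set: S-format or U-format, no ASDU
        return None
    body = data[6:]
    if len(body) < 10:                   # type, VSQ, COT(2), CA(2), IOA(3), element
        return None
    type_id, _vsq, cot, common_addr = struct.unpack("<BBHH", body[:6])
    ioa = int.from_bytes(body[6:9], "little")
    return Asdu(type_id, cot & 0x3F, common_addr, ioa, body[9])


def find_rogue_commands(frames: Iterable[Frame]) -> List[Tuple[str, str, int, str, str]]:
    """Return (src, dst, ioa, type name, ON/OFF) for control commands not sent by a master."""
    alerts = []
    for src, dst, payload in frames:
        asdu = parse_apdu(payload)
        if asdu is None or asdu.type_id not in CONTROL_TYPES:
            continue
        if src not in AUTHORISED_MASTERS:
            state = "ON" if asdu.element & 0x01 else "OFF"
            alerts.append((src, dst, asdu.ioa, CONTROL_TYPES[asdu.type_id], state))
    return alerts


def ioas_per_source(frames: Iterable[Frame]) -> Dict[str, Set[int]]:
    """Distinct IOAs each host has sent control commands to. A host sweeping many
    breakers in quick succession is the Industroyer pattern even if it is a master."""
    seen: Dict[str, Set[int]] = {}
    for src, _dst, payload in frames:
        asdu = parse_apdu(payload)
        if asdu is not None and asdu.type_id in CONTROL_TYPES:
            seen.setdefault(src, set()).add(asdu.ioa)
    return seen


# Constructed traffic, not a capture from the incident.
SAMPLE_FRAMES: List[Frame] = [
    ("10.0.1.10", "10.0.2.21", build_single_command(ioa=1001, on=True)),    # legitimate master
    ("10.0.3.77", "10.0.2.21", build_single_command(ioa=1001, on=False)),   # compromised workstation
    ("10.0.3.77", "10.0.2.21", build_single_command(ioa=1002, on=False)),
    ("10.0.3.77", "10.0.2.22", bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])),  # U-format STARTDT act
]

if __name__ == "__main__":
    for alert in find_rogue_commands(SAMPLE_FRAMES):
        print("ALERT unauthorised IEC-104 control command:", alert)
    print("IOAs targeted per source:", ioas_per_source(SAMPLE_FRAMES))
```

Run as a script it prints the two commands from 10.0.3.77 and leaves the master's identical command alone; the per-source IOA set is what a breadth or rate threshold would key on. In a real deployment the frames come from a SPAN port or passive tap on the OT network, the allowlist has to be kept in lockstep with the SCADA master's actual addresses, and a U/S-format frame from an unknown host (the last sample) deserves its own alert even though it carries no command.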
  12. Tomi Engdahl says:

    What could follow from the shelling of the Zaporizhzhia nuclear power plant? An expert describes the possible scenarios https://www.is.fi/ulkomaat/art-2000008991694.html

  13. Tomi Engdahl says:

    War in Ukraine, day 174: Ukraine's nuclear power monopoly hit by a massive cyberattack
    This article collects Tuesday's most important events related to the war in Ukraine.
    https://www.iltalehti.fi/ulkomaat/a/7885d276-14c3-40df-87ea-2dcaea8c7b00

    Massive cyberattack targeting Ukraine's nuclear power monopoly

    Ukraine's state-owned nuclear power company Energoatom says a large-scale cyberattack targeted its website on Tuesday.

    The company reported the attack on its Telegram channel.

    According to Energoatom, it was the largest cyberattack since the start of Russia's war of aggression. The company says it has confirmed that a Russian actor is behind the attack.

    According to the Reuters news agency, Tuesday's attack lasted three hours and did not cause significant problems.

    https://t.me/energoatom_ua/8965

