Ukraine's computer emergency response team (CERT-UA), in collaboration with researchers from ESET and Microsoft, last week foiled a cyberattack on an energy company that would have disconnected several high-voltage substations from a section of the country's electric grid on April 8.
The attack, by Russia's infamous Sandworm group, involved the use of a new, more customized version of Industroyer, a malware tool that the threat actor first used in Dec. 2016 to cause a temporary power outage in Ukraine's capital Kyiv. In addition to the ICS-capable malware, the latest attack also featured destructive disk-wiping tools for the energy company's Windows, Linux, and Solaris operating system environments that were designed to complicate recovery efforts.
The Russian cyber-assault, in the middle of the country's grinding war in Ukraine, has stirred concern about similar attacks on other energy companies in Ukraine and outside the country as well. It prompted the CERT-UA to distribute indicators of compromise and other attack artifacts to energy companies in Ukraine and to what it described as a "limited number" of international partners.
Andrii Bezverkhyi, CEO of SOC Prime, who is currently in Ukraine as a consultant with CERT-UA, says energy companies everywhere need to view the latest Sandworm cyber operation as a signal of escalation and be on high alert.
"They have capability to strike synchronously across entire [industries or geographies]," Bezverkhyi says. He advises that energy companies everywhere hone up on Sandworm's tactics, techniques, and procedures so they can better detect and protect against the threat actor.
A Dangerous, Persistent Threat
Sandworm is an advanced persistent threat actor linked to a special technology operations group at the Russian General Staff Main Intelligence Directorate (GRU). The group has been associated with several high-profile and destructive attacks over the years — most notably on Ukraine's electricity system. In 2015, Sandworm used malware called BlackEnergy in an attack that took down a swathe of Ukraine's power grid for several hours. In 2016, it used Industroyer to similar effect in Ukraine and then followed up the next year with destructive data-wiping attacks using the NotPetya malware tool. The Sandworm group is also thought to behind denial-of-service attacks in the country of Georgia, as well as a campaign that targeted the 2018 Winter Olympics.
Industroyer, the threat actor's weapon of choice in the latest attack, is malware specifically made to disrupt equipment associated with electric grids. Previous research by ESET and Dragos have showed the malware to be designed to allow threat actors to gain remote control of switches and circuit breakers in high-voltage substations and to manipulate them in such a way as to trigger disruptions. For example, the version of the malware used in the 2016 Ukraine attack could be used to force circuit breakers to remain open, resulting in the substation becoming de-energized.
The malware also allowed attackers in 2016 to essentially disconnect a substation from the rest of the grid by continuously toggling circuit breakers between "on" and "off" until protective measures kicked in to "island" off the substation — and trigger a blackout on that section of the grid.
One key feature of Industroyer is that it does not exploit any vulnerabilities, nor is it limited to attacking a single vendor's technology. Rather, the malware — as used in the 2016 attacks — employs different industrial control protocols to communicate directly with systems in industrial control environments.
Jean-Ian Boutin, director of threat research at ESET, says the new version of the malware, Industroyer2, uses only one protocol to communicate with industrial equipment. "The original version was modular and used four industrial protocols," he says. The reason why the new version uses just one hardcoded configuration is likely because it is easier to deploy. "The malware uses industrial protocol IEC-104, which communicates directly with equipment. It can switch circuit breakers in protection relays [and] could lead to a blackout."
The malware's sophistication suggests that it was tested in an industrial environment like the one that was targeted, with similar equipment and servers, he says.
CERT-UA said the goal of the attackers appears to have been to decommission not just high-voltage electric substations but also other infrastructure elements using different malware tools designed to disrupt the energy company's Windows, Linux, and Solaris servers. Among the tools that Sandworm deployed on the energy company's network was a Windows disk wiper called CaddyWiper and similar disk-wiping tools dubbed Orcshred, Soloshred, and Awfulshred for Linux and Solaris systems.
"Attackers wanted to wipe data on these servers, which would make it hard to recover quickly following an attack," Boutin says.
It's unclear how Sandworm gained initial access to the energy company's network or how it might have moved from the corporate network to the ICS systems. According to CERT-UA, the data suggests at least two "waves of attacks" on the company — one likely in February and the other in April. "The disconnection of electrical substations and the decommissioning of the company's infrastructure was scheduled for Friday evening, April 8," it said.
Bezverkhyi says the attack shows the Russian threat actor has matured its capabilities to a point where it can cause damage to power grids at multiple levels: ICS equipment, network devices, and operating workstations and servers.
"If an attack is fully successful, recovery of operations would take days, if not weeks," he says. Sandworm is known for using highly autonomous malware with multivector decision trees, Bezverkhyi says. In this attack, the binaries were compiled per target and contained a unique set of instructions per target, apparently to increase the likelihood of the attack's success.
Though the initial entry vector remains unclear, Sandworm's past attacks involved the use of valid accounts and exploitation of remote services for initial access, Bezverkhyi says. Sandworm also has demonstrated an ability to get access to the latest exploits, he says, pointing to the group's use of the NSA-developed EternalBlue exploit during its NotPetya campaign.
Beyond initial access, Sandworm heavily relies on living-off-the-land techniques such as using the task scheduler in Windows or the cron job scheduler in Unix to deploy malware and escalate privileges. "All the techniques, beyond exploitation, are quite known and observed in the wild since 2019," he says.
Luke McNamara, principal analyst at Mandiant, points out that one notable TTP in the latest attacks is the reported utilization of Group Policy Objects (GPO) for propagation within victim networks in several cases. "This highlights the importance of hardening defenses around Active Directory," he says.
Russian threat actors have certainly demonstrated the capability to disrupt Ukraine’s energy grid in the past, McNamara notes. He says, "The added complexity now is that all of this is taking place during Russia’s military invasion into Ukraine, when even short-term disruptions of energy infrastructure could have cascading effects on the battle space and the populace."