The infamous Sandworm threat group operating out of Russia's military GRU unit has no qualms about taunting researchers when it finds it is being watched. Just ask Robert Lipovsky and his fellow researchers at ESET, who got the message loud and clear when they dissected one of Sandworm's newer malware variants earlier this year: The Sandworm attackers disguised the loader for one of its data-wiping variants as the IDAPro reverse-engineering tool — the very same tool the researchers had used to analyze the attackers' malware.
Lipovsky, principal threat intelligence researcher at ESET, knew it was no coincidence. Sandworm most likely was brazenly — and sarcastically — making a point that the group knew ESET was on its trail. "There's no reason to use IDAPro" in an attack on an engineering substation because that's not a tool that would be used on that system, he explains. "It's fairly clear the attackers are fully aware we are onto them and blocking their threats. They are maybe trolling us, I would say."
That wasn't the only message Sandworm seemed to be sending. The group also dropped a Trojan-ridden version of ESET's security software in its targeting of Ukrainian networks. "They were sending a message that they were aware we are doing our job protecting the users in Ukraine," Lipovsky says.
Lipovsky was part of the ESET team that — along with Ukraine's computer emergency response team (CERT-UA) and Microsoft — in April blocked a cyberattack by Sandworm on an energy company in Ukraine using a new version of its game-changing Industroyer malware weapon, Industroyer2. Had it not been thwarted in time, the attack would have knocked several high-voltage substations from part of the nation's electric grid.
Industroyer2 is a more custom version of the first iteration (Industroyer) that Sandworm unleashed in December 2016, temporarily knocking out power in parts of Kyiv, the capital of Ukraine. The Industroyer2 attack attempt in April also came with destructive disk-wiping tools designed to destroy engineering workstations running Windows, Linux, and Solaris, in an attempt to thwart recovery operations when the attackers' planned power blackout hit. Industroyer was the first known malware able to shut out the lights, and it can communicate with ICS hardware in electrical substations — circuit breakers and protective relays, for instance — via popular industrial network protocols.
Even after the high-profile foiling of the Industroyer2 attack attempt on Ukraine in April, Sandworm continues to relentlessly hammer at Ukraine's cyber defenses. "It didn't end with Industroyer2. It continues today," says Lipovsky, who with ESET senior malware researcher Anton Cherepanov will share their insiders' view of Sandworm and dissect the group's Industroyer2 malware at Black Hat USA in Las Vegas next month.
"There are more wipers today … and new execution chains being used," he says.
Most of the current attack attempts by Sandworm against Ukraine's infrastructure now carry disk-wiping weapons. "We've seen disruption activity [attempts] at an increased rates since February," he says, when Russia first invaded Ukraine. Intel-gathering via cyber-espionage attacks also has been active, he adds, noting that while Sandworm is the most prominent Russian threat actor targeting Ukraine, it's not the only one.
Industroyer2 up Close
In their Black Hat talk, Lipovsky and Cherepanov plan to reveal more technical details about Sandworm that haven't yet been made public, as well as share recommendations for utilities to defend against the nation-state group's attacks.
Lipovsky and his team describe Industroyer2 as a simpler, more streamlined version of the first version. Unlike the first Industroyer, Industroyer2 speaks just one OT protocol, IEC 104. The original version used four different industrial protocols. It's likely more efficient and focused that way: "[IEC 104 is] one of most common [OT] protocols and a regional thing" in Europe, he notes.
The disk-wiping capabilities with Industroyer2 eclipse that of the first version. "The first one was a framework with multiple components, and it was also calling additional modules that were there for wiping," he says. Industroyer2 is more "self-contained" and offers wipers as separate executables, he says, malware weapons that have been discovered in other recent cyber incidents.
CaddyWiper is the main disk wiper used with Industroyer2. Sandworm pointed CaddyWiper at a Ukrainian bank 24 hours before Russia invaded Ukraine in February, at a government agency in early April, and on some Windows workstations at the targeted Ukrainian energy firm. Sandworm also set destructive malware programs ORCSHRED, SOLOSHRED, and AWFULSHRED on Linux and Solaris workstations there. And, as a final touch, Sandworm had scheduled CaddyWiper to execute on April 8 as a way to erase all evidence of Industroyer2, but it was blocked.
Interestingly, Sandworm does not typically wipe domain controllers, so as not to disrupt its own foothold in the victim's network. "They wipe regular workstations to disrupt a target's operations, but they want to keep their presence once they've infiltrated an environment," Lipovsky says.
Even with all that ESET and other researchers now know about Industroyer2, there is still no full picture of the initial attack vector in the Industroyer2 attack on the Ukrainian energy firm. CERT-UA said the attack appeared to be in two stages, the first one likely in February of this year and the other in April, when the goal was to disconnect the electrical substations and sabotage the power operations on April 8.
Defense Against Industroyer, Sandworm
While Industroyer2 has been trained on Ukraine, its emergence has shaken the OT industry. "Industroyer was a wake-up call for the whole ICS community. This is a serious threat," Lipovsky says.
The playbook for protecting an OT network from Industroyer and related attacks isn't much different than others. "It's what we've always been saying: Have visibility into the environment; have EDR, XDR tools; multiple layers of security in the stack; and access controls," Lipovsky says.
In their talk at Black Hat Lipovsky and Cherepanov also will share EDR rules, configuration suggestions to stop lateral movement, and rules for Snort and YARA tools
They also plan to reiterate that engineering workstations in OT networks have become major targets, so they have to be part of the security equation. "A lot of SCADA software and monitoring is happening on regular workstations that run Windows or Linux. These machines should have the appropriate security measures and solutions that are multilayered," including running EDR or XDR tools, he says.