Russian group Sandworm foiled in attempt to disrupt Ukraine power grid

Ukraine’s computer emergency response team (CERT-UA), in collaboration with researchers from ESET and Microsoft, last week foiled a cyberattack on an energy company that would have disconnected several high-voltage substations from a section of the country’s electric grid on April 8.

The attack, by Russia’s infamous Sandworm group, involved the use of a new, more customized version of Industroyer, a malware tool that the threat actor first used in Dec. 2016 to cause a temporary power outage in Ukraine’s capital Kyiv. In addition to the ICS-capable malware, the latest attack also featured destructive disk-wiping tools for the energy company’s Windows, Linux, and Solaris operating system environments that were designed to complicate recovery efforts.

The Russian cyber-assault, in the middle of the country’s grinding war in Ukraine, has stirred concern about similar attacks on other energy companies in Ukraine and outside the country as well. It prompted the CERT-UA to distribute indicators of compromise and other attack artifacts to energy companies in Ukraine and to what it described as a “limited number” of international partners.

Andrii Bezverkhyi, CEO of SOC Prime, who is currently in Ukraine as a consultant with CERT-UA, says energy companies everywhere need to view the latest Sandworm cyber operation as a signal of escalation and be on high alert.

“They have capability to strike synchronously across entire [industries or geographies],” Bezverkhyi says. He advises that energy companies everywhere hone up on Sandworm’s tactics, techniques, and procedures so they can better detect and protect against the threat actor.

A Dangerous, Persistent Threat
Sandworm is an advanced persistent threat actor linked to a special technology operations group at the Russian General Staff Main Intelligence Directorate (GRU). The group has been associated with several high-profile and destructive attacks over the years — most notably on Ukraine’s electricity system. In 2015, Sandworm used malware called BlackEnergy in an attack that took down a swathe of Ukraine’s power grid for several hours. In 2016, it used Industroyer to similar effect in Ukraine and then followed up the next year with destructive data-wiping attacks using the NotPetya malware tool. The Sandworm group is also thought to behind denial-of-service attacks in the country of Georgia, as well as a campaign that targeted the 2018 Winter Olympics.

Industroyer, the threat actor’s weapon of choice in the latest attack, is malware specifically made to disrupt equipment associated with electric grids. Previous research by ESET and Dragos have showed the malware to be designed to allow threat actors to gain remote control of switches and circuit breakers in high-voltage substations and to manipulate them in such a way as to trigger disruptions. For example, the version of the malware used in the 2016 Ukraine attack could be used to force circuit breakers to remain open, resulting in the substation becoming de-energized.

The malware also allowed attackers in 2016 to essentially disconnect a substation from the rest of the grid by continuously toggling circuit breakers between “on” and “off” until protective measures kicked in to “island” off the substation — and trigger a blackout on that section of the grid.

One key feature of Industroyer is that it does not exploit any vulnerabilities, nor is it limited to attacking a single vendor’s technology. Rather, the malware — as used in the 2016 attacks — employs different industrial control protocols to communicate directly with systems in industrial control environments.

To read the complete article, visit Dark Reading.