A botched malware attack on the Ukrainian electricity grid could have disrupted the energy supply for two million people, it emerged yesterday. The cyberattack, which used an updated version of the Industroyer malware that caused blackouts in Kyiv in 2016, may indicate a growing readiness by Russia to hit Ukraine’s critical national infrastructure with destructive cyberattacks as its war effort founders.
Malware capable of disrupting industrial control systems has been detected at electrical substations in Ukraine, the country’s Computer Emergency Response Team (CERT) and security provider ESET revealed yesterday. If successful, the attack could have cut off the electricity supply for two million people, Ukrainian officials said.
The attack incorporated a new variant of the Industroyer malware that was used in a successful destructive cyberattack on an electrical substation near Kyiv in 2016. ESET has attributed the attack to Russian APT Sandworm “with a high degree of confidence”.
Attackers succeeded in infecting computers at some electrical substations with the Industroyer2 malware in February, Ukraine’s digital transformation minister Victor Zhora said in a press conference yesterday, but the destructive phase of the attack did not take place.
What is Industroyer2?
The original Industroyer malware was first detected following a successful cyberattack on an electricity substation outside Kyiv in December 2016. The malware was programmed to disrupt control systems at a predetermined time, and did not require an internet connection to execute.
In 2017, ESET described Industroyer as the “biggest threat to industrial control systems since Stuxnet”, the malware that targeted Iranian nuclear power plants and revealed the insecurity of industrial systems. The malware is highly customisable, ESET said, meaning it can be tailored to attack a wide variety of control systems.
Industroyer2 is a more focused version of Industroyer, according to ESET’s latest analysis, targeting a specific protocol used to control power plants or substations remotely.
Unlike the original variant, which used a separate .INI file, Industroyer2’s configurations are hard-coded into the malware itself. “Thus, attackers need to recompile Industroyer2 for each new victim or environment,” ESET said. “However, given that the Industroyer* malware family has only been deployed twice, with a five-year gap between each version, this is probably not a limitation for Sandworm operators.”
The attack included various other technical components, including Sandworm’s Cyclops Blink botnet, “which Sandworm relies on for communication with Industroyer2 malware,” says Jon DiMaggio, chief security strategist at threat intelligence provider Analyst1. “The malware uses Cyclops Blink to obtain configuration parameters and other necessary information required for it to execute properly.”
Last week, the FBI took down the Cyclops Blink botnet as part of an ongoing crackdown on the infrastructure used by Russia’s APTs.
Cyberattacks on Ukraine’s critical infrastructure may increase
Russia had been expected to deploy destructive cyberattacks to bolster its invasion of Ukraine, but initial attacks were mostly superficial.
However, destructive attacks on critical national infrastructure may intensify as Russia becomes increasingly desperate to secure victory, says Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.
“As time draws on, Russia’s military efforts and scope of targeting may broaden through a desperation to find an end to the conflict,” he says. “It is highly likely that destructive malware will continue to be used throughout the conflict, particularly as the rate of attrition hits Russia’s military and sanctions continue to cause havoc for Russia’s economy.”