CERT-UA (the Computer Emergency Response Team of Ukraine) and researchers at ESET have published a report describing how the Sandworm group, linked to Russian military intelligence (GRU), attacked the industrial control systems that manage part of Ukraine's high-voltage power grid in an attempt to disrupt its operation.
The attackers used malware built specifically to target the industrial control systems of high-voltage electrical substations. The attack was scheduled for execution in the week before the report was published, but the malware was detected and blocked before it could take effect. ESET, which assisted CERT-UA with the analysis and response, attributed the campaign with high confidence to Sandworm.
The malware is an updated version of Industroyer, the tooling Sandworm used in December 2016 to cause a blackout in part of Kyiv. The new variant reuses the same core functionality with modifications tailored to the targeted environment.
Analysis of the traces left by the modified Industroyer malware (named Industroyer2) shows that the attack, scheduled for 8 April, had been prepared for several weeks: CERT-UA assesses that the attackers first gained access to the victim network in February 2022, and the Industroyer2 sample was compiled in late March.
Notably, the attackers also deployed CaddyWiper, a data-wiping malware for Windows first observed in Ukraine in March 2022, on the same network. It was intended to run after Industroyer2 had disrupted the substations, wiping the operator workstations and engineering systems so that the operators would be slower to regain control of the grid, and destroying forensic evidence of the intrusion in the process.