Ukraine, ESET Foil Cyberattack On Energy Grid

Russian cyber offensive? Ukraine government and ESET confirm Russian GRU attempted to hack Ukraine’s energy grid last week

After Russia’s defeat of its attempt to conquer Kyiv, Moscow has switched its focus and military forces to the east of that country.

As part of this strategic change, Russia last week attempted to hack Ukraine energy grid, a noted security specialist and the Ukraine government confirmed.

Slovakia-based cybersecurity specialist ESET and the Ukraine Computer Emergency Response Team (CERT-UA) announced on Tuesday that Russian military hackers from the GRU had tried and failed to attack Ukraine’s energy infrastructure last week.

Ukraine - Shutterstock - © Mykhaylo Palinchak

Energy grid

ESET it should be remembered was the security firm that discovered data wiper malware used in Ukraine on the day before Russia’s invasion, on hundreds of computers, which ESET named HermeticWiper.

Now ESET has provided an indepth analysis of an attack against the unnamed Ukrainian energy company, and discovered a new variant of Industroyer malware which they, together with CERT-UA, named Industroyer2.

Industroyer is an infamous piece of malware that was used in 2016 by the Sandworm APT group to cut power in Ukraine.

The Sandworm attackers made an attempt to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine, ESET reported.

In addition to Industroyer2, Sandworm used several destructive malware families including CaddyWiper, ORCSHRED, SOLOSHRED and AWFULSHRED.

ESET first discovered CaddyWiper on 2022-03-14, when it was used against a Ukrainian bank, and a variant of CaddyWiper was used again on 2022-04-08 14:58 against the Ukrainian energy provider previously mentioned.

Russia’s GRU

The attack was designed to infiltrate computers connected to multiple substations, then delete all files, which would shut that infrastructure down, according to Ukraine’s summary of the incident.

ESET said the attack was conducted by the same arm of Russia’s military intelligence agency, GRU, that had previously successfully executed similar attacks in 2014 and 2015.

In both of those incidents, some residents of Kyiv temporarily lost power.

This latest attack had been planned for at least two weeks, ESET said, and comes as Russia gears up for a fresh offensive in the east of Ukraine.

Ukraine has been utilising the help and assistance of ESET, Microsoft and others to help defend the country online.

Critical infrastructure

“Ukraine is once again at the center of cyberattacks targeting their critical infrastructure,” said ESET. “This new Industroyer campaign follows multiple waves of wipers that have been targeting various sectors in Ukraine. ESET researchers will continue to monitor the threat landscape in order to better protect organisations from these types of destructive attacks.”

Ukraine officials confirmed that the malware did successfully infiltrate some computers in Ukraine’s energy sector and caused disruptions at one facility.

But that was quickly remedied and no customers lost power.

The fact that Ukraine’s power and communications networks have by and large withstood cyberattacks and military action is a testament to how well Ukraine has prepared its cyberdefences and hardened its communications and electrical networks.

“The nature of this attack is one that everyone in the international critical infrastructure community should note, as it’s one of a handful of attacks that has directly hit OT systems,” noted Chris Grove, director, cybersecurity strategy at Nozomi Networks.

“According to Nozomi Networks Labs, there have been reports of some hardcoded IPs in the malware sample, which is an indication that the threat actors had intimate knowledge of the environment they were deploying this in,” said Grove.

“Much like the similar malware that Sandworm deployed in Ukraine in 2016, ICS operators must monitor their networks for any strange activity, as Russian tactics prove to sit in environments for weeks to months before executing these attacks,” Grove concluded.