Russian Group Sandworm Foiled in Attempt to Disrupt Ukraine Power Grid

Published: 23/11/2024   Category: security




The attack involved the use of a new version of the Industroyer tool for manipulating industrial control systems.



Ukraine's computer emergency response team (CERT-UA), in collaboration with researchers from ESET and Microsoft, last week foiled a cyberattack on an energy company that would have disconnected several high-voltage substations from a section of the country's electric grid on April 8.
The attack, by Russia's infamous Sandworm group, involved the use of a new, more customized version of Industroyer, a malware tool that the threat actor first used in Dec. 2016 to cause a temporary power outage in Ukraine's capital, Kyiv. In addition to the ICS-capable malware, the latest attack also featured destructive disk-wiping tools for the energy company's Windows, Linux, and Solaris operating system environments that were designed to complicate recovery efforts.
The Russian cyber-assault, in the middle of the country's grinding war in Ukraine, has stirred concern about similar attacks on other energy companies in Ukraine and outside the country as well. It prompted CERT-UA to distribute indicators of compromise and other attack artifacts to energy companies in Ukraine and to what it described as a limited number of international partners.
Andrii Bezverkhyi, CEO of SOC Prime, who is currently in Ukraine as a consultant with CERT-UA, says energy companies everywhere need to view the latest Sandworm cyber operation as a signal of escalation and be on high alert.
"They have capability to strike synchronously across entire [industries or geographies]," Bezverkhyi says. He advises that energy companies everywhere hone up on Sandworm's tactics, techniques, and procedures so they can better detect and protect against the threat actor.
A Dangerous, Persistent Threat
Sandworm is an advanced persistent threat actor linked to a special technology operations group at the Russian General Staff Main Intelligence Directorate (GRU). The group has been associated with several high-profile and destructive attacks over the years — most notably on Ukraine's electricity system. In 2015, Sandworm used malware called BlackEnergy in an attack that took down a swathe of Ukraine's power grid for several hours.
In 2016, it used Industroyer to similar effect in Ukraine and then followed up the next year with destructive data-wiping attacks using the NotPetya malware tool. The Sandworm group is also thought to be behind denial-of-service attacks in the country of Georgia, as well as a campaign that targeted the 2018 Winter Olympics.
Industroyer, the threat actor's weapon of choice in the latest attack, is malware specifically made to disrupt equipment associated with electric grids. Previous research by ESET and Dragos has shown the malware to be designed to allow threat actors to gain remote control of switches and circuit breakers in high-voltage substations and to manipulate them in such a way as to trigger disruptions. For example, the version of the malware used in the 2016 Ukraine attack could be used to force circuit breakers to remain open, resulting in the substation becoming de-energized.
The malware also allowed attackers in 2016 to essentially disconnect a substation from the rest of the grid by continuously toggling circuit breakers between on and off until protective measures kicked in to island off the substation — and trigger a blackout on that section of the grid.
One key feature of Industroyer is that it does not exploit any vulnerabilities, nor is it limited to attacking a single vendor's technology. Rather, the malware — as used in the 2016 attacks — employs different industrial control protocols to communicate directly with systems in industrial control environments.
Jean-Ian Boutin, director of threat research at ESET, says the new version of the malware, Industroyer2, uses only one protocol to communicate with industrial equipment. "The original version was modular and used four industrial protocols," he says. "The reason why the new version uses just one hardcoded configuration is likely because it is easier to deploy. The malware uses industrial protocol IEC-104, which communicates directly with equipment. It can switch circuit breakers in protection relays [and] could lead to a blackout."
"The malware's sophistication suggests that it was tested in an industrial environment like the one that was targeted, with similar equipment and servers," he says.
CERT-UA said the goal of the attackers appears to have been to decommission not just high-voltage electric substations but also other infrastructure elements using different malware tools designed to disrupt the energy company's Windows, Linux, and Solaris servers. Among the tools that Sandworm deployed on the energy company's network was a Windows disk wiper called CaddyWiper and similar disk-wiping tools dubbed Orcshred, Soloshred, and Awfulshred for Linux and Solaris systems.
"Attackers wanted to wipe data on these servers, which would make it hard to recover quickly following an attack," Boutin says.
It's unclear how Sandworm gained initial access to the energy company's network or how it might have moved from the corporate network to the ICS systems. According to CERT-UA, the data suggests at least two waves of attacks on the company — one likely in February and the other in April. The disconnection of electrical substations and the decommissioning of the company's infrastructure was scheduled for Friday evening, April 8, it said.
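Boutin's point above is that Industroyer2 speaks IEC-104 directly to the equipment, so the command-direction traffic it generates looks protocol-valid. A defender-side check therefore has to reason about the protocol content, not just the connection. The script below is an added example and is not code from the article, CERT-UA, ESET, or any Industroyer analysis: it parses IEC 60870-5-104 frames far enough to recognise the control-direction ASDU types that operate switchgear (single and double commands, type identifiers 45 and 46, with cause of transmission 6 = activation), and raises an alert when such an activation arrives from a host that is not on an allow list of legitimate SCADA/HMI systems. The sample frames, the host addresses, and the allow list are constructed for illustration; the type identifiers, cause-of-transmission value, and field layout are the standard ones.

```python
"""Allow-list check for IEC-104 control commands (added example, constructed data)."""
import struct
from dataclasses import dataclass
from typing import Optional, List, Set, Tuple

# ASDU type identifiers defined in IEC 60870-5-101/104 (standard values).
C_SC_NA_1 = 45     # single command: one-bit switch state (e.g. open/close)
C_DC_NA_1 = 46     # double command: two-bit off/on with explicit invalid states
C_IC_NA_1 = 100    # station interrogation: read-only, benign
CONTROL_TYPES = {C_SC_NA_1: "single command", C_DC_NA_1: "double command"}
COT_ACTIVATION = 6  # cause of transmission: the controlling station activates a command


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_addr: int
    ioa: int
    command: Optional[int]   # raw SCO/DCO qualifier byte for control types, else None


def parse_apdu(data: bytes) -> Optional[Asdu]:
    """Parse one IEC-104 APDU (APCI + ASDU).

    Returns the ASDU of an I-format frame, or None for S-/U-format frames,
    which carry only sequence-number or link-control information.
    """
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC-104 APDU (missing 0x68 start byte)")
    if data[1] + 2 != len(data):
        raise ValueError("APDU length field does not match frame size")
    if data[2] & 0x01:              # control-field bit 0 set: S- or U-format, no ASDU
        return None
    asdu = data[6:]
    if len(asdu) < 9:               # 6-byte ASDU header + 3-byte information object address
        raise ValueError("ASDU too short")
    type_id = asdu[0]
    cot = asdu[2] & 0x3F            # low 6 bits; bit 6 = negative confirm, bit 7 = test flag
    common_addr = struct.unpack("<H", asdu[4:6])[0]
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    command = asdu[9] if type_id in CONTROL_TYPES and len(asdu) > 9 else None
    return Asdu(type_id, cot, common_addr, ioa, command)


def flag_command(src_ip: str, data: bytes, allowed_hosts: Set[str]) -> Optional[str]:
    """Policy: control-command activations may only come from known SCADA/HMI hosts.

    Returns an alert string, or None when the frame needs no attention.
    """
    asdu = parse_apdu(data)
    if asdu is None or asdu.type_id not in CONTROL_TYPES or asdu.cot != COT_ACTIVATION:
        return None
    if src_ip in allowed_hosts:
        return None
    kind = CONTROL_TYPES[asdu.type_id]
    if asdu.command is None:
        return f"ALERT: truncated {kind} from unexpected host {src_ip}"
    select = "select" if asdu.command & 0x80 else "execute"   # S/E bit of the qualifier
    return (f"ALERT: {kind} ({select}) to CA={asdu.common_addr} IOA={asdu.ioa} "
            f"from unexpected host {src_ip}")


# Constructed sample traffic (not captured data). Hosts and frames are assumptions.
ALLOWED_HMI = {"10.0.0.10"}        # assumed: the plant's legitimate SCADA server
SAMPLES: List[Tuple[str, bytes]] = [
    # S-format acknowledgement: carries no ASDU
    ("10.0.0.10", bytes.fromhex("680401000200")),
    # monitoring direction: single-point information, spontaneous (COT 3), IOA 5
    ("10.0.0.50", bytes.fromhex("680e0000000001010300010005000001")),
    # station interrogation (type 100) from the HMI: read-only
    ("10.0.0.10", bytes.fromhex("680e0000000064010600010000000014")),
    # single command, activation (COT 6), CA 1, IOA 1, execute: expected from the HMI
    ("10.0.0.10", bytes.fromhex("680e000000002d010600010001000001")),
    # the same command from a workstation that is not on the allow list
    ("10.0.0.77", bytes.fromhex("680e000000002d010600010001000001")),
]


def scan(samples=SAMPLES, allowed=ALLOWED_HMI) -> List[str]:
    """Run the policy over (source host, frame) pairs and collect alerts."""
    alerts = []
    for src, frame in samples:
        alert = flag_command(src, frame, allowed)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in scan():
        print(line)
```

The check keys only on who sends control activations, which is the property a substation network can state precisely: in normal operation the set of hosts that may command breakers is small and static, so any command activation from outside that set is worth an alert regardless of whether the frame is well formed. A production version would feed the same parser from a network tap and could additionally track that each activation is answered by an activation confirmation from the outstation, but the allow-list rule above is the part that does not depend on any particular malware sample.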
Maturing Capabilities
Bezverkhyi says the attack shows the Russian threat actor has matured its capabilities to a point where it can cause damage to power grids at multiple levels: ICS equipment, network devices, and operating workstations and servers.
"If an attack is fully successful, recovery of operations would take days, if not weeks," he says. Sandworm is known for using highly autonomous malware with multivector decision trees, Bezverkhyi says. In this attack, the binaries were compiled per target and contained a unique set of instructions per target, apparently to increase the likelihood of the attack's success.
Though the initial entry vector remains unclear, Sandworm's past attacks involved the use of valid accounts and exploitation of remote services for initial access, Bezverkhyi says. Sandworm also has demonstrated an ability to get access to the latest exploits, he says, pointing to the group's use of the NSA-developed EternalBlue exploit during its NotPetya campaign.
Beyond initial access, Sandworm heavily relies on living-off-the-land techniques such as using the task scheduler in Windows or the cron job scheduler in Unix to deploy malware and escalate privileges. "All the techniques, beyond exploitation, are quite known and observed in the wild since 2019," he says.
Luke McNamara, principal analyst at Mandiant, points out that one notable TTP in the latest attacks is the reported utilization of Group Policy Objects (GPOs) for propagation within victim networks in several cases. "This highlights the importance of hardening defenses around Active Directory," he says.
Russian threat actors have certainly demonstrated the capability to disrupt Ukraine's energy grid in the past, McNamara notes. "The added complexity now is that all of this is taking place during Russia's military invasion into Ukraine, when even short-term disruptions of energy infrastructure could have cascading effects on the battle space and the populace," he says.