Sandworm APT Trolls Researchers on Its Trail as It Targets Ukraine

Published: 23/11/2024   Category: security


Researchers who helped thwart the Russian nation-state group's recent attack on Ukraine's power supply will disclose at Black Hat USA what they found while reverse-engineering Industroyer2, the malware the group used.



The infamous Sandworm threat group, which operates out of Russia's military intelligence agency, the GRU, has no qualms about taunting researchers when it finds it is being watched. Just ask Robert Lipovsky and his fellow researchers at ESET, who got the message loud and clear when they dissected one of Sandworm's newer malware variants earlier this year: the attackers disguised the loader for one of their data wipers as a component of IDA Pro, the very same reverse-engineering tool the researchers had used to analyze the group's malware.
Lipovsky, principal threat intelligence researcher at ESET, knew it was no coincidence. Sandworm most likely was brazenly, and sarcastically, making the point that it knew ESET was on its trail. "There's no reason to use IDA Pro in an attack on an engineering substation because that's not a tool that would be used on that system," he explains. "It's fairly clear the attackers are fully aware we are onto them and blocking their threats. They are maybe trolling us, I would say."
That wasn't the only message Sandworm seemed to be sending. The group also dropped a trojanized version of ESET's security software in its targeting of Ukrainian networks. "They were sending a message that they were aware we are doing our job protecting the users in Ukraine," Lipovsky says.
Lipovsky was part of the ESET team that, along with Ukraine's computer emergency response team (CERT-UA) and Microsoft, in April blocked a Sandworm cyberattack on an energy company in Ukraine that used a new version of the group's game-changing Industroyer malware, Industroyer2. Had it not been thwarted in time, the attack would have knocked several high-voltage substations off part of the nation's electric grid.
Industroyer2 is a more targeted version of the original Industroyer, which Sandworm unleashed in December 2016, temporarily knocking out power in parts of Kyiv, the capital of Ukraine. The Industroyer2 attack attempt in April also came with destructive disk-wiping tools designed to destroy engineering workstations running Windows, Linux, and Solaris, in an attempt to hamper recovery once the attackers' planned blackout hit. Industroyer was the first known malware built specifically to cut power: it communicates with ICS hardware in electrical substations, such as circuit breakers and protective relays, over common industrial network protocols.
Even after the high-profile foiling of the Industroyer2 attack attempt in April, Sandworm continues to hammer relentlessly at Ukraine's cyber defenses. "It didn't end with Industroyer2. It continues today," says Lipovsky, who with ESET senior malware researcher Anton Cherepanov will share their insider's view of Sandworm and dissect the group's Industroyer2 malware at Black Hat USA in Las Vegas in August 2022.

"There are more wipers today … and new execution chains being used," he says.
Most of Sandworm's current attack attempts against Ukraine's infrastructure carry disk-wiping payloads. "We've seen disruption activity [attempts] at increased rates since February," he says, when Russia first invaded Ukraine. Intelligence-gathering via cyber-espionage attacks also has been active, he adds, noting that while Sandworm is the most prominent Russian threat actor targeting Ukraine, it's not the only one.
In their Black Hat talk, Lipovsky and Cherepanov plan to reveal technical details about Sandworm that haven't yet been made public, as well as share recommendations for utilities defending against the group's attacks.
Lipovsky and his team describe Industroyer2 as a simpler, more streamlined version of the original. Unlike the first Industroyer, Industroyer2 speaks just one OT protocol, IEC 104 (IEC 60870-5-104, the TCP/IP profile of the IEC 60870-5 telecontrol standard); the original spoke four (IEC 101, IEC 104, IEC 61850, and OPC DA). It is likely more efficient and focused that way: "[IEC 104 is] one of the most common [OT] protocols and a regional thing in Europe," he notes.
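As an added example, not code from ESET or from the article: the Python below decodes IEC 104 frames, the one protocol Industroyer2 speaks, far enough to tell a read-only general interrogation from a command that operates a breaker, and flags activation commands arriving from any host outside a list of known SCADA masters. The frame layout and type IDs (45 single command, 46 double command, 100 general interrogation) come from the IEC 60870-5-101/104 standard; the sample frames, the 10.0.0.x addresses, the IOA 4097 and the allow-list policy are constructed for the example and are not indicators from the incident.

```python
"""Decode IEC 60870-5-104 (IEC 104) APDUs and flag control-direction commands (breaker operations,
setpoints) from hosts that are not known SCADA masters. Added example on constructed frames."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
START_BYTE = 0x68
COT_ACTIVATION = 6   # cause of transmission 6 = "activation": a command is being issued
C_IC_NA_1 = 100      # general interrogation: read-only enumeration of the station's points
# Standard IEC 60870-5-101/104 type IDs for process information in the control direction,
# i.e. the ASDUs that actually operate switchgear or change setpoints.
COMMAND_TYPES = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
                 47: "C_RC_NA_1 regulating step", 48: "C_SE_NA_1 setpoint (normalized)",
                 49: "C_SE_NB_1 setpoint (scaled)", 50: "C_SE_NC_1 setpoint (float)",
                 51: "C_BO_NA_1 bitstring of 32 bits"}
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}

@dataclass
class InfoObject:
    ioa: int                       # information object address (3 bytes, little-endian)
    select: Optional[bool] = None  # S/E bit of the qualifier: True = select, False = execute
    state: str = ""                # decoded state for types 45/46/100, otherwise raw hex

@dataclass
class Apdu:
    fmt: str                       # "I" (numbered data), "S" (ack only) or "U" (link control)
    u_function: Optional[str] = None
    type_id: Optional[int] = None
    cot: Optional[int] = None
    common_addr: Optional[int] = None
    objects: List[InfoObject] = field(default_factory=list)

def _decode_element(type_id: int, b: int) -> Tuple[Optional[bool], str]:
    """One-byte qualifiers of the decoded types: SCO (45), DCO (46), QOI (100)."""
    if type_id == 45:   # SCO: bit0 = SCS (1 = ON), bit7 = S/E
        return bool(b & 0x80), "ON" if b & 0x01 else "OFF"
    if type_id == 46:   # DCO: bits0-1 = DCS (1 = OFF, 2 = ON), bit7 = S/E
        return bool(b & 0x80), {1: "OFF", 2: "ON"}.get(b & 0x03, "INVALID")
    return None, "station interrogation" if b == 20 else f"QOI={b}"

def parse_apdu(data: bytes) -> Apdu:
    if len(data) < 6 or data[0] != START_BYTE or data[1] < 4 or data[1] != len(data) - 2:
        raise ValueError("not a well-formed IEC 104 APDU")
    ctrl0 = data[2]
    if ctrl0 & 0x01:                         # control field bits 0-1: 01 = S-format, 11 = U-format
        fmt = "U" if ctrl0 & 0x02 else "S"
        return Apdu(fmt, u_function=U_FUNCTIONS.get(ctrl0) if fmt == "U" else None)
    asdu = data[6:]                          # I-format: the ASDU follows the 4-byte control field
    if len(asdu) < 6:
        raise ValueError("truncated ASDU header")
    type_id, sq, count = asdu[0], bool(asdu[1] & 0x80), asdu[1] & 0x7F
    cot = asdu[2] & 0x3F                     # mask off bit6 (P/N) and bit7 (test flag)
    apdu = Apdu("I", type_id=type_id, cot=cot, common_addr=struct.unpack_from("<H", asdu, 4)[0])
    body = asdu[6:]
    if type_id not in (45, 46, C_IC_NA_1) or sq:
        # Monitoring-direction data, undecoded command types or SQ=1 runs: keep IOA plus raw hex.
        apdu.objects.append(InfoObject(int.from_bytes(body[:3], "little"), state=body[3:].hex()))
        return apdu
    for i in range(count):                   # SQ=0: each object is a 3-byte IOA + 1-byte element
        chunk = body[4 * i:4 * i + 4]
        if len(chunk) < 4:
            raise ValueError("truncated information object")
        select, state = _decode_element(type_id, chunk[3])
        apdu.objects.append(InfoObject(int.from_bytes(chunk[:3], "little"), select, state))
    return apdu

def command_alerts(frames, trusted_masters) -> List[str]:
    """Alert on every activation command from a host outside the allow-list. The allow-list is this
    example's assumption; a real deployment would also baseline which IOAs each master may operate."""
    alerts = []
    for src, raw in frames:
        apdu = parse_apdu(raw)
        if (apdu.fmt != "I" or apdu.type_id not in COMMAND_TYPES
                or apdu.cot != COT_ACTIVATION or src in trusted_masters):
            continue
        for obj in apdu.objects:
            phase = "select" if obj.select else "execute"
            alerts.append(f"{src}: {COMMAND_TYPES[apdu.type_id]} {phase} {obj.state} "
                          f"CA={apdu.common_addr} IOA={obj.ioa}")
    return alerts

def _iframe(asdu: bytes, tx: int = 0, rx: int = 0) -> bytes:
    """I-format APCI: start byte, length, then send/receive sequence numbers shifted left by one."""
    return bytes([START_BYTE, 4 + len(asdu)]) + struct.pack("<HH", tx << 1, rx << 1) + asdu

def _asdu(type_id: int, cot: int, ca: int, ioa: int, element: int) -> bytes:
    """Single-object ASDU: type, VSQ=1, COT + originator 0, common address, IOA, 1-byte element."""
    return (bytes([type_id, 0x01, cot, 0x00]) + struct.pack("<H", ca)
            + ioa.to_bytes(3, "little") + bytes([element]))

# Constructed traffic, hypothetical addresses: the master at 10.0.0.5 opens the link, interrogates,
# then selects and executes breaker IOA 4097 ON; an unknown host at 10.0.0.77 sends an execute OFF.
SAMPLE_FRAMES = [
    ("10.0.0.5", bytes([START_BYTE, 0x04, 0x07, 0x00, 0x00, 0x00])),        # STARTDT act
    ("10.0.0.5", _iframe(_asdu(C_IC_NA_1, COT_ACTIVATION, 1, 0, 20))),       # interrogation
    ("10.0.0.5", _iframe(_asdu(45, COT_ACTIVATION, 1, 4097, 0x81), tx=1)),   # select ON
    ("10.0.0.5", _iframe(_asdu(45, COT_ACTIVATION, 1, 4097, 0x01), tx=2)),   # execute ON
    ("10.0.0.77", _iframe(_asdu(46, COT_ACTIVATION, 1, 4097, 0x01))),        # execute OFF
]
```

In a substation network only the SCADA masters should issue activation commands, so a command from any other source, or a select-before-operate sequence at an unexpected time, is a high-signal event. IEC 104 carries no authentication, so the decoder cannot distinguish a legitimate master from an attacker who has reached the OT segment; what it does is turn raw bytes into a record (source, type, select or execute, state, common address, IOA) that an IDS or SIEM rule can reason about, which is the visibility Lipovsky is asking for.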
The wiping side of the Industroyer2 operation also goes beyond the first version. "The first one was a framework with multiple components, and it was also calling additional modules that were there for wiping," he says. Industroyer2 itself is more self-contained, and the wipers ship as separate executables, malware that has also turned up in other recent cyber incidents.
CaddyWiper is the main disk wiper used with Industroyer2. Sandworm pointed CaddyWiper at a Ukrainian bank on March 14, a few weeks after Russia invaded Ukraine in February, at a government agency in early April, and at Windows workstations at the targeted Ukrainian energy firm. Sandworm also deployed the destructive ORCSHRED, SOLOSHRED, and AWFULSHRED programs against Linux and Solaris workstations there. And, as a final touch, Sandworm had scheduled CaddyWiper to execute on April 8, after Industroyer2 was due to run, to erase the evidence of the attack, but it was blocked.
Interestingly, Sandworm does not typically wipe domain controllers, so as not to disrupt its own foothold in the victim's network. "They wipe regular workstations to disrupt a target's operations, but they want to keep their presence once they've infiltrated an environment," Lipovsky says.
Even with all that ESET and other researchers now know about Industroyer2, there is still no full picture of the initial access vector used against the Ukrainian energy firm. CERT-UA said the attack appeared to unfold in two stages: the first likely in February of this year, and the second in April, when the goal was to disconnect the electrical substations and sabotage power operations on April 8.
While Industroyer2 has been aimed at Ukraine, its emergence has shaken the OT industry. "Industroyer was a wake-up call for the whole ICS community. This is a serious threat," Lipovsky says.
The playbook for protecting an OT network from Industroyer and related attacks isn't much different from any other. "It's what we've always been saying: Have visibility into the environment; have EDR, XDR tools; multiple layers of security in the stack; and access controls," Lipovsky says.
In their talk at Black Hat, Lipovsky and Cherepanov also will share EDR rules, configuration suggestions to stop lateral movement, and Snort and YARA rules.
They also plan to reiterate that engineering workstations in OT networks have become major targets, so they have to be part of the security equation. "A lot of SCADA software and monitoring is happening on regular workstations that run Windows or Linux. These machines should have the appropriate security measures and solutions that are multilayered, including running EDR or XDR tools," he says.
 
