Industroyer2 – a new version of the only malware to ever trigger electricity blackouts – was deployed in Ukraine amidst the ongoing Russian invasion. As in 2016 with the original Industroyer, the aim of this recent cyberattack was to cause a major blackout – this time affecting more than two million people, and with components that amplify the impact and make recovery harder.
We believe the malware authors and attack orchestrators are the notorious Sandworm APT group, attributed by the US DoJ to Russia's GRU.
Our talk covers the technical details: our reverse engineering of Industroyer2, and a comparison with the original. Industroyer is unique in its ability to communicate with electrical substation ICS hardware – circuit breakers and protective relays – using dedicated industrial protocols. While Industroyer contains implementations of four protocols, Industroyer2 "speaks" just one: IEC-104.
We also provide a higher-level analysis of the attackers' modus operandi and discuss why and how the attack was mostly unsuccessful. One of the most puzzling things about Industroyer has been the stark contrast between its sophistication and its impact: a blackout lasting one hour in the middle of the night is not the worst it could've achieved. Industroyer2 didn't even accomplish that.
Even though it didn't cause any significant outage, the attack did cause disruption – mostly through multiple pieces of destructive wiper malware, including CaddyWiper. We discuss this and the other malware accompanying Industroyer2, as well as other cyberattacks we have discovered in Ukraine since Russia's 2022 invasion and in the eight years since the war in Donbas began.
Finally, we present actionable advice for defenders, including: log entries to check; EDR rules to consider; configuration options to hamper Sandworm compromise and lateral movement; and detection/hunting rules for Snort and YARA. Drawing on our extensive experience tracking Sandworm, we aim to leave attendees better able to protect their infrastructure and hunt for traces of Sandworm.