Industroyer2: Sandworm's Cyberwarfare Targets Ukraine's Power Grid Again

Presented at Black Hat USA 2022, Aug. 10, 2022, 10:20 a.m. (40 minutes)

Industroyer2 – a new version of the only malware to ever trigger electricity blackouts – was deployed in Ukraine amidst the ongoing Russian invasion. Like in 2016 with the original Industroyer, the aim of this recent cyberattack was to cause a major blackout – this time against more than two million people, and with components that amplify the impact and make recovery harder.

We believe the malware authors and attack orchestrators are the notorious Sandworm APT group, attributed by the US DoJ to Russia's GRU.

Our talk covers the technical details: our reverse engineering of Industroyer2, and a comparison with the original. Industroyer is unique in its ability to communicate with electrical substation ICS hardware – circuit breakers and protective relays – using dedicated industrial protocols. While Industroyer contains implementations of four protocols, Industroyer2 "speaks" just one: IEC-104.

We also provide a higher-level analysis of the attackers' modus operandi and discuss why and how the attack was mostly unsuccessful. One of the most puzzling things about Industroyer has been the stark contrast between its sophistication and its impact: a blackout lasting one hour in the middle of the night is not the worst it could've achieved. Industroyer2 didn't even accomplish that.

Even though it didn't cause any significant outage, the attack did cause disruption – mostly through multiple pieces of destructive wiper malware, including CaddyWiper. We discuss this and other malware accompanying Industroyer2, and other cyberattacks we have discovered in Ukraine, since Russia's 2022 invasion, and in the eight years since the war in Donbas began.

Finally, we present actionable advice for defenders, including: log entries to check; EDR rules to consider; configuration options to hamper Sandworm compromise and lateral movement; and detection/hunting rules for Snort and YARA. Drawing on our extensive experience tracking Sandworm, we aim to leave attendees better able to protect their infrastructure and hunt for traces of Sandworm.

Presenters:

  • Robert Lipovsky - Principal Threat Intelligence Researcher, ESET
    Robert Lipovsky is a Principal Threat Intelligence Researcher for ESET, with 15 years' experience in cybersecurity and a broad spectrum of expertise covering targeted APTs, crimeware, as well as vulnerability research. He is responsible for threat intelligence and malware analysis and leads the Malware Research Team at ESET headquarters in Bratislava. He is a regular speaker at security conferences, including Black Hat USA, RSA Conference, Virus Bulletin, BlueHat, ATT&CKcon, Gartner Security & Risk Management Summit, and various NATO-organized conferences. He also teaches reverse engineering at the Slovak University of Technology – his alma mater – and at Comenius University. When not bound to a keyboard, he enjoys traveling, playing guitar and flying single-engine airplanes. Follow Robert on Twitter @Robert_Lipovsky
  • Anton Cherepanov - Senior Malware Researcher, ESET
    Anton Cherepanov is a Senior Malware Researcher for ESET; his responsibilities include the hunting for and analysis of the most complex threats. He has done extensive research on cyberattacks in Ukraine and uncovered the origins of the NotPetya attack. He has presented his research at numerous conferences, including Black Hat USA, Virus Bulletin and CARO Workshop. His interests focus on reverse engineering and malware analysis automation. Follow Anton on Twitter @cherepanov74