Russia’s invasion of Ukraine in early 2022 reignited fighting in the region, but also escalated an ongoing cyberwar. At the Black Hat security conference, security researchers from ESET examined the Industroyer2 malware, which was designed to cause a mass blackout in Ukraine.
Enter Industroyer2
In their talk, the ESET researchers traced the lineage of the Industroyer2 malware to a 2013 attack on the Ukrainian power grid using the BlackEnergy malware—“the first ever blackout caused by a cyberattack,” according to Robert Lipovsky, the Principal Threat Intelligence Researcher at ESET.
About a year later, a second power grid attack knocked out power in cities across Ukraine. But unlike the first attack, this one featured the debut of the Industroyer malware, which Lipovsky says was only the second piece of malware after Stuxnet “designed to cause physical damage to industrial hardware.”
Fast forward to Russia’s invasion of Ukraine in 2022, and ESET spotted a new version of the malware it dubbed Industroyer2. This time, the attack was thwarted, avoiding dire consequences. “Had the attack been successful, theoretically more than 2 million people could have been left in the dark,” Lipovsky says. “In our opinion, this was the most significant cyberattack, even if unsuccessful, in the war thus far.”
In their presentation, the researchers identified the Sandworm APT group as responsible for creating and deploying these attacks. The US Department of Justice previously charged six members of Russia’s GRU military intelligence agency for activities tied to the Sandworm APT group. Why Sandworm? Well, as Lipovsky explains, this group has a penchant for using names related to Frank Herbert’s Dune. Yes, really.
Examining the Malware
An important part of both Industroyer and Industroyer2 is their use of industrial protocols that can communicate with the circuit breakers and other mechanisms found in power substations. The original Industroyer was equipped with four such protocols, but Industroyer2 only uses the IEC-104 protocol. This protocol is used in many power grids, but it’s vulnerable, as it was “designed decades ago without focusing on security,” Lipovsky explains.
His co-researcher Anton Cherepanov, Senior Malware Researcher at ESET, stresses that the protocol’s lack of security is critical for the attack. “[Industroyer2] does not exploit any vulnerabilities at all, it exploits the protocol as it was intended to be used.”
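Because IEC 60870-5-104 carries no authentication, a substation device will act on any well-formed control command it receives, so detection has to come from the network: parse the APDUs and flag control-direction commands (single command type 45, double command type 46, and their variants) that do not originate from the known SCADA master. The following is an added example of that check, not code from ESET or from the malware; the master address 10.0.0.5 and the sample frames are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Control-direction ASDU types from IEC 60870-5-104 that operate field equipment
CONTROL_TYPES = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
                 47: "C_RC_NA_1 regulating step", 58: "C_SC_TA_1 single command (time)",
                 59: "C_DC_TA_1 double command (time)"}
ALLOWED_MASTERS = {"10.0.0.5"}  # constructed: the only host permitted to issue commands

@dataclass
class Apdu:
    fmt: str                      # "I" (data), "S" (supervisory) or "U" (unnumbered)
    type_id: Optional[int] = None
    cot: Optional[int] = None     # cause of transmission, low 6 bits (6 = activation)
    common_addr: Optional[int] = None
    ioa: Optional[int] = None     # information object address of the first object

def parse_apdu(buf: bytes) -> Tuple[Apdu, bytes]:
    """Parse one APDU (APCI + optional ASDU) from buf and return it with the remaining bytes."""
    if len(buf) < 6 or buf[0] != 0x68:
        raise ValueError("not an IEC-104 APDU (missing 0x68 start byte)")
    apdu_len = buf[1]                       # length of control field + ASDU
    if apdu_len < 4 or len(buf) < 2 + apdu_len:
        raise ValueError("truncated APDU")
    ctrl, body, rest = buf[2:6], buf[6:2 + apdu_len], buf[2 + apdu_len:]
    if ctrl[0] & 0x01 == 0:
        fmt = "I"
    elif ctrl[0] & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    if fmt != "I" or len(body) < 9:         # S/U frames carry no ASDU
        return Apdu(fmt), rest
    common_addr = struct.unpack("<H", body[4:6])[0]
    ioa = body[6] | body[7] << 8 | body[8] << 16
    return Apdu(fmt, body[0], body[2] & 0x3F, common_addr, ioa), rest

def inspect(src_ip: str, payload: bytes) -> List[str]:
    """Return one alert per control command sent by a host that is not an allowed master."""
    alerts, buf = [], payload
    while buf:
        apdu, buf = parse_apdu(buf)
        if apdu.type_id in CONTROL_TYPES and src_ip not in ALLOWED_MASTERS:
            alerts.append(f"{src_ip}: {CONTROL_TYPES[apdu.type_id]} COT={apdu.cot} "
                          f"CA={apdu.common_addr} IOA={apdu.ioa}")
    return alerts

# Constructed sample: U-frame STARTDT act, then a single command (type 45, COT 6, CA 1, IOA 1100)
SAMPLE = bytes.fromhex("68040700 0000") + bytes.fromhex("680E00000000 2D010600 0100 4C0400 01")
```

Run `inspect("10.0.0.77", SAMPLE)` to see the alert for an unexpected source; the same payload from 10.0.0.5 produces none.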
Both Industroyer and Industroyer2 deploy along with a bevy of other malware. Some is intended to help the malware spread on the infected network, while another is fake ransomware intended to disguise the real function of the malware. Lipovsky hypothesizes that the attackers may have deployed the fake ransomware after it was clear that researchers had discovered the malware.
A key part of both Industroyer attacks is the use of wipers—that is, malware that messes up machines so badly that they won’t boot. This hinders discovery of the malware’s real purpose, and makes it harder to mitigate the attack once it begins.
Although neither version of Industroyer was completely successful, they’re still a major—albeit manageable—threat, Lipovsky says. “It should not be hyped, but not downplayed or understated.”
On the Front Lines
A surprise addition to the presentation came from Victor Zhora, Deputy Chair of the State Service of Special Communications and Information Protection of Ukraine. Zhora explained how the Ukrainian government is actively following up on tips from industry, particularly ones related to the energy sector. Investigating unusual activity like that is what he said led to the discovery and mitigation of Industroyer2.
There was some luck, too. The creators of Industroyer2 hardcoded a trigger time of 5:58 p.m. Zhora speculates that this was chosen because, being late in the day, it was likely that infected workstations would still be turned on but not being actively monitored as people prepared to end their workday.
“These attackers missed one very important thing,” explains Zhora. “Friday is a short working day.” By the time the triggers should have activated, most infected workstations were already shut off.
Zhora was careful to thank the security companies that assisted Ukraine, “in our struggle for existence.” He emphasized that Industroyer2 is a “destructive action focused completely on civilian infrastructure.”
“This is perhaps the biggest challenge for the world since World War II,” says Zhora. “And it’s happening in cyberspace.”
Keep reading PCMag for the latest from Black Hat.