On April 12, the Ukrainian CERT (CERT-UA) reported that the Russian Sandworm Team had targeted high-voltage electrical substations in Ukraine using a new variant of the malware known as Industroyer (aka Crash Override). The Sandworm Team, which is associated with the Russian GRU, previously used the original Industroyer variant against the Ukrainian power grid in December 2016, causing a portion of Kyiv to lose power for over an hour. The new variant, dubbed Industroyer2, interacts directly with electrical utility equipment, sending commands to the substation devices that control the flow of power. The threat actors planted the malware on systems within a regional Ukrainian energy firm and are believed to have gained access in early February 2022. The attack was detected and mitigated before a blackout occurred; had it succeeded, roughly two million people would have been affected.
In addition to deploying Industroyer2, Sandworm also dropped several wipers, including CaddyWiper, which was first seen on March 14 targeting Ukrainian organizations. Researchers believe the wipers were likely intended to slow recovery and prevent the energy company's operators from regaining control of their industrial control system (ICS) consoles. CaddyWiper was also observed on the same machine where Industroyer2 was executed, likely to cover the attackers' tracks. Beyond CaddyWiper, destructive malware for Linux and Solaris systems was also found on the targeted energy company's network. It was deployed by a Linux worm called OrcShred, which propagates over SSH to spread two wipers: AwfulShred, the lightly obfuscated Linux variant, and SoloShred, the unobfuscated Solaris variant. Both aim to wipe system disks and render the machines inoperable. The attackers are believed to have obtained credentials before the attack, which is what enabled the wipers to spread.
At the time of writing, the initial access vector and the means by which the threat actors moved laterally from the IT network to the ICS network are not yet known. IronNet is closely monitoring updates on Industroyer2 and the attack campaign for additional information, and is also tracking wider reports on other APT tools targeting ICS/SCADA systems. This includes the PIPEDREAM (aka INCONTROLLER) malware, which threat actors can use to scan for, compromise, and control affected devices once they have established initial access to an OT network. It particularly affects organizations using the following ICS/SCADA devices: Schneider Electric MODICON and MODICON Nano Programmable Logic Controllers (PLCs), OMRON Sysmac NJ and NX PLCs, and OPC Unified Architecture (OPC UA) servers.
IronNet will continue to track this threat and work with partners to ensure customers are protected. Given the threat to OT and ICS networks, we encourage organizations to take precautions and implement proactive mitigations to defend against potential compromise and disruption. This includes isolating ICS/SCADA systems and networks from corporate networks and using strong perimeter controls to limit any communications entering or leaving the ICS/SCADA perimeter. It also includes implementing and enforcing multi-factor authentication (MFA) to protect against the unauthorized use of compromised credentials. Additionally, we advise companies to maintain good offline backups, to enforce the principle of least privilege, and to restrict ICS/SCADA systems' network connections to an explicit allowlist of management and engineering workstations.
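The perimeter and allowlist recommendations above, worked through as an added example that is not IronNet's tooling and not part of the original post: a small Python policy checker that evaluates connection records against ICS zone boundaries and an explicit workstation-to-device allowlist, denying corporate-to-ICS crossings, ICS-initiated egress, and any engineering host or service pair that is not listed. The zones, addresses, ports (including TCP/2404, the registered port for IEC 60870-5-104) and the flow records are all constructed assumptions for illustration.

```python
"""Allowlist check for network flows crossing an ICS/SCADA perimeter.

Added example (not from CERT-UA, ESET or IronNet): every zone, address, port
and flow record below is a constructed assumption for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Assumed network zones.
ZONES = {
    "corporate": ip_network("10.1.0.0/16"),       # business IT
    "engineering": ip_network("10.20.5.0/24"),    # management/engineering workstations
    "ics": ip_network("192.168.100.0/24"),        # RTUs, PLCs, HMIs
}

# Assumed allowlist of (src host, dst host, dst port, proto). Anything into the
# ICS zone that is not listed here is denied. TCP/2404 is the registered port
# for IEC 60870-5-104; its presence is an assumption, not a claim about the
# targeted utility's equipment.
ALLOW = {
    ("10.20.5.10", "192.168.100.21", 2404, "tcp"),  # engineering WS -> RTU, IEC-104
    ("10.20.5.10", "192.168.100.21", 22, "tcp"),    # engineering WS -> RTU, SSH maintenance
    ("10.20.5.11", "192.168.100.30", 502, "tcp"),   # engineering WS -> PLC, Modbus/TCP
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(addr: str) -> str:
    """Map an address to a zone name, or 'unknown' if it is in none of them."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one flow against the perimeter policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "ics" not in (src_zone, dst_zone):
        return "allow", "does not touch the ICS zone"
    if src_zone == "ics" and dst_zone == "ics":
        # Intra-zone traffic is governed by segmentation inside the ICS network,
        # which this perimeter policy does not model.
        return "allow", "intra-ICS traffic"
    if "corporate" in (src_zone, dst_zone):
        return "deny", f"corporate<->ICS crossing ({src_zone}->{dst_zone})"
    if src_zone == "ics":
        return "deny", f"ICS-initiated egress to zone '{dst_zone}'"
    if src_zone != "engineering":
        return "deny", f"source zone '{src_zone}' may not reach ICS"
    if (flow.src, flow.dst, flow.dport, flow.proto.lower()) not in ALLOW:
        return "deny", "engineering host/service pair not on allowlist"
    return "allow", "allowlisted engineering workstation"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return every denied flow with its reason, in input order."""
    denied = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            denied.append((f, reason))
    return denied


# Constructed sample flows (not real telemetry).
SAMPLE_FLOWS = [
    Flow("10.20.5.10", "192.168.100.21", 2404, "tcp"),    # allowlisted IEC-104 session
    Flow("10.20.5.10", "192.168.100.21", 2404, "udp"),    # wrong protocol: not allowlisted
    Flow("10.1.7.42", "192.168.100.21", 2404, "tcp"),     # corporate host reaching an RTU
    Flow("192.168.100.21", "10.1.7.42", 443, "tcp"),      # RTU calling back into corporate
    Flow("10.20.5.12", "192.168.100.21", 22, "tcp"),      # unlisted workstation, SSH to RTU
    Flow("192.168.100.21", "192.168.100.22", 22, "tcp"),  # intra-ICS SSH (out of scope here)
    Flow("10.1.7.42", "10.1.9.9", 445, "tcp"),            # corporate-only traffic
    Flow("192.168.100.30", "198.51.100.7", 53, "udp"),    # PLC resolving names externally
    Flow("203.0.113.5", "192.168.100.30", 502, "tcp"),    # unknown source to PLC
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

The policy is deliberately default-deny at the ICS boundary: a flow is only allowed when the specific workstation, device, port and protocol are all listed, so a compromised corporate host, an unlisted engineering machine, or a device unexpectedly reaching out of the ICS zone each produce a denial with a distinct reason that can be alerted on. Intra-ICS traffic is passed through here only because segmentation within the ICS network is a separate control from the perimeter.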