Five years ago, ESET researchers released their first analysis of malware designed specifically to attack the power grid.
On June 12th, 2017, ESET researchers released their findings on a unique piece of malware that could cause massive blackouts. Industroyer, as they named it, was the first known malware created specifically to target a power grid.
Indeed, Industroyer had been deployed a few months earlier, resulting in thousands of homes losing power for about an hour in parts of Kiev, Ukraine, on December 17th, 2016, after the malware hit a local electrical substation. A few days later, ESET malware researcher Anton Cherepanov began dissecting Industroyer.
A ticking bomb
Once planted, Industroyer spreads across the substation network looking for specific industrial control devices whose communication protocols it can speak. Then, like a time bomb going off, it apparently opened every circuit breaker at once, while thwarting any attempt by the substation operators to regain control: if an operator tried to close a breaker, the malware reopened it.
To cover its tracks, the malware deployed a data wiper designed to leave the substation's computers inoperable and delay the return to normal operation. In the event, the wiper failed, but the results could have been worse had it succeeded, especially in winter, when power outages can cause water-filled pipes to freeze and rupture.
A final malicious action by the malware attempted to disable some of the substation's protective relays, but this too failed. Had the protective relays not been in place, operators would have faced a high risk of damage to substation equipment when they finally restored electrical transmission.
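The two behaviours described above (many breakers opened in one burst, and a breaker that reopens right after an operator closes it) are exactly the kind of anomaly a substation operator would want flagged in an event log. The following is an added example, not code from ESET or from the analysis described on this page. It runs two simple detection heuristics over a constructed, made-up event log; the event kinds (`cmd_open`, `op_close`), breaker names and time windows are assumptions for illustration, not real protocol fields.

```python
# Added example: detection heuristics over a constructed breaker event log.
# Nothing here is real substation data; every value is made up for the demo.

def ev(ts, kind, breaker):
    """Build one log event: time in seconds, event kind, breaker id (assumed schema)."""
    return {"ts": float(ts), "kind": kind, "breaker": breaker}

# Constructed sample log. Event kinds used (assumed, not a real protocol):
#   "cmd_open"  - an open command observed on the substation network
#   "op_close"  - a close command issued from the operator's console
SAMPLE_EVENTS = [
    ev(50,    "cmd_open", "CB-05"),   # single open, e.g. planned maintenance
    ev(100,   "cmd_open", "CB-01"),   # burst: four breakers opened in 1.5 s
    ev(100.5, "cmd_open", "CB-02"),
    ev(101,   "cmd_open", "CB-03"),
    ev(101.5, "cmd_open", "CB-04"),
    ev(130,   "op_close", "CB-02"),   # operator closes CB-02 ...
    ev(132,   "cmd_open", "CB-02"),   # ... and it is reopened 2 s later
    ev(140,   "op_close", "CB-03"),   # operator closes CB-03 ...
    ev(155,   "cmd_open", "CB-03"),   # ... reopened 15 s later (outside the gap)
    ev(300,   "op_close", "CB-01"),   # operator closes CB-01, nothing follows
]


def detect_mass_open(events, window_s=5.0, min_breakers=3):
    """Flag windows in which at least min_breakers distinct breakers receive
    an open command within window_s seconds. Returns [(start_ts, [breakers])]."""
    opens = sorted((e["ts"], e["breaker"]) for e in events if e["kind"] == "cmd_open")
    alerts = []
    i = 0
    while i < len(opens):
        j = i
        while j < len(opens) and opens[j][0] - opens[i][0] <= window_s:
            j += 1
        breakers = {b for _, b in opens[i:j]}
        if len(breakers) >= min_breakers:
            alerts.append((opens[i][0], sorted(breakers)))
            i = j  # report the burst once, then resume after it
        else:
            i += 1
    return alerts


def detect_reopen_after_close(events, max_gap_s=10.0):
    """Flag a breaker that receives an open command within max_gap_s seconds
    of an operator close command. Returns [(breaker, close_ts, reopen_ts)]."""
    by_ts = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for idx, e in enumerate(by_ts):
        if e["kind"] != "op_close":
            continue
        for later in by_ts[idx + 1:]:
            if later["ts"] - e["ts"] > max_gap_s:
                break  # events are sorted, so nothing later can match
            if later["breaker"] == e["breaker"] and later["kind"] == "cmd_open":
                alerts.append((e["breaker"], e["ts"], later["ts"]))
                break
    return alerts


def run_detections(events):
    """Run both heuristics and return their findings together."""
    return {
        "mass_open": detect_mass_open(events),
        "reopen_after_close": detect_reopen_after_close(events),
    }


if __name__ == "__main__":
    for name, findings in run_detections(SAMPLE_EVENTS).items():
        print(name, findings)
```

The thresholds are deliberately conservative placeholders; in practice they would be tuned to the plant's normal switching activity, and the open command on CB-03 that arrives 15 seconds after the operator's close is left unflagged on purpose to show the gap parameter at work.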
Cherepanov and fellow ESET researcher Robert Lipovsky said at the time that Industroyer's sophistication made it possible to adapt the malware to any similar environment. In fact, the industrial communication protocols that Industroyer uses are not only used in Kiev, but also in "global power supply infrastructure, transportation control systems and other important infrastructure systems (such as water and gas)."
On the other hand, considering how sophisticated Industroyer was, its effect was rather modest in the end, as the ESET researchers themselves noted back in 2017. Maybe it was just a test for a future attack, or maybe it was a demonstration of what the team behind it could do.
Sandworm work
ESET researchers point out that the malware's sophistication reflects the malicious intent of those who created it. At the 2017 Virus Bulletin conference, Lipovsky highlighted that "attackers need to understand the architecture of a power grid, what commands to send and how to achieve it." Its creators went to great lengths in creating this malware, and their purpose was not just a power outage. "Some clues in the malware's configuration suggest that they wanted to cause equipment damage and errors."
At Black Hat 2017, Cherepanov added that "it seems unlikely that anyone would be able to write and test such malware without access to specialized tools used in specific, targeted industrial environments."
In October 2020, the United States attributed the attack to six officers of Unit 74455, aka Sandworm, of the Russian military intelligence agency GRU.
A return for Industroyer
Fast forward to 2022, and it is not surprising that in the weeks before and after the February 24th Russian invasion, ESET telemetry has shown an increase in cyberattacks targeting Ukraine.
On April 12th, together with CERT-UA, ESET researchers announced that they had identified a new variant of Industroyer targeting a power supplier in Ukraine. Industroyer2 was scheduled to cut off power to a region of Ukraine on April 8th; fortunately, the attack failed before further destruction could be inflicted on the war-torn country. ESET researchers assessed with high confidence that Sandworm was again responsible for this new attack.
A harbinger of things to come
In recent years, it has become increasingly clear that critical infrastructure services around the world are at growing risk of disruption. A string of events affecting critical infrastructure in Ukraine (and, indeed, other parts of the world) has alerted many to the risks of cyberattack-induced power outages, water supply disruptions, disruptions to fuel distribution, and loss of medical information. And there are many other consequences that can do much more than disrupt our daily routines: they can be life-threatening.
In 2017, Cherepanov and Lipovsky ended their research blog post with a warning that, five years later, still rings true: a wake-up call for those responsible.