Russia’s full-scale invasion of Ukraine in early 2022 brought open warfare to the region, and it also escalated a cyber war that had been running for years. At the Black Hat security conference, researchers from ESET examined Industroyer2, malware designed to cause a massive blackout in Ukraine.
In their talk, the ESET researchers traced the Industroyer2 lineage back to the December 2015 attack on the Ukrainian power grid using the BlackEnergy malware, which Robert Lipovsky, the Chief Threat Intelligence Researcher at ESET, called “the first ever blackout caused by a cyber attack.”
About a year later, a second attack on the power grid knocked out power in part of Kyiv. Unlike the first attack, this one introduced the Industroyer malware, which Lipovsky says was only the second piece of malware after Stuxnet “designed to physically damage industrial hardware.”
Fast forward to Russia’s invasion of Ukraine in 2022, and in April ESET spotted a new version of the malware, which it called Industroyer2. This time the attack was detected and blocked before it could cause serious consequences. “If the attack had been successful, theoretically more than 2 million people could have been left in the dark,” says Lipovsky. “In our view, this is the most significant, even unsuccessful, cyber attack of the war to date.”
In their presentation, the researchers attributed the creation and deployment of these attacks to the Sandworm APT group. In October 2020, the US Department of Justice charged six officers of Russia’s GRU military intelligence agency over activities attributed to Sandworm. Why Sandworm? As Lipovsky explains, the group has a penchant for names drawn from Frank Herbert’s Dune novels. Yes, really.
Examining the Malware
An important part of Industroyer and Industroyer2 is their use of the industrial protocols that talk to circuit breakers and other equipment in power substations. The original Industroyer was equipped with four such protocols; Industroyer2 uses only IEC-104 (IEC 60870-5-104). This protocol runs in many power grids, but it has no authentication or integrity protection of its own, because it was “designed decades ago without focusing on security,” explains Lipovsky.
Fellow researcher Anton Cherepanov, Senior Malware Researcher at ESET, emphasizes that the lack of protocol security is the key to the attack. “[Industroyer2] doesn’t exploit any vulnerabilities at all; it exploits the protocol as it was intended to be used.”
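To make that point concrete, here is an added example (it is not code from ESET’s talk and not Industroyer2 itself) of what “exploiting the protocol as intended” means. It encodes an IEC 60870-5-104 single or double command exactly as a legitimate SCADA master would, decodes it again, and runs a small monitor over a constructed packet list that flags control commands coming from a host that is not on an allow-list of master stations. The frame layout follows the IEC 104 standard; the IP addresses, the information object address 1101 and the allow-list are assumptions invented for the example.

```python
"""Minimal IEC 60870-5-104 encoder/decoder plus a passive control-command monitor.

Added illustration, not vendor or ESET code.  IEC-104 carries no authentication:
any host that can reach a substation gateway on TCP/2404 can send the same
breaker commands a real master would, so a monitor can only judge *who* sends.
"""
import struct

# ASDU type identifiers in the control direction: these change process state.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step", 48: "C_SE_NA_1 set-point (normalised)",
    49: "C_SE_NB_1 set-point (scaled)", 50: "C_SE_NC_1 set-point (float)",
    51: "C_BO_NA_1 bitstring", 58: "C_SC_TA_1 single command (time-tagged)",
    59: "C_DC_TA_1 double command (time-tagged)", 60: "C_RC_TA_1 (time-tagged)",
    61: "C_SE_TA_1 (time-tagged)", 62: "C_SE_TB_1 (time-tagged)",
    63: "C_SE_TC_1 (time-tagged)", 64: "C_BO_TA_1 (time-tagged)",
}
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}
COT_ACTIVATION = 6  # cause of transmission "activation": a command is being issued


def single_command(on, select=False):
    """SCO element of C_SC_NA_1: bit0 = SCS (1 = on), bits 2-6 = QU, bit7 = S/E."""
    return bytes([(1 if on else 0) | (0x80 if select else 0)])


def double_command(on, select=False):
    """DCO element of C_DC_NA_1: bits 0-1 = DCS (1 = off, 2 = on), bit7 = S/E."""
    return bytes([(2 if on else 1) | (0x80 if select else 0)])


def build_command(type_id, ioa, element, common_addr=1, send_seq=0, recv_seq=0,
                  cot=COT_ACTIVATION):
    """Encode one I-format APDU carrying a single information object."""
    # ASDU header: type, VSQ (SQ=0, one object), COT with originator address 0, common address
    asdu = struct.pack("<BBBBH", type_id, 1, cot & 0x3F, 0, common_addr)
    asdu += (ioa & 0xFFFFFF).to_bytes(3, "little") + element
    # APCI control fields: 15-bit N(S) and N(R), each stored shifted left by one, LSB first
    ctrl = struct.pack("<HH", (send_seq << 1) & 0xFFFE, (recv_seq << 1) & 0xFFFE)
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu


def u_frame(function):
    """Encode a U-format APDU such as STARTDT act (0x07), which opens data transfer."""
    return bytes([0x68, 4, function, 0, 0, 0])


def parse_apdu(data):
    """Decode one APDU; objects are decoded for single/double commands (types 45/46)."""
    if len(data) < 6 or data[0] != 0x68 or data[1] != len(data) - 2:
        raise ValueError("malformed APCI")
    c1, c2, c3, c4 = data[2:6]
    if c1 & 0x03 == 0x03:
        return {"format": "U", "function": U_FUNCTIONS.get(c1, "unknown")}
    if c1 & 0x01:
        return {"format": "S", "recv_seq": (c3 | c4 << 8) >> 1}
    if len(data) < 12:
        raise ValueError("ASDU too short")
    type_id, vsq, cot, _orig, common_addr = struct.unpack("<BBBBH", data[6:12])
    frame = {"format": "I", "send_seq": (c1 | c2 << 8) >> 1, "recv_seq": (c3 | c4 << 8) >> 1,
             "type_id": type_id, "cot": cot & 0x3F, "negative": bool(cot & 0x40),
             "common_addr": common_addr, "objects": []}
    if type_id in (45, 46):
        body, base_ioa = data[12:], 0
        for i in range(vsq & 0x7F):
            if vsq & 0x80 and i:  # SQ=1: one IOA, then consecutive elements
                ioa = base_ioa + i
            else:
                ioa = base_ioa = int.from_bytes(body[:3], "little")
                body = body[3:]
            q, body = body[0], body[1:]
            state = (("ON" if q & 1 else "OFF") if type_id == 45
                     else {1: "OFF", 2: "ON"}.get(q & 0x03, "invalid"))
            frame["objects"].append({"ioa": ioa, "state": state,
                                     "select": bool(q & 0x80), "qualifier": (q >> 2) & 0x1F})
    return frame


def audit(packets, allowed_masters):
    """packets: iterable of (src_ip, dst_ip, apdu_bytes).  Returns ALERT/INFO log entries."""
    entries = []
    for src, dst, payload in packets:
        try:
            f = parse_apdu(payload)
        except ValueError as exc:
            entries.append(f"ALERT {src}->{dst}: {exc}")
            continue
        if f["format"] != "I" or f["type_id"] not in CONTROL_TYPES:
            continue
        objs = ", ".join(f"IOA {o['ioa']} {o['state']}" + (" (select)" if o["select"] else "")
                         for o in f["objects"]) or "n/a"
        if src not in allowed_masters:
            entries.append(f"ALERT {src}->{dst}: {CONTROL_TYPES[f['type_id']]} "
                           f"from host not on the master allow-list: {objs}")
        elif f["cot"] == COT_ACTIVATION:
            entries.append(f"INFO {src}->{dst}: control activation: {objs}")
    return entries


# Constructed sample (assumed addresses): the real master and a rogue workstation
# both tell the gateway to open the breaker behind information object 1101.
SAMPLE_PACKETS = [
    ("10.0.0.10", "10.0.0.50", u_frame(0x07)),
    ("10.0.0.10", "10.0.0.50", build_command(45, 1101, single_command(False), send_seq=1)),
    ("10.0.0.77", "10.0.0.50", u_frame(0x07)),
    ("10.0.0.77", "10.0.0.50", build_command(46, 1101, double_command(False), send_seq=1)),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_PACKETS, allowed_masters={"10.0.0.10"}):
        print(line)
```

Byte for byte, the rogue host’s command is as valid as the master’s; the gateway has no way to refuse it, and the decoder cannot tell them apart either. The only handle the monitor has is the source address, which is why segmentation of the control network, allow-listing of master stations, and passive monitoring of TCP/2404 for control-direction ASDUs (type IDs 45 to 51 and 58 to 64) are the usual mitigations, with the IEC 62351 security extensions adding authentication where the equipment supports them.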
Both Industroyer and Industroyer2 were deployed alongside a bevy of other malware. Some of it helps the attackers spread through the infected network; some is fake ransomware meant to disguise the operation’s true purpose. Lipovsky hypothesizes that the attackers may have deployed the fake ransomware only after it became clear that researchers had discovered the malware.
A key part of both Industroyer attacks is the use of wipers: malware that destroys data and system files so thoroughly that the machines no longer boot. Wiping the machines hinders investigation of the malware’s true purpose, and it makes the attack harder to mitigate once it is under way.
Although neither version of Industroyer has been completely successful, they are still a serious, albeit manageable, threat, says Lipovsky. “It should not be hyped, but not downplayed or understated.”
On the front lines
An additional surprise in the presentation came from Victor Zhora, Deputy Chairman of the State Service of Special Communications and Information Protection of Ukraine. Zhora explained that the Ukrainian government actively monitors industry for unusual activity, especially in the energy sector. Investigating one such anomaly, he said, led to the discovery and mitigation of Industroyer2.
There was some luck, too. The creators of Industroyer2 set a trigger time of 5:58 pm. Zhora speculates that this was chosen because, late in the day, infected workstations were likely to be powered on but not actively monitored as people prepared to finish their working day.
“These attackers missed one very important thing,” explains Zhora. “Friday is a short work day.” By the time the triggers should have been activated, most of the infected workstations had already been shut down.
Zhora was careful to thank the security companies that helped Ukraine, “in our struggle for existence.” He emphasized that Industroyer2 is a “destructive act aimed entirely at civilian infrastructure.”
“This is perhaps the biggest challenge to the world since the Second World War,” says Zhora. “And it’s happening in cyberspace.”
Keep reading PCMag for the latest from Black Hat.