A botched malware attack on the Ukrainian electricity grid could have disrupted the energy supply for two million people, it emerged yesterday. The cyberattack, which used an updated version of the Industroyer malware that caused blackouts in Kyiv in 2016, may indicate a growing readiness by Russia to hit Ukraine’s critical national infrastructure with destructive cyberattacks as its war effort founders.

Russia’s use of destructive attacks on Ukraine’s critical infrastructure may intensify as it seeks an end to the conflict. (Photo by SOPA Images/Getty Images)

Malware capable of disrupting industrial control systems has been detected at electrical substations in Ukraine, the country’s Computer Emergency Response Team (CERT) and security provider ESET revealed yesterday. If successful, the attack could have cut off the electricity supply for two million people, Ukrainian officials said.

The attack incorporated a new variant of the Industroyer malware that was used in a successful destructive cyberattack on an electrical substation near Kyiv in 2016. ESET has attributed the attack to Russian APT Sandworm “with a high degree of confidence”.

Attackers succeeded in infecting computers at some electrical substations with the Industroyer2 malware in February, Ukraine’s digital transformation minister Victor Zhora said in a press conference yesterday, but the destructive phase of the attack did not take place.

What is Industroyer2?

The original Industroyer malware was first detected following a successful cyberattack on an electricity substation outside Kyiv in December 2016. The malware was programmed to disrupt control systems at a predetermined time, and did not require an internet connection to execute.

In 2017, ESET described Industroyer as the “biggest threat to industrial control systems since Stuxnet”, the malware that targeted Iranian nuclear power plants and revealed the insecurity of industrial systems. The malware is highly customisable, ESET said, meaning it can be tailored to attack a wide variety of control systems.

Industroyer2 is a more focused version of Industroyer, according to ESET’s latest analysis, targeting a specific protocol used to control power plants or substations remotely.

Unlike the original variant, which used a separate .INI file, Industroyer2’s configurations are hard-coded into the malware itself. “Thus, attackers need to recompile Industroyer2 for each new victim or environment,” ESET said. “However, given that the Industroyer* malware family has only been deployed twice, with a five-year gap between each version, this is probably not a limitation for Sandworm operators.”

The attack included various other technical components, including Sandworm’s Cyclops Blink botnet, “which Sandworm relies on for communication with Industroyer2 malware,” says Jon DiMaggio, chief security strategist at threat intelligence provider Analyst1. “The malware uses Cyclops Blink to obtain configuration parameters and other necessary information required for it to execute properly.”

Last week, the FBI took down the Cyclops Blink botnet as part of an ongoing crackdown on the infrastructure used by Russia’s APTs.

Cyberattacks on Ukraine’s critical infrastructure may increase

Russia had been expected to deploy destructive cyberattacks to bolster its invasion of Ukraine, but initial attacks were mostly superficial.

However, destructive attacks on critical national infrastructure may intensify as Russia becomes increasingly desperate to secure victory, says Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.

“As time draws on, Russia’s military efforts and scope of targeting may broaden through a desperation to find an end to the conflict,” he says. “It is highly likely that destructive malware will continue to be used throughout the conflict, particularly as the rate of attrition hits Russia’s military and sanctions continue to cause havoc for Russia’s economy.”
