Industroyer, previously linked to the Russian actor Sandworm and also tracked as CrashOverride, was first seen in 2016 and was purpose-built to disrupt the energy sector. The new malware, which ESET has dubbed "Industroyer2," was found in Ukranian electrical substations and, if not caught in time, would have deployed on Friday, April 8, according to the firm.
During Russia's invasion of Ukraine, much has been made so far of Russia's reluctance to use cyberwarfare — opting against flashy attacks on infrastructure. Several more subdued attacks, including attacks on internet infrastructure than impacted German wind turbines, have been detected, though none had so far been concretely linked to Russia.
An attack on energy would match the public conception of cyberwarfare. And ESET is making a very firm attribution of the attack to Sandworm, an actor previously attributed to Russia by the United States Department of Justice. ESET does not attribute attacks to specific countries.
"We assess with high confidence that the APT group Sandworm is responsible for this new attack," wrote ESET Research in a blog Tuesday morning.
The blog says that Sandworm attempted several attacks in conjunction with Industroyer, including CaddyWiper, ORCSHRED, SOLOSHRED and AWFULSHRED. CaddyWiper, one of several new wipers seen in Ukraine since the beginning of the war, had not been tied to a specific actor before these attacks.
ESET has not identified the initial vectors for compromise used in the attacks.
Industroyer2 differs from the 2016 version in a few ways. Both the new and old versions are highly configurable, but the new version hardcodes configuration details into each build rather than include a .INI file. That means new software would need to be compiled each time a new configuration is selected.
The new version only implements the IEC-104 protocol to talk with industrial equipment, including the relays used in electrical substations. The first version included more protocols. Industroyer2 can communicate with multiple devices at a time. The new version also replaces a log file with easy-to-understand messages with one recording error codes, which ESET believes is an attempt to obfuscate the attack.
"The analysis is still ongoing in order to determine what are the exact actions taken for each device. We believe that this component is able to control specific ICS systems in order to cut power," wrote ESET.
ORCSHRED, SOLOSHRED, AWFULSHRED were also discovered on the network of the energy company, a combination of a Linux worm (ORCSHRED) with a Solaris wiper (SOLOSHRED) and LinuxWiper (AWFULSHRED).
Indicators of compromise are included in the blog.