Hackers intended to disable Ukrainian power substations with the help of Industroyer2

Source: https://cobaltstrike.net/2022/04/13/hackers-intended-to-disable-ukrainian-power-substations-with-the-help-of-industriyer2/

The Ukrainian Computer Emergency Response Team CERT-UA has taken a number of urgent measures to respond to an attempted cyberattack on a critical infrastructure facility. The purpose of the attack was to disable high-voltage electrical substations, computers, servers, network equipment and automated control systems of the Ukrainian electric power company.

According to experts from CERT-UA and the security company ESET, who helped repel and analyze the attack, the attackers intended to disable electrical substations using the Industroyer2 malware. According to them, the malicious actions were planned for April 8, 2022, but judging by the compilation dates of the files, the attack had been in preparation for at least two weeks before that date.

“In the course of a new attack, cybercriminals attempted to deploy the Industroyer2 malicious software at high-voltage electrical substations in Ukraine. In addition to Industroyer2, during the attack the Sandworm group used several malware families to destroy data, including CaddyWiper,” ESET reports.

According to ESET, malicious software called Industroyer was used to cut off electricity in Kiev in December 2016. The earlier version of Industroyer could speak the industrial control system protocols commonly used in electrical systems, in particular IEC-101, IEC-104, IEC 61850 and OPC DA.

The attackers planned to use the destructive malware (wiper) CaddyWiper, designed to delete all data from infected systems, against computers, servers and automated control systems running Windows. As SecurityLab previously reported, CaddyWiper is one of four wipers detected in attacks on Ukraine since the beginning of this year.

Hackers intended to attack servers running Linux using the destructive scripts ORCSHRED, SOLOSHRED and AWFULSHRED.

“It is known that the victim organization has been subjected to two waves of attacks. The initial compromise occurred no later than February 2022. The shutdown of electrical substations and the disabling of the company’s infrastructure was scheduled for the evening of Friday, April 8, 2022. However, the implementation of the malicious plan has been prevented for the moment,” CERT-UA reported.