www.bleepingcomputer.com
104.20.60.209
Public Scan
Submitted URL: https://t.co/Yi052ZzPJ3
Effective URL: https://www.bleepingcomputer.com/news/security/sandworm-hackers-fail-to-take-down-ukrainian-energy-provider/
Submission: On April 14 via api from US — Scanned from DE
Form analysis
6 forms found in the DOM
https://www.bleepingcomputer.com/search/
<form title="Search site" action="https://www.bleepingcomputer.com/search/">
<input type="hidden" name="cx" value="partner-pub-0920899300397823:3529943228">
<input type="hidden" name="cof" value="FORID:10">
<input type="hidden" name="ie" value="UTF-8">
<input type="search" name="q" aria-label="Search Site" placeholder="Search Site">
</form>
https://www.bleepingcomputer.com/search/
<form action="https://www.bleepingcomputer.com/search/">
<input type="hidden" name="cx" value="partner-pub-0920899300397823:3529943228">
<input type="hidden" name="cof" value="FORID:10">
<input type="hidden" name="ie" value="UTF-8">
<input type="search" name="q" aria-label="Search Site" placeholder="Search Site">
</form>
POST //bleepingcomputer.us10.list-manage.com/subscribe/post?u=3e2b3b692f780cdff40d45346&id=30c98e654e
<form action="//bleepingcomputer.us10.list-manage.com/subscribe/post?u=3e2b3b692f780cdff40d45346&id=30c98e654e" method="post" target="_blank" novalidate="">
<input type="email" name="EMAIL" aria-label="Enter email address" placeholder="Email Address...">
<div style="position: absolute; left: -5000px;"><input type="hidden" aria-hidden="true" name="b_3e2b3b692f780cdff40d45346_30c98e654e" tabindex="-1" value=""></div>
<input type="submit" value="Submit" class="bc_sub_btn">
</form>
POST //bleepingcomputer.us10.list-manage.com/subscribe/post?u=3e2b3b692f780cdff40d45346&id=30c98e654e
<form action="//bleepingcomputer.us10.list-manage.com/subscribe/post?u=3e2b3b692f780cdff40d45346&id=30c98e654e" method="post" target="_blank" novalidate="">
<input type="email" aria-label="Enter email address" name="EMAIL" placeholder="Email Address...">
<div style="position: absolute; left: -5000px;"><input type="hidden" aria-hidden="true" name="b_3e2b3b692f780cdff40d45346_30c98e654e" tabindex="-1" value=""></div>
<input type="submit" value="Submit" class="bc_sub_btn">
</form>
POST https://www.bleepingcomputer.com/forums/index.php?app=core&module=global&section=login&do=process&return=https://www.bleepingcomputer.com/news/security/sandworm-hackers-fail-to-take-down-ukrainian-energy-provider/
<form action="https://www.bleepingcomputer.com/forums/index.php?app=core&module=global&section=login&do=process&return=https://www.bleepingcomputer.com/news/security/sandworm-hackers-fail-to-take-down-ukrainian-energy-provider/"
method="post">
<div class="bc_form_feild">
<label for="ips_username">Username</label>
<input aria-label="Enter login name" title="Enter login name" type="text" id="ips_username" name="ips_username" autocomplete="username">
</div>
<div class="bc_form_feild">
<label for="ips_password">Password</label>
<input aria-label="Enter login password" title="Enter login passwod" type="password" id="ips_password" name="ips_password" autocomplete="current-password">
</div>
<div class="bc_form_feild">
<div class="bc_remember">
<input id="remember" type="checkbox" name="rememberMe" value="1" checked="checked">
<label for="remember">Remember Me</label>
</div>
<div class="bc_anon">
<input id="anonymous" type="checkbox" name="anonymous" value="1">
<label for="anonymous">Sign in anonymously</label>
</div>
</div>
<div class="bc_btn_wrap">
<input type="hidden" name="auth_key" value="880ea6a14ea49e853634fbdc5015a024">
<input type="submit" aria-label="Login to site" title="Login" value="Login" class="bc_sub_btn">
<a aria-label="Sign in with Twitter" href="https://www.bleepingcomputer.com/forums/index.php?app=core&module=global&section=login&serviceClick=twitter&return=https://www.bleepingcomputer.com/news/security/sandworm-hackers-fail-to-take-down-ukrainian-energy-provider/" class="bc_twitter_btn"><img src="https://www.bleepstatic.com/images/site/login/twitter.png" width="28" height="24" alt="Sign in with Twitter button"> Sign in with Twitter</a>
<hr>
<p>Not a member yet? <a aria-label="Register account" title="Register account" href="https://www.bleepingcomputer.com/forums/index.php?app=core&module=global&section=register">Register Now</a></p>
</div>
</form>
<form>
<input type="hidden" id="comment-id-report" value="0">
<ul>
<li>
<label><input type="radio" name="comment-report-reason" value="Spam">Spam</label>
</li>
<li>
<label><input type="radio" name="comment-report-reason" value="Abusive or Harmful">Abusive or Harmful</label>
</li>
<li>
<label><input type="radio" name="comment-report-reason" value="Inappropriate content">Inappropriate content</label>
</li>
<li>
<label><input type="radio" name="comment-report-reason" value="Strong language">Strong language</label>
</li>
<li>
<label><input type="radio" name="comment-report-reason" value="Other">Other</label>
</li>
<li id="comment-report-other-reason-wrap" style="display:none;">
<textarea aria-label="Enter other reason for reporting the comment" rows="2" cols="2" id="comment-report-other-reason"></textarea>
</li>
</ul>
<p>Read our <a href="https://www.bleepingcomputer.com/posting-guidelines/">posting guidelinese</a> to learn what content is prohibited.</p>
</form>
Text Content
SANDWORM HACKERS FAIL TO TAKE DOWN UKRAINIAN ENERGY PROVIDER

By BILL TOULAS
April 12, 2022, 08:03 AM

The Russian state-sponsored hacking group known as Sandworm tried on Friday to take down a large Ukrainian energy provider by disconnecting its electrical substations with a new variant of the Industroyer malware for industrial control systems (ICS) and a new version of the CaddyWiper data destruction malware.
The threat actor used a version of the Industroyer ICS malware customized for the targeted high-voltage electrical substations and then tried to erase the traces of the attack by executing CaddyWiper and other data-wiping malware families tracked as Orcshred, Soloshred, and Awfulshred for Linux and Solaris systems.

Researchers at cybersecurity company ESET, collaborating with the Ukrainian Computer Emergency Response Team (CERT) to remediate and protect the attacked network, say that they do not know how the attacker compromised the environment or how they managed to move from the IT network into the ICS environment.

The image below shows an overview of the data wiping components used in the attack:

[Figure: Sandworm activities diagram (ESET)]

In an announcement today, CERT-UA notes that the threat actor's goal was "decommissioning of several infrastructural elements."

The ICS malware used in the attack is now tracked as Industroyer2, and ESET assesses "with high confidence" that it was built using the source code of Industroyer, the malware used in 2016 to cut the power in Ukraine and attributed to the state-sponsored Russian hacking group Sandworm.
CERT-UA and ESET say that Sandworm planned to start the final stage of the attack on Friday, April 8 (at 14:58 UTC) by deploying malware on the following types of systems:

* Windows computers and automated workstations, by deploying the CaddyWiper malware, decrypted, loaded, and executed via the ArgeuPatch and Tailjump tools (at 14:58 UTC)
* Linux servers, using the OrcShred, Soloshred, and AwfulShred scripts (at 14:58 UTC)
* high-voltage electrical substations, using the INDUSTROYER2 malware, each executable containing a set of unique parameters specified for its respective substation target. Sandworm operators created a scheduled task at 15:02:22 UTC to launch the malware at 16:10 UTC and cut power in a Ukrainian region
* active network equipment

At 16:20 UTC, the adversary executed CaddyWiper on the machines to erase the tracks of Industroyer2.

CERT-UA says that "the implementation of [Sandworm's] malicious plan has so far been prevented," while ESET notes in a technical report on the malware used in this attack that "Sandworm attackers made an attempt to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine."

ESET researchers say that Industroyer2 is highly configurable and comes with a hardcoded, detailed configuration, which requires it to be recompiled for each new victim environment.

"However, given that the Industroyer malware family was only deployed twice, with a five year gap between each version, this is probably not a limitation for Sandworm operators." - ESET

The researchers say that the Portable Executable timestamp of Industroyer2 shows that it was compiled on March 23, which suggests that the attack had been planned for at least two weeks.

[Image: source ESET]

Additional tools used in the attack include the PowerGap PowerShell script, used to add a Group Policy that downloads payloads and creates scheduled tasks, and Impacket, used for remote command execution.
The worm component in this attack - a Bash script named sc.sh - looks for accessible networks (via ip route or ifconfig) and tries to connect to all available hosts via SSH (TCP ports 22, 2468, 24687, and 522) using credentials in a list the adversary added to the script.

NEW INDUSTROYER VERSION

Industroyer, also known as CrashOverride, was first sampled and analyzed in 2017, with ESET calling it the "biggest threat to industrial control systems since Stuxnet".

The new variant used last week on a Ukrainian energy provider is an evolution of the original malware used in the 2016 power outage attacks in Ukraine.

Industroyer2 only employs the IEC-104 protocol to communicate with industrial equipment, whereas previously it supported multiple ICS protocols.

It is more configurable than the original strain, and the settings, including IOAs (information object addresses), timeouts, and ASDUs (application service data units), are stored as a string which is passed through the IEC-104 communication routine. According to ESET's analysis, the recently analyzed sample communicated with eight devices simultaneously.

[Figure: Hardcoded configuration in Industroyer2 (ESET)]

The exact actions performed by Industroyer2 after its connection to the relays are still being examined, but it has been determined that it terminates the legitimate processes that industrial equipment performs in its standard operation.

RECENT SANDWORM ACTIVITIES

The recent attack on Friday appears to be a parallel operation from Sandworm, who also focused on targeting WatchGuard firewall appliances and ASUS routers using the Cyclops Blink botnet. That botnet was severely disrupted last week due to coordinated action of American law enforcement and cyber-intelligence agencies.

CERT-UA placed the initial compromise in February 2022 and identified two distinct attack waves against the victim organization, resulting in some substation disconnections.
This coincides with another operation run in parallel by Sandworm, which was the build-up of the Cyclops Blink botnet that attacked WatchGuard firewall appliances and later also ASUS routers.

ANSSI, the French national cyber-security agency, blames Sandworm for a campaign starting in 2017 that focused on compromising French IT providers that were using an outdated version of the Centreon network, system, and monitoring tool.

Sandworm is an experienced cyber-espionage threat group that has been associated with the Russian Military Unit 74455 of the Main Intelligence Directorate (GRU).

CERT-UA has shared indicators of compromise (Yara rules, file hashes, hosts, network) to help prevent new attacks from this threat actor.

RELATED ARTICLES:
* Microsoft: Ukraine hit with FoxBlade malware hours before invasion
* US, UK link new Cyclops Blink malware to Russian state hackers
* New CaddyWiper data wiping malware hits Ukrainian networks
* Hackers use Conti's leaked ransomware to attack Russian companies
* Ukraine: Russian Armageddon phishing targets EU govt agencies

Tags: CaddyWiper, Industroyer, Malware, Russia, Sandworm, Ukraine

BILL TOULAS
Bill Toulas is a technology writer and infosec news reporter with over a decade of experience working on various online publications. An open source advocate and Linux enthusiast, he is currently finding pleasure in following hacks, malware campaigns, and data breach incidents, as well as in exploring the intricate ways through which tech is swiftly transforming our lives.