Ukraine energy grid hit by Russian Industroyer2 malware

A notorious piece of malware has been rehashed as an agent of cyberwar in Russia's invasion of Ukraine.

Security researchers working with the Ukraine government say that a new variant of the "Industroyer" malware has been detected in power stations in the Ukraine and is likely being used by the Russian government to sabotage industrial controller systems (ICS). Industroyer was first detected in 2016 cyber attacks against Ukraine's power grid, which caused substantial blackouts in the country.

Researchers with threat detection vendor ESET reported Tuesday that Russian attackers have been targeting energy plants in Ukraine with the aim of shutting down critical infrastructure. The Industroyer2 malware targets the controller hardware that manages the flow of water, use of cleaning agents and other embedded machines that keep water systems running efficiently.

Both ESET and the Computer Emergency Response Team of Ukraine (CERT-UA) believe the Russian government deployed the attack with the aim of disrupting power and IT traffic among the Ukrainian government. Specifically, the two organizations attributed the attacks to Sandworm, a Russian state-sponsored threat group that has been active with wiper attacks against Ukraine in recent months.

According to ESET analysts, the Industroyer2 malware is very specifically tasked.

"Industroyer2 was deployed as a single Windows executable named 108_100.exe and executed using a scheduled task on 2022-04-08 at 16:10:00 UTC," ESET wrote in the blog post.

"It was compiled on 2022-03-23, according to the PE timestamp, suggesting that attackers had planned their attack for more than two weeks."

CERT-UA said in a security advisory that the Industroyer2 attack hit a single, unnamed Ukrainian organization in two separate waves, but the attack apparently failed to trigger a power grid failure and that "the implementation of the malicious plan has so far been prevented."

It is not unheard of for malware payloads to be focused on a single piece of hardware. Most famous is the 2008 Conficker worm that targeted one specific type of uranium centrifuge being used by the Iranian government for an alleged nuclear weapons program. The malware was intended for Windows systems, but also included code to attack Linux and Solaris machines.

While the conflict in Ukraine remains one of the important issues on the global news stage, the possibility that Russian cyber attacks could spill over to the rest of the world is a prospect that will have nations who are not involved in the conflict on pins and needles.

ESET researchers said that the malware spotted in the Ukraine isn't just a one-off piece of code and it is possible that the attack code could be adopted to machines in other parts of the world. Of particular interest is the gap in deployment time, with the original code having been spotted more than five years ago.

"Industroyer2 is highly configurable. It contains a detailed configuration hardcoded in its body, driving the malware actions," ESET said.

"This is different from Industroyer, stores configuration in a separate .INI file. Thus, attackers need to recompile Industroyer2 for each new victim or environment."