Industroyer2: How Ukraine avoided another blackout attack

A Black Hat 2022 session explained how the latest attack on Ukraine's energy grid was thwarted this spring, thanks to quick responses and timely sharing of threat data.

LAS VEGAS -- The Industroyer malware attack on Ukraine's energy grid in 2016 caused a significant blackout and marked a turning point for cyber attacks against critical infrastructure.

But the Industroyer2 malware attack, which was more sophisticated than the original, failed to take down Ukraine's energy grid in March, thanks in part to the lessons learned from the 2016 attack.

During a Black Hat 2022 session Wednesday, researchers from cybersecurity vendor ESET and Victor Zhora, deputy chairman of Ukraine's State Service of Special Communications and Information Protection (SSSCIP), discussed the Industroyer2 malware and the response to the attack, which was unsuccessful.

The Industroyer2 attack was preceded by several wiper attacks on Ukraine networks, starting with HermeticWiper on Feb. 23 -- a day before Russia's invasion of Ukraine. "HermeticWiper was found on hundreds of systems in multiple organizations, and it was a pure act of cyber sabotage," said Robert Lipovsky, principal threat intelligence researcher at ESET, during the presentation.

The situation escalated; on April 8, ESET was called in to analyze new malware discovered by CERT-UA, the national computer emergency response team for Ukraine, following an incident at an energy provider in the country. "Our analysis found that threat was bigger than expected," Lipovsky said. "It was a new version of Industroyer, something which we hadn't seen in the last five years."

Unlike the original Industroyer malware, the second attempt failed to cause a blackout. But Lipovsky said that, had Industroyer2 been successful, it could have left more than 2 million people in Ukraine in the dark.

"The attack was thwarted thanks to a prompt response by the defenders at the targeted energy company and the work of CERT-UA and our assistance," he said.

Responding to Industroyer2

Zhora said many private-sector companies have provided invaluable cybersecurity support for Ukraine during Russia's invasion but added that Microsoft and ESET have been especially crucial because the two vendors have the biggest presence on Ukraine networks and massive amounts of telemetry data.

That data proved to be extremely valuable in thwarting Industroyer2; Zhora said timely sharing of information by ESET and Microsoft tipped off Ukrainian authorities that an attack may be in progress. In addition, the quick response of CERT-UA to contact the target organization and detect the malware was key.

Zhora said investigators believe the initial compromise of the targeted energy company occurred on Feb. 17 and likely even earlier. Like the original Industroyer, the malware was specifically designed to disrupt industrial control systems at energy providers.

"It was a well-planned and technically sophisticated operation, with a lot of tools that we later discovered," Zhora said.

Lipovsky said Industroyer2 had a lot of code similarities to the original Industroyer malware, though the new version was contained in a single executable rather than a framework.

And, like its predecessor, Industroyer2 was attributed to Sandworm, a state-sponsored group run by Russia's Main Intelligence Directorate, more commonly known as the GRU. Lipovsky told the audience the threat group earned the name because its malware contained obvious references to Dune, Frank Herbert's classic science fiction novel.

Anton Cherepanov, senior malware researcher at ESET, told the audience that Industroyer2 contained hardcoded configurations, which showed the attack was planned well in advance of the malware's delivery. Industroyer2, he said, was specifically designed to disable circuit-breaker failure protections for the exact systems used in the targeted energy company's network.

Cherepanov said Industroyer2 was just one part of an operation to take down a portion of Ukraine's energy grid. Sandworm also deployed additional wiper malware known as CaddyWiper to make response and recovery more difficult and to erase any traces of the Industroyer2 malware.

Ultimately, the CaddyWiper attack caused more disruption than Industroyer2; Lipovsky said the malware's authors made some mistakes that allowed defenders to mitigate the attack before it could trigger a blackout. But he emphasized that, even though Sandworm's latest attempt failed, "the threat shouldn't be hyped but also should not be downplayed or underestimated." "These threats are serious, but they can be thwarted by proper security measures," he said.

Following the session, Zhora told SearchSecurity that the time between the 2016 blackout attack and Industroyer2 gave Ukraine and its private-sector partners time to prepare for the next attack. "Ukraine defenders were ready for this," he said. "Industroyer1 was quite effective. It took us two hours to restore power."

Zhora also said he isn't sure when version 3 of Industroyer may arrive but that SSSCIP, CERT-UA and other organizations are expecting additional critical infrastructure attacks at some point in the future.

"These attacks are very dangerous and have a lot of potential to cause serious damage," he said. "We have to monitor the situation 24 hours a day and prepare for escalation and further aggression."
