On analysis, the team found new malware planted in the industrial control systems of that energy facility, and it had been there for weeks! A wiper was also spotted in the impacted systems, aimed at removing the traces after the attack. Researchers linked the malware to a Russian state-backed hacking group.
Ukraine Defended a Critical Cyberattack
Amidst the war with visible weapons, Ukraine and Russia are involved in cyberattacks too. Several researchers have previously warned, and continue to warn, that Russia is constantly cyber attacking Ukraine. In this pursuit, the Ukrainian Governmental Computer Emergency Response Team (CERT-UA) revealed that a potential cyberattack was planned against one of their energy facilities – which they successfully stopped on April 8th. Hackers had implanted new malware to disconnect and decommission the high voltage energy infrastructure. An analysis by the ESET team – who accompanied CERT-UA in preventing this attack – linked the attack to the Sandworm gang – a hacking group attributed to a Russian military unit called the GRU. The UK’s NCSC, CISA, and the NSA in their past reports linked Sandworm to the GRU and warned organizations that are potential targets of it. Hackers in the campaign against Ukraine used an updated version of Industroyer – malware that was previously used to cause power outages in Ukraine in 2015. The traces left by Industroyer2 suggest that it had been in the power systems since February 2022, and it is unknown how the attackers entered the industrial control systems. Also, a new version of CaddyWiper was spotted, which is destructive malware aimed at wiping out traces and also slowing down the recovery processes of the energy company after the attack.