The Computer Emergency Response Team of Ukraine (CERT-UA) confirmed on 12 April that it had taken urgent measures in response to a security incident involving a targeted cyber attack on Ukraine’s energy facilities.
The victim organization has not been disclosed by CERT-UA.
Since the start of the Russian invasion of Ukraine in late February 2022 it has been expected that Russia would use cyber-attacks as part of its campaign, with critical infrastructure a valuable target.
The attack was intended to take several elements of the target’s infrastructure out of service, including high-voltage electrical substations.
The incident unfolded in two phases: the first compromised the power networks in February, and the second, planned for 8 April, was to shut down a substation and damage infrastructure – a plan that was ultimately foiled.
In a statement, CERT-UA said the attack was carried out by the Sandworm group using malware including Industroyer2 and CaddyWiper.
Industroyer malware was used in an attack against Ukraine’s power grid in 2016, which caused a power blackout in Kiev. According to cyber security firm ESET, Industroyer2 is a new variant of the malware deployed during the 2016 incident.
ESET has worked closely with CERT-UA to remediate and protect the critical infrastructure network.
The company explained that alongside Industroyer2, Sandworm used several destructive malware families including CaddyWiper, Orcshred, Soloshred and Awfulshred.
CaddyWiper was first discovered in 2014 when it was used against a Ukrainian bank.
“Ukraine is once again at the center of cyberattacks targeting its critical infrastructure,” said ESET in an article on 12 April. “This new Industroyer campaign follows multiple waves of wipers that have been targeting various sectors in Ukraine. ESET researchers will continue to monitor the threat landscape in order to better protect organizations from these types of destructive attacks.”
It is understood that Microsoft has also played a part in identifying and mitigating cyber-attacks in Ukraine.
Putin’s cyber army
It is well known now that cyber-attacks are part of Vladimir Putin’s arsenal of weaponry.
Speaking to CS Hub earlier in 2022, Charles Denyer, an Austin-based cybersecurity and national security expert, said, “Putin is throwing digital bombs from his doorsteps, courtesy of Russia’s vast cybersecurity arsenal.”
Regarding who is behind the attacks hitting Ukraine, and possibly the rest of the world, Denyer explained that Russia’s Foreign Intelligence Service (SVR), the Main Directorate of the General Staff (GRU), the Federal Security Service (FSB), the Federal Protective Service (FSO), the GRU’s cyber military Unit 26165, Unit 74455 (more commonly known as Sandworm), the Internet Research Agency and others are all involved.
For organizations throughout the globe, protecting their assets comes back to basic cyber hygiene 101, Denyer explained. This includes limiting access to systems, running anti-virus scans, monitoring all user activity, scanning for network vulnerabilities, performing penetration testing and, in the long term, training employees on security awareness issues.