Russia has carried out a hacker attack on Ukraine's energy system, aimed at causing a nationwide blackout as in 2016

The hacking group Sandworm has been confirmed as unit 74455 of the GRU, Russia's military intelligence agency.

The hacker group Sandworm, confirmed as unit 74455 of the GRU, Russia's military intelligence agency, launched an attack on Ukraine's energy system on the evening of April 8, aimed at causing a nationwide blackout as in 2016. This was reported by Wired with reference to information received from the Computer Emergency Response Team of Ukraine, CERT-UA.

“On Tuesday, the Ukrainian Computer Emergency Response Team (CERT-UA) and the Slovak cybersecurity firm ESET published a report that the Sandworm hacker group, confirmed as unit 74455 of the Russian GRU military intelligence agency, made an attempt to hit high-voltage electric substations in Ukraine,” the publication writes.

It is noted that the attack used a piece of malicious software which the Russian aggressors had already used in the earlier cyberattacks on the Ukrainian power system in 2015 and 2016. According to Wired, the detected malware, Sandworm's Industroyer, was first used in the hackers' cyberattack on the Ukrainian company Ukrenergo in December 2016.

“It (the software – ed.) could directly interact with electrical equipment to cause blackouts. Industroyer was able to send commands to circuit breakers using any of four industrial control system protocols,” the statement says.

The publication also claims that, as a result of the hacker attack on April 8, 2022, the power supply was temporarily cut off at nine substations.

“CERT-UA says the attack was successfully detected and stopped before any actual power outages could be triggered. But earlier, a private consultant to CERT-UA told the MIT Technology Review that power was temporarily cut off at nine power substations,” the article says.

However, apparently for security reasons, both CERT-UA and ESET declined to name the affected utility. It is known, though, that more than 2 million people live in the area served by the affected substations.

The CERT-UA website does carry reports of the hacker attack, though with details that differ from those provided by Wired.

Microsoft and ESET.

“The victim organization suffered two waves of attacks. The initial compromise occurred no later than February 2022. The shutdown of electrical substations and the decommissioning of the company's infrastructure were scheduled for Friday evening, April 8, 2022. At the same time, the implementation of the malicious plan has been prevented so far,” the CERT-UA report reads.

“The objects of the attack, namely:

  • high-voltage electrical substations – using the malicious program INDUSTROYER2; moreover, each executable file contained a statically specified set of unique parameters for the respective substations (file compilation date: 23.03.2022);
  • electronic computing machines (computers) running the Windows operating system (user computers, servers, as well as automated ICS workstations, ACS TP) – using the malicious destructor software CADDYWIPER; decrypting and running the latter involves the ARGUEPATCH loader and TAILJUMP shellcode;
  • server equipment running Linux operating systems – using the malicious destructive scripts ORCSHRED, SOLOSHRED, AWFULSHRED;
  • network equipment.

In order to identify signs of the presence of a similar threat in other organizations of Ukraine, operational information with the access restriction level TLP:AMBER, including malware samples, indicators of compromise and YARA rules, has been passed on to a limited number of international partners and Ukrainian energy companies,” CERT-UA notes.

Based on materials: ZN.ua
