Detect Industroyer2 and CaddyWiper Malware: Sandworm APT Hits Ukrainian Power Facilities
CERT-UA, in collaboration with Microsoft and ESET, has recently reported a large-scale cyber-attack on Ukrainian energy providers, marking the second power-outage attack in human history. This latest activity is attributed to the russia-affiliated Sandworm APT group, also tracked as UAC-0082.
In this attack, threat actors leveraged Industroyer2, the latest sample of the infamous Industroyer malware family, which was designed to attack power grids and was first discovered by ESET researchers in June 2017. The 2017 cyber-attack traces back to the massive blackouts caused by the nefarious BlackEnergy malware, designed to cripple the critical infrastructure of Ukrainian electrical companies.
In the latest cyber-attack on Ukrainian power facilities, in addition to the Industroyer malware strain, the Sandworm APT group also leveraged an infamous data wiper dubbed CaddyWiper. The latter is yet another data-wiping malware that emerged hot on the heels of the HermeticWiper and WhisperGate attacks targeting Ukrainian organizations.
Industroyer Reloaded: Sandworm Deploys Industroyer2 to Cripple Ukrainian Power Grid
CERT-UA, in collaboration with ESET and Microsoft cybersecurity experts, has thwarted a massive cyber-attack against Ukrainian energy providers. It is the second power-outage attack in human history, thoroughly planned by the russia-backed Sandworm APT to disrupt the critical infrastructure of Ukraine.
According to ESET analysis, the malicious actions were arranged by hackers at least two weeks in advance and the attack launch was scheduled for April 8, 2022. Sandworm threat actors planned to deploy Industroyer2, the successor of the infamous Industroyer malware, to disrupt the operations of the high-voltage electrical substations in Ukraine.
In addition to the ICS-capable malware, the hackers used several wiper families. In particular, CERT-UA reports that the recently revealed CaddyWiper was applied against personal computers, servers, and automated process control systems running Windows. For Linux-based systems, the attackers leveraged the RSHRED, SOLOSHRED, and AWFULSHRED data-wiping scripts. Presumably, the wipers were deployed to erase Industroyer2 traces and to complicate the power grid operators' efforts to regain control of the ICS consoles.
The Sandworm group is known to have been attributed to russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST), military unit 74455. During 2015-2017, Sandworm repeatedly attacked Ukrainian critical infrastructure using the infamous BlackEnergy and Industroyer malware samples. The disruptions to power grid performance resulted in massive blackouts throughout the country, marking the first case in human history in which a cyber threat caused serious damage to physical plant operational assets. Further, in 2017 the infamous NotPetya malware was applied by the Sandworm group to cripple Ukrainian banking institutions. This cyber-attack evolved into a global crisis, with millions of instances compromised and billions of dollars in losses. Later, in 2018, russia leveraged another devastating malware, VPNFilter, to attack the Auly Chlorine Distillation Station. Finally, multiple destructive cyber-attacks by Sandworm APT gained momentum in 2020-2021, with numerous government institutions and businesses being attacked. You can explore the detailed timeline of the russian warfare here.
Industroyer2 Detection: Latest Attack by Sandworm APT
Security practitioners can detect possible cyber-attacks including Industroyer2 and CaddyWiper malware strains in their infrastructure with a set of curated Sigma rules based on Windows and Linux log sources:
Sigma rules to detect cyber-attacks by Sandworm APT (UAC-0082)
To simplify the search for dedicated detection content for the latest Sandworm APT (UAC-0082) activity, all of the above-referenced detection algorithms are tagged #UAC-0082.
Please note that only registered users can leverage these detections from SOC Prime’s Detection as Code platform. All Sigma-based rules included in this detection stack are available via the credit-card range #Sigma2SaveLives subscription tier as part of 500+ bonus rules against russian state-backed APTs. 100% of revenue from each subscription purchase goes to the Ukrainian Come Back Alive Foundation.
Security professionals can also leverage curated hunting queries from the rule kit above to instantly search for related russia-linked cyber threats with SOC Prime’s Quick Hunt module. For more details on how to drill down to hunt for the latest threats associated with Sandworm APT group, please refer to this video tutorial.
MITRE ATT&CK® Context
To dive into the context of the latest destructive cyber-attack of Sandworm APT group/UAC-0082 targeting Ukrainian power facilities, the dedicated Sigma-based detection rules are aligned with the MITRE ATT&CK matrix v.10 addressing all relevant tactics and techniques:
Tactics | Techniques | Sigma Rules
Defense Evasion | Masquerading (T1036) |
Defense Evasion | Signed Binary Proxy Execution (T1218) |
Defense Evasion | Domain Policy Modification (T1484) |
Defense Evasion | File and Directory Permissions Modification (T1222) |
Execution | Scheduled Task/Job (T1053) |
Collection | Data from Network Shared Drive (T1039) |
Credential Access | OS Credential Dumping (T1003) |
Credential Access | Unsecured Credentials (T1552) |
Discovery | System Information Discovery (T1082) |
Security professionals can also check out the following ATT&CK Navigator file with mapped-out TTPs. For more details, please refer here.
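As an added, constructed example (not SOC Prime's rule content and not part of the detection stack referenced above), the block below shows how a Sigma rule's selections and condition are evaluated against Windows process-creation events, and how the ATT&CK technique IDs that the table above maps are carried in Sigma tags alongside the #UAC-0082 activity tag the article mentions. The rule itself (a generic Scheduled Task/Job, T1053, detection on schtasks.exe), the Sysmon-style field names (Image, CommandLine, RecordId) and the event records are all assumptions made for illustration, not real telemetry from the incident.

```python
"""Minimal Sigma-style matcher run over constructed Windows process-creation events.

Added example: the rule and the events are constructed for illustration and are not
SOC Prime's detection content or real incident telemetry.
"""
from __future__ import annotations

# Rule in the Sigma schema, written as a dict instead of YAML to stay dependency-free.
# Constructed for this example; tagged with the ATT&CK technique (as Sigma does) and
# with the UAC-0082 activity tag described in the article.
RULE = {
    "title": "Scheduled Task Creation via schtasks.exe (illustrative)",
    "tags": ["attack.execution", "attack.t1053", "UAC-0082"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_image": {"Image|endswith": "\\schtasks.exe"},
        "selection_cmd": {"CommandLine|contains": ["/create", "/change"]},
        "condition": "selection_image and selection_cmd",
    },
}

# Constructed Sysmon-style events (not real telemetry). Field names are assumptions.
EVENTS = [
    {"RecordId": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks.exe /Create /TN "Updater" /TR C:\\ProgramData\\update.bat /SC ONCE /ST 12:00'},
    {"RecordId": 2, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /Query /FO LIST"},
    {"RecordId": 3, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo /create"},
    {"RecordId": 4, "Image": "C:\\Windows\\SysWOW64\\SCHTASKS.EXE",
     "CommandLine": "SCHTASKS.EXE /CHANGE /TN Updater /ENABLE"},
]


def _match_value(modifier: str, actual: str, expected: str) -> bool:
    """Apply one Sigma value modifier; Sigma string matching is case-insensitive."""
    a, e = actual.lower(), expected.lower()
    if modifier == "contains":
        return e in a
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "":
        return a == e
    raise ValueError(f"unsupported modifier: {modifier}")


def match_selection(selection: dict, event: dict) -> bool:
    """Every field in a selection must match (AND); a list of values is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(modifier, str(actual), str(v)) for v in values):
            return False
    return True


def evaluate_condition(condition: str, detection: dict, event: dict) -> bool:
    """Evaluate conditions of the form 'a and b and not c' (the subset used here)."""
    result = True
    for term in condition.split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        matched = match_selection(detection[name], event)
        result = result and (matched != negate)
    return result


def rule_matches(rule: dict, event: dict) -> bool:
    det = rule["detection"]
    return evaluate_condition(det["condition"], det, event)


def hunt(rule: dict, events: list[dict]) -> list[int]:
    """Return the RecordIds of events that match the rule, in input order."""
    return [e["RecordId"] for e in events if rule_matches(rule, e)]


def attack_techniques(rule: dict) -> list[str]:
    """Pull ATT&CK technique IDs out of Sigma tags (attack.t1053 -> T1053)."""
    return sorted(t.split(".", 1)[1].upper()
                  for t in rule["tags"] if t.lower().startswith("attack.t"))


if __name__ == "__main__":
    print(RULE["title"], "->", attack_techniques(RULE))
    print("matching RecordIds:", hunt(RULE, EVENTS))
```

Events 1 and 4 match (the uppercase SysWOW64 path in event 4 shows why Sigma's case-insensitive matching matters); event 2 has the right image but only queries tasks, and event 3 carries the string in an unrelated process. In a real pipeline, the rule would be converted by a Sigma backend into the target SIEM's query language rather than evaluated in Python, but the selection/condition semantics are the same.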