"Ukrainian Energy Supplier Targeted by New Industroyer Malware"

Security researchers from cybersecurity vendor ESET, in collaboration with the Ukrainian Computer Emergency Response Team (CERT-UA), have found that a Ukrainian energy supplier was targeted by a new variant of the Industroyer malware, named Industroyer2. The original Industroyer is believed to have been used by the Sandworm APT group to cut power in Kyiv, Ukraine, in 2016. In the latest incident, ESET stated that Sandworm, which is linked to the Russian state security services, attempted to deploy the new version of Industroyer against high-voltage electrical substations in Ukraine in order to trigger power outages. The malware was scheduled to execute on April 8, 2022.

The researchers noted that Sandworm used several other destructive malware families in coordination with Industroyer2, including CaddyWiper, ORCSHRED, SOLOSHRED, and AWFULSHRED. CaddyWiper was used to erase traces of Industroyer2. The attack is believed to have been planned for at least two weeks. ESET and CERT-UA managed to remediate the attack on the unnamed critical infrastructure network and are continuing to investigate the incident. Currently, there is no information on how the attackers compromised the initial victim or how they moved from the IT network to the industrial control system (ICS) network.

The researchers stated that while Industroyer2 shares several characteristics with the original Industroyer, it also has some notable differences. In particular, Industroyer2 carries a detailed configuration hardcoded in its body, which drives the malware's actions, whereas the original Industroyer stored its configuration in a separate .INI file. The researchers said this new configuration format enables Industroyer2 to communicate with multiple devices at once.


Infosecurity reports: "Ukrainian Energy Supplier Targeted by New Industroyer Malware"
