Industroyer2 Malware

Critical infrastructure services in Ukraine have been targeted by cyberattacks both before and after the Russian invasion of the country. It appears that cybercriminals are still launching more attack operations, with one of the latest targets being a Ukrainian energy provider.

The threatening campaign attempted to deploy a new piece of malware called Industroyer2, which is capable of damaging or disrupting the victim's ICS (Industrial Control Systems). The operation was aimed at a high-voltage electrical substation and reportedly failed to achieve its nefarious goals. Ukraine's Computer Emergency Response Team (CERT-UA), Microsoft, and the cybersecurity firm ESET are analyzing the attack. So far, the likely culprit is the Sandworm threat group, which is believed to operate under orders from Russia's GRU intelligence agency.

Threatening Characteristics

The Industroyer2 threat appears to be a new and improved version of malware known as Industroyer (CRASHOVERRIDE). Back in December 2016, the original Industroyer was deployed as part of an attack against an electrical substation in Ukraine that managed to cause a short-lived power outage. Now, the Industroyer2 threat is being used in a similar manner. It is deployed on the targeted systems as a Windows executable that was supposed to be executed on April 8 via a scheduled task.

To communicate with the industrial equipment of the target, Industroyer2 utilizes the IEC-104 (IEC 60870-5-104) protocol. This means that it can affect protection relays in electrical substations. In contrast, the older Industroyer threat was fully modular and could deploy payloads for several ICS protocols. Another difference was discovered in the configuration data. While the original threat used a separate file to store this information, Industroyer2 has its configuration data hardcoded into its body. As a result, each sample of the threat needs to be specifically tailored for the environment of the chosen victim.
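Because Industroyer2 speaks IEC-104 directly to substation equipment, a defender's first question is what that traffic looks like on the wire and how routine monitoring messages can be told apart from control commands. The following parser is an added example written for this entry; it is not code from the original page, from Industroyer2 or from any of the cited analyses. The frame layout and the ASDU type identifiers (M_SP_NA_1 = 1, C_SC_NA_1 = 45, C_DC_NA_1 = 46, and so on) are the public values defined by IEC 60870-5-104, and the byte strings at the bottom are constructed for the example rather than captured traffic. It flags any I-format APDU that carries a state-changing command with cause of transmission "activation", which in a substation network should only ever originate from the known SCADA master.

```python
"""Passive IEC 60870-5-104 (IEC-104) APDU parser that flags control commands.

Added example, not code from the original entry or from any analysis of the
malware. Protocol constants are the public values from the IEC 60870-5 standard;
the byte strings at the bottom are constructed for this example, not captured
traffic.
"""
from dataclasses import dataclass
from typing import List, Optional

START_BYTE = 0x68

# ASDU type identifiers (IEC 60870-5-101/104). Monitoring direction = M_*,
# control direction = C_*.
TYPE_NAMES = {
    1: "M_SP_NA_1 single-point information",
    3: "M_DP_NA_1 double-point information",
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    100: "C_IC_NA_1 interrogation command",
}
# Commands that change the state of switching equipment (breakers, etc.).
STATE_CHANGING_TYPES = {45, 46, 47}
COT_ACTIVATION = 6  # cause of transmission: activation


@dataclass
class Apdu:
    frame_format: str                 # "I" (data), "S" (ack) or "U" (link control)
    type_id: Optional[int] = None     # ASDU type id (I-format only)
    cot: Optional[int] = None         # cause of transmission (I-format only)
    common_address: Optional[int] = None
    first_ioa: Optional[int] = None   # information object address of first object


def parse_apdu(buf: bytes, offset: int = 0):
    """Parse one APDU starting at offset. Returns (Apdu, next_offset)."""
    if len(buf) - offset < 6 or buf[offset] != START_BYTE:
        raise ValueError(f"no IEC-104 start byte at offset {offset}")
    length = buf[offset + 1]          # number of octets following the length octet
    end = offset + 2 + length
    if length < 4 or end > len(buf):
        raise ValueError(f"truncated APDU at offset {offset}")
    ctrl = buf[offset + 2:offset + 6]
    asdu = buf[offset + 6:end]
    # The two low bits of the first control octet select the frame format.
    if ctrl[0] & 0x01 == 0:
        fmt = "I"
    elif ctrl[0] & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    if fmt != "I":
        return Apdu(fmt), end
    if len(asdu) < 6:
        raise ValueError("I-format APDU with incomplete ASDU header")
    type_id = asdu[0]
    cot = asdu[2] & 0x3F              # bits 6-7 carry the P/N and test flags
    common_address = asdu[4] | (asdu[5] << 8)
    first_ioa = None
    if len(asdu) >= 9:                # IOA is 3 octets, little-endian
        first_ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    return Apdu(fmt, type_id, cot, common_address, first_ioa), end


def scan_stream(data: bytes) -> List[Apdu]:
    """Split a reassembled TCP payload into its APDUs."""
    apdus, offset = [], 0
    while offset < len(data):
        apdu, offset = parse_apdu(data, offset)
        apdus.append(apdu)
    return apdus


def detect_control_commands(data: bytes) -> List[Apdu]:
    """Return every APDU carrying a state-changing command being activated."""
    return [
        a for a in scan_stream(data)
        if a.frame_format == "I"
        and a.type_id in STATE_CHANGING_TYPES
        and a.cot == COT_ACTIVATION
    ]


# Constructed sample stream (not captured traffic):
#  1. U-format STARTDT act
#  2. I-format M_SP_NA_1, COT 3 (spontaneous), CA 1, IOA 1, value ON
#  3. I-format C_SC_NA_1, COT 6 (activation), CA 1, IOA 100, SCO execute/ON
#  4. S-format acknowledgement
SAMPLE_STREAM = bytes.fromhex(
    "680407000000"
    "680e00000000" "01010300" "0100" "010000" "01"
    "680e02000000" "2d010600" "0100" "640000" "01"
    "680401000200"
)

if __name__ == "__main__":
    for hit in detect_control_commands(SAMPLE_STREAM):
        print(f"control command: {TYPE_NAMES[hit.type_id]} "
              f"CA={hit.common_address} IOA={hit.first_ioa}")
```

Run against the constructed stream, only the third APDU is reported: the spontaneous single-point measurement and the link-control frames pass silently. In a real deployment the stream would come from a network tap in front of the protection relays, and the alert condition would additionally compare the TCP source against an allow-list of legitimate masters; the parser deliberately reads only the ASDU header and first object address, which is all a detection rule needs.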
