In 2015, the cybercriminal group Sandworm carried out a major attack on the Ukrainian electricity system using the Industroyer malware, causing numerous power outages. That attack allowed the NCSC, CISA, and the NSA to link Sandworm to the GRU, a Russian intelligence entity.
According to CERT-UA (the Ukrainian government’s CERT), Sandworm had planned a new attack against industrial infrastructure controlling high-voltage power substations, using a new version of this malware, Industroyer2. CERT-UA, assisted by ESET researchers, managed to block the attack, which was scheduled for the evening of 8 April 2022.
CERT-UA reports that the attackers had infected the network in February 2022 and then managed to reach the ICS (industrial control system). In addition to Industroyer2, researchers identified a new version of the destructive CaddyWiper malware on the network, which was likely deployed to slow down the recovery of ICS consoles after the attack and to hide its traces.
“Ukraine is once again at the centre of cyberattacks targeting their critical infrastructure. This new Industroyer campaign follows multiple waves of wipers that have been targeting various sectors in Ukraine,” comment ESET researchers.