HackDig : Dig high-quality web security articles

Russia-linked Sandworm continues to conduct attacks against Ukraine

2022-05-21 10:31

Security researchers from ESET reported that the Russia-linked APT group Sandworm continues to target Ukraine.

Security experts from ESET reported that the Russia-linked cyberespionage group Sandworm continues to launch cyber attacks against entities in Ukraine.

Sandworm (aka BlackEnergy and TeleBots) has been active since 2000, it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).

The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017, causing billions worth of damage.

In April, Sandworm targeted energy facilities in Ukraine with a new strain of the Industroyer ICS malware (INDUSTROYER2) and a new version of the CaddyWiper wiper.

According to the CERT-UA, nation-state actors targeted high-voltage electrical substations with INDUSTROYER2, the variant analyzed by the researchers were customized to target respective substations.

The attackers also employed the CADDYWIPER wiper to target Windows-based systems, while hit server equipment running Linux operating systems with ORCSHRED, SOLOSHRED, AWFULSHRED desruptive scripts.

“Centralized distribution and launch of CADDYWIPER is implemented through the Group Policy Mechanism (GPO). The POWERGAP PowerShell script was used to add a Group Policy that downloads file destructor components from a domain controller and creates a scheduled task on a computer.” reads the advisory published by the Ukrainian CERT. “The ability to move horizontally between segments of the local area network is provided by creating chains of SSH tunnels. IMPACKET is used for remote execution of commands.”

CERT-UA states that the APT groups launched at least two waves of attacks against the energy facilities. The initial compromise took place no later than February 2022. Interestingly, the disconnection of electrical substations and the decommissioning of the company’s infrastructure was scheduled for Friday evening, April 8, 2022. 

The good news is that the attacks were detected and neutralized by government experts with the help of cybersecurity firms ESET and Microsoft.

The CERT-UA collected indicators of compromise for these attacks and shared them, along with Yara rules, with a limited number of international partners and Ukrainian energy companies.

Security firm ESET, which helped the Ukrainian government, published a detailed report on the Industroyer2 wiper used to target a Ukrainian energy company.

Now, the experts from ESET announced the discovery of a new variant of a malware loader used by the threat actors as part of the Industroyer2 attacks, CERT-UA tracked the malicious code as ArguePatch.

“Russia-linked Sandworm continues to conduct attacks against Ukraine”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)
Tell me why you support me <3

Tag Cloud