Threat Signal Report

Industroyer2 Discovered Attacking Critical Ukrainian Verticals

description-logo Description

FortiGuard Labs is aware of new reports of Industroyer2, the successor to the Industroyer malware. First discovered in 2016, Industroyer was attributed to energy grid attacks in Kiev, Ukraine. The attack resulted in a loss of electricity for over an hour and was attributed to the Russian government (Sandworm). The latest discovery of Industroyer2 was discovered by researchers at ESET (who also discovered Industroyer in 2015).


Industroyer is an Industrial Control System (ICS) specific malware that is modular and was discovered to have capabilities to control electrical substations and circuit breakers. It uses industrial communication protocols and techniques to conduct its operations via a global industry standard used by many critical infrastructure verticals.


This latest variant of Industroyer2 was seen targeting ICS devices within electrical substations and then trying to erase any evidence of its attack by running CaddyWiper malware along with other Linux and Solaris (UNIX) wipers. It is currently unknown at this time how the threat actors were able to compromise and obtain initial access before entering into the ICS network. For further details on CaddyWiper, please see our Threat Signal here.


This is a current news event, further details will be published when available.


What are the Technical Details of this Attack?

Industroyer2 is a Windows executable file and was executed via a scheduled task on April 8th. According to the analysis, it was compiled on March 23rd which suggests that the threat actors (Sandworm) behind this attack had planned it for over two weeks.


Industroyer2 communicates over the IEC 60870-5-104 protocol, which is used by ICS/SCADA devices to communicate. This variant is different from the original Industroyer, which supported multiple ICS protocols.


Caddywiper was deployed via a group policy object (GPO) to likely thwart any forensic recovery and analysis. It was found on machines that contained Industroyer2 installations. Other malware (ORCSHRED, SOLOSHRED, AWFULSHRED) found in these campaigns were destructive Linux and Solaris (UNIX) versions that acted as a worm and wiper and were deployed via shell scripts.


What Operating Systems are Affected?

Windows, Linux and Solaris systems are affected.


What is the Severity of this Attack?

Medium. This is limited specifically to targeted attacks.


What is the Status of Coverage?

FortiGuard Labs has the following (AV) signatures in place for publicly available samples as:


W32/IndustroyerB!tr

W32/Agent.AECG!tr

Data/KillDisk.NDA!tr


All network IOC's are blocked by the WebFiltering client.



Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.