Russia's Sandworm hackers tried to knock out Ukrainian energy provider but failed

The first attack took place no later than February 2022, while the final destructive stages were set for April 8, 2022

A long-planned assault by the Russian state-sponsored hacking outfit Sandworm to shut off power to millions of Ukrainians was thwarted last week, Ukraine ' s government and security researchers disclosed on Tuesday.

Cybersecurity firm ESET said in its report that hackers used a new Industroyer malware variant and a new version of the CaddyWiper data destruction malware to target high-voltage electrical substations in Ukraine.

Ukraine's Governmental Computer Emergency Response Team (CERT-UA) said it took immediate steps to foil the assault.

It revealed that the target entity was attacked twice. The first attack took place no later than February 2022, while the final destructive stages were set for April 8, 2022.

The authorities did not say how many substations were targeted or where they were located due to security concerns, but an official claimed that around two million people would have been without power if the attack had been successful.

ESET and Microsoft researchers worked with the CERT-UA to remediate and defend the affected network.

The researchers said they were unable to determine how the attacker gained access to the environment or how they were able to move from the IT network into the ICS environment without being detected.

The ICS malware used in the attack is now identified as Industroyer2, and ESET believes it was built using the source code of Industroyer malware, which was used to disrupt power supplies in Ukraine in 2016.

The researchers described Industroyer2 as a highly configurable malware strain. It includes hardcoded extensive settings, necessitating recompilation for each new victim environment.

Industroyer2 was created on March 23, according to its Portable Executable date, implying that the assault had been prepared for at least two weeks.

CaddyWiper malware targets Windows OS, erasing user data and partition information from attached devices. This variant was designed for servers, user PCs and ACS TP (automated control systems of technological processes) workstations.

Victor Zhora, deputy chair of the State Service of Special Communications, said hackers had programmed the malware to shut off the power supply on Friday evening just as people returned home from work and turned on their TV sets to watch news broadcasts.

He said that intruders breached power grid networks before Russia's invasion in late February, and then uploaded the Industroyer2 virus later.

The Sandworm hacking group is thought to be part of a Russian military unit responsible for numerous operations against Ukrainian corporations in the energy, media, banking and other sectors.

The group is also blamed by Western prosecutors for the 2017 NotPetya wiper malware, which caused more than $10 billion in harm worldwide by wiping data from whole networks of computers belonging to organisations doing business in Ukraine.

The latest attack on Ukrainian energy provider looks to be a parallel operation by Sandworm, which recently used Cyclops Blink botnet to target WatchGuard firewall products and ASUS routers.

That botnet was successfully deactivated last month following a coordinated operation by American law enforcement and cyber-intelligence agencies.

The Federal Bureau of Investigation (FBI) worked with security vendor WatchGuard in a court-approved operation in March 2022 to copy and remove the Cyclops Blink malware from vulnerable internet-connected firewall devices that Sandworm exploited for command and control (C2) of the underlying botnet.

According to the US Justice Department, the operation disrupted the GRU's control over thousands of infected devices in multiple countries.