APTs on a Power Trip

The Sandworm Group, a Russian based APT, which recently made headlines after their botnet of machines infected with Cyclops Blink malware, was taken down by the US Department of Justice, has been busy crafting attacks targeting the Ukrainian power grid. The Computer Emergency Response Team of Ukraine (CERT-UA), had to step in and take action to thwart the attack on the country’s energy facilities. Blame for the attack has been placed on Sandworm in support of Russian military actions in Eastern Ukraine. The Slovakian cybersecurity firm, ESET, stated that Russian attacks on the Ukrainian power grid attempted to cause a blackout that would affect two million people.

The attackers attempted to destroy computers using wiper malware that was crafted to infect specific targets and erase data making the machines useless. Multiple strains of wiper malware have been used in attacks against Ukraine since the beginning of the conflict, however, the wiper malware used in the power grid attacks is a new variant.

The new wiper malware called CaddyWiper, was first observed on 14 March 2022, and differs from the HermeticWiper and IsaacWiper because it does not destroy domain controllers. Researchers from ESET believe that this is because attackers want to maintain access to target systems to further disrupt operations.[1]

CaddyWiper operates in two primary stages. The first stage overwrites all files on the machines disk, and the second stage destroys the disk layout and partition tables. Most wiper malware delete or destroy the start files to prevent file recovery. In an event that a target file is greater than 10 Megabytes, CaddyWiper only destroys the first 10 megabytes. The wiper malware starts with the “C:\Users” drive and works all the way to the “Z:\” if it exists. IBM Security X-Force has provided both a Yara signature and Indicators of Compromise to identify CaddyWiper, they are pictured below.[2]According to CERT-UA, CaddyWiper was supposed to wipe data from Windows machines and malicious scripts including ORCSHRED, SOLOSHRED, and AWFULSHRED, were set to disrupt and wipe data on Linux servers.

This is not the first time that Russia has used cyber attacks on the Ukrainian power grid. Russian hackers were able to successfully cause blackouts in Kyiv in 2016 using the original Industroyer malware marking one of the first recorded critical infrastructure cyber attacks and resulted in blackouts that last over and hour.[3]

The Sandworm team used a revamped version of Industroyer called Industroyer2, which directly interacts with the electrical equipment and sends commands to substations to control the flow of power. Researchers believe that the attackers were able to access systems at a regional Ukrainian energy firm and plant the malware as early as February 2022, but the attack was detected and mitigated before any blackouts occurred.[4] The Industroyer2 code shares the same source code as the original but is highly configured with hard coded target IP addresses, meaning that it must be recompiled for new targets and environments.

Russian attackers were successful in penetrating and disrupting part of the industrial control system, but ultimately were stopped when Ukrainian workers intervened and prevented electrical outages. Industroyer2 tasks were scheduled for 8 April 2022, followed by wiping procedures 10 minutes after. The attack plan was to disrupt power distribution and then wipe the machines prolonging recovery.

The escalation of attacks in Ukraine has prompted a Cybersecurity & Infrastructure Security Agency (CISA) alert warning critical infrastructure organizations that Advanced Persistent Threats (APTs) have created tools targeting Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) devices. APTs are using tools to scan ICS/SCADA devices for vulnerabilities that, once exploited, will allow attackers access to the Operational Technology (OT) network.

The revamp of Industroyer2, development of new wiper malware, CaddyWiper, and the recent discovery of PIPEDREAM, means it is time for domestic energy companies to look hard at their security practices and prepare to defend against a new wave of sophisticated ICS/SCADA attacks.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings: