The CERT-UA team, with the help of ESET and Microsoft researchers, stopped a cyber attack on a Ukrainian energy provider. While containing the attack, they discovered a new version of Industroyer, the infamous malware that the Sandworm APT group used in 2016 to cut off electricity in Ukraine.

CERT-UA is Ukraine's government computer emergency response team. According to CERT-UA, the attack targeted several of the victim's infrastructure components: high-voltage electrical substations, network equipment, on-site computers, and Linux-based server equipment.

The victim organization suffered two waves of attacks. The initial compromise took place no later than February 2022, and the final stage, a complete shutdown of the substations and the disabling of the supporting infrastructure, was scheduled for the evening of Friday, April 8. The responders managed to prevent it.

ESET researchers explained that, in addition to the new Industroyer, the attackers used several destructive malware families: CaddyWiper, ORCSHRED, SOLOSHRED and AWFULSHRED. CaddyWiper was first seen on March 14, 2022, when it was used against a Ukrainian bank.

ESET does not know exactly how the attackers gained initial access or how they moved from the IT network into the Industrial Control System (ICS) network. CERT-UA, however, stated that the attackers may have moved laterally between network segments by building chains of SSH tunnels.

An SSH tunnel forwards arbitrary TCP connections through an encrypted SSH session to a host the server can reach. Chaining tunnels through successive hosts lets an attacker who holds valid credentials reach segments that are not directly routable from the initial foothold, while the traffic looks like ordinary administrative SSH. Each hop in such a chain only works if the SSH server on that hop permits port forwarding, which OpenSSH does by default.
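The audit below is an added example written for this article, not code from CERT-UA, ESET or the OpenSSH project. It reads an OpenSSH server configuration and reports the settings that make the host usable as a tunnel hop. It assumes the parsing rules from sshd_config(5): keywords are case-insensitive, the first value set for a keyword wins, a '#' starts a comment, and a Match block overrides the global section for connections that satisfy it. The two configurations, the account name ot-maint and the addresses are constructed for the example.

```python
"""Audit an OpenSSH server config for settings that allow SSH tunnelling.

Added example for this article (not CERT-UA, ESET or OpenSSH code). It
assumes the sshd_config(5) rules: keywords are case-insensitive, the
FIRST value set for a keyword wins, '#' starts a comment, and Match
blocks override the global section for matching connections.

Client side, a chain like the one the article describes looks like
(illustrative command, not taken from the incident):
    ssh -J it-jump,dmz-relay -L 2222:10.20.30.40:22 maint@ot-gateway
Every hop works only because that hop's sshd permits TCP forwarding.
"""
import re

# Documented OpenSSH global defaults, keyed by lowercase keyword.
DEFAULTS = {
    "allowtcpforwarding": "yes",  # -L / -R / -D port forwarding
    "permittunnel": "no",         # ssh -w layer-2/3 tun devices
    "gatewayports": "no",         # remote forwards on non-loopback addresses
    "permitopen": "any",          # destinations allowed for local forwards
}


def parse_sshd_config(text):
    """Return (effective_globals, match_overrides).

    effective_globals maps each DEFAULTS keyword to its effective global
    value; match_overrides lists (match_criteria, keyword, value) for the
    same keywords set inside Match blocks, which sshd applies only to
    connections that satisfy the criteria.
    """
    effective = {}
    match_overrides = []
    current_match = None  # None while still in the global section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current_match = value
            continue
        if key not in DEFAULTS:
            continue
        if current_match is not None:
            match_overrides.append((current_match, key, value.lower()))
        elif key not in effective:
            effective[key] = value.lower()  # first obtained value wins
    for key, default in DEFAULTS.items():
        effective.setdefault(key, default)
    return effective, match_overrides


def pivot_findings(effective):
    """List the global settings that make this sshd usable as a tunnel hop."""
    findings = []
    fwd = effective["allowtcpforwarding"]
    if fwd != "no":
        findings.append("allowtcpforwarding=%s: ssh -L/-R/-D can relay TCP "
                        "through this host" % fwd)
    if fwd in ("yes", "all", "local") and effective["permitopen"] == "any":
        findings.append("permitopen=any: local forwards may reach any "
                        "host:port routable from this host")
    if effective["permittunnel"] != "no":
        findings.append("permittunnel=%s: ssh -w can build an IP-level "
                        "tunnel" % effective["permittunnel"])
    if effective["gatewayports"] != "no":
        findings.append("gatewayports=%s: remote forwards are reachable "
                        "from other hosts" % effective["gatewayports"])
    return findings


# Constructed sample: an admin appended a hardening line at the bottom of a
# file that already set the keyword near the top; the first value wins.
WEAK_CONFIG = """
Port 22
PermitRootLogin no
AllowTcpForwarding yes
X11Forwarding no
PasswordAuthentication no
AllowTcpForwarding no
"""

# Constructed sample: forwarding off globally; one maintenance account from
# one subnet may forward, and only to a single ICS host.
HARDENED_CONFIG = """
AllowTcpForwarding no
PermitTunnel no
GatewayPorts no
X11Forwarding no
Match User ot-maint Address 10.10.0.0/24
    AllowTcpForwarding local
    PermitOpen 10.20.30.40:22
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        effective, overrides = parse_sshd_config(cfg)
        print(name, effective)
        for finding in pivot_findings(effective):
            print("  FINDING:", finding)
        for scope, key, value in overrides:
            print("  Match %s: %s %s" % (scope, key, value))
```

On a live host, `sshd -T` prints the effective configuration in the same lowercase keyword form this parser produces, and `sshd -T -C user=ot-maint,host=maint.example,addr=10.10.0.5` evaluates the Match blocks for one specific connection. That is the check worth running on every Linux box that sits between an IT and an ICS segment, because the weak sample above is exactly the case where a quick grep for "AllowTcpForwarding no" gives false reassurance.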

The US Cybersecurity and Infrastructure Security Agency (CISA) is working with CERT-UA on the attack, as its director, Jen Easterly, announced on Twitter.

ESET considers the Sandworm APT group, which was also responsible for the 2016 power outage, the most likely perpetrator of the attack on the energy sector. According to ESET, Ukraine is once again at the center of cyber attacks aimed at critical infrastructure.