Sandworm, a Russian military intelligence service, has been carrying out targeted attacks against Ukraine since 2014, including the infamous power grid attack in 2015. The group uses highly targeted spear-phishing emails and the BlackEnergy malware to infiltrate organizations. The attacks are serious but can be thwarted with proper security measures.
- Sandworm is a Russian military intelligence service that has been carrying out targeted attacks against Ukraine since 2014
- The group uses highly targeted spear-phishing emails and the BlackEnergy malware to infiltrate organizations
- The most notable attack was the power grid attack in 2015, the first blackout ever caused by a cyberattack
- Proper security measures can thwart these attacks
The power grid attack in 2015 left the homes of over 200,000 Ukrainians dark for several hours and was facilitated by the BlackEnergy malware. The attackers misused remote-access software to switch off the flow of electricity manually.
Industroyer2, a new version of the only malware ever to trigger electricity blackouts, was deployed in Ukraine amid the ongoing Russian invasion. As in 2016 with the original Industroyer, the aim of this recent cyberattack was to cause a major blackout, this time affecting more than two million people, with additional components amplifying the impact and making recovery harder. We believe the malware authors and attack orchestrators are the notorious Sandworm APT group, attributed by the US DoJ to Russia's GRU.

Our talk covers the technical details: our reverse engineering of Industroyer2 and a comparison with the original. Industroyer is unique in its ability to communicate with electrical substation ICS hardware (circuit breakers and protective relays) using dedicated industrial protocols. While Industroyer contains implementations of four protocols, Industroyer2 "speaks" just one: IEC-104.

We also provide a higher-level analysis of the attackers' modus operandi and discuss why and how the attack was mostly unsuccessful. One of the most puzzling things about Industroyer has been the stark contrast between its sophistication and its impact: a blackout lasting one hour in the middle of the night is not the worst it could have achieved. Industroyer2 did not even accomplish that.

Even though it did not cause any significant outage, the attack did cause disruption, mostly through multiple pieces of destructive wiper malware, including CaddyWiper. We discuss this and other malware accompanying Industroyer2, as well as other cyberattacks we have discovered in Ukraine since Russia's 2022 invasion and in the eight years since the war in Donbas began.

Finally, we present actionable advice for defenders, including: log entries to check; EDR rules to consider; configuration options to hamper Sandworm compromise and lateral movement; and detection/hunting rules for Snort and YARA.
By sharing our extensive experience tracking Sandworm, attendees will leave better able to protect their infrastructure and hunt for traces of Sandworm.
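Since Industroyer2 reaches breakers only through IEC-104, one hunting check a defender can run over a capture of the SCADA-to-RTU TCP session is to parse the APDUs and list every switching command. The following is an added example, not code from the talk or from ESET; the function names are my own, and the sample bytes are constructed, not real Industroyer2 traffic.

```python
# Added example (not the talk's or ESET's code): flag IEC 60870-5-104 switching
# commands in a captured byte stream, the ASDU types an Industroyer2-style attack
# must send to operate breakers. Sample bytes below are constructed.

START = 0x68
CONTROL_TYPES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 58: "C_SC_TA_1", 59: "C_DC_TA_1"}

def split_apdus(stream: bytes) -> list:
    """Cut a TCP stream into APDUs: 0x68, length byte, then that many bytes."""
    apdus, i = [], 0
    while i < len(stream):
        if i + 2 > len(stream) or stream[i] != START:
            raise ValueError(f"bad start byte at offset {i}")
        end = i + 2 + stream[i + 1]
        if stream[i + 1] < 4 or end > len(stream):
            raise ValueError(f"truncated or malformed APDU at offset {i}")
        apdus.append(stream[i:end])
        i = end
    return apdus

def parse_control_command(apdu: bytes):
    """(ASDU type, IOA, action, COT) for a control-command I-frame, else None."""
    if apdu[2] & 0x01:                    # bit 0 set: S- or U-frame, no ASDU
        return None
    asdu = apdu[6:]                       # TypeID, VSQ, COT(2), CA(2), IOA(3), element
    if len(asdu) < 10 or asdu[0] not in CONTROL_TYPES:
        return None                       # monitoring data, interrogation, etc.
    cot = asdu[2] & 0x3F                  # cause of transmission; 6 = activation
    ioa = int.from_bytes(asdu[6:9], "little")
    qual = asdu[9]                        # SCO (single) or DCO (double) byte
    if asdu[0] in (45, 58):               # single command: SCS is bit 0
        state = "ON" if qual & 0x01 else "OFF"
    else:                                 # double command: DCS is bits 0-1
        state = {1: "OFF", 2: "ON"}.get(qual & 0x03, "INVALID")
    phase = "select" if qual & 0x80 else "execute"   # S/E bit
    return (CONTROL_TYPES[asdu[0]], ioa, f"{phase} {state}", cot)

def find_control_commands(stream: bytes) -> list:
    """Every switching command in one direction of a captured IEC-104 session."""
    found = (parse_control_command(a) for a in split_apdus(stream))
    return [f for f in found if f is not None]

# Constructed sample (not real Industroyer2 traffic): STARTDT act, a single-point
# monitoring ASDU, then "execute ON" to IOA 0x1001 and "execute OFF" to IOA 0x1002.
# In practice, alert when such frames come from any host but the known SCADA master.
SAMPLE_STREAM = bytes.fromhex(
    "68 04 07 00 00 00"                                # U-frame STARTDT act
    "68 0e 00 00 00 00 01 01 03 00 01 00 05 00 00 01"  # I-frame M_SP_NA_1
    "68 0e 02 00 02 00 2d 01 06 00 01 00 01 10 00 01"  # C_SC_NA_1, SCO=0x01
    "68 0e 04 00 02 00 2e 01 06 00 01 00 02 10 00 01"  # C_DC_NA_1, DCO=0x01
)
```

Run it over each direction of a mirrored session separately; commands should only ever appear in the master-to-outstation direction, and only from the expected master.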