Saturday, July 16, 2022

Sandworm APT Trolls Researchers on Its Path as It Targets Ukraine
The notorious Sandworm threat group working out of Russia's military GRU unit has no qualms about taunting researchers when it finds it's being watched. Just ask Robert Lipovsky and his fellow researchers at ESET, who received the message loud and clear after they dissected one of Sandworm's newer malware variants earlier this year: The Sandworm attackers disguised the loader for one of its data-wiping variants as the IDA Pro reverse-engineering tool, the very same tool the researchers had used to analyze the attackers' malware.

Lipovsky, principal threat intelligence researcher at ESET, knew it was no coincidence. Sandworm most likely was overtly, and sarcastically, making a point that the group knew ESET was on its path. "There is no reason to use IDA Pro" in an attack on an engineering substation because that's not a tool that would be used on that system, he explains. "It's pretty clear the attackers are fully aware we're onto them and blocking their threats. They're maybe trolling us, I would say."

That wasn't the only message Sandworm appeared to be sending. The group also dropped a Trojan-ridden version of ESET's security software in its targeting of Ukrainian networks. "They were sending a message that they were aware we're doing our job defending the users in Ukraine," Lipovsky says.

Lipovsky was part of the ESET team that, together with Ukraine's computer emergency response team (CERT-UA) and Microsoft, in April blocked a cyberattack by Sandworm on an energy company in Ukraine using a new version of its game-changing Industroyer malware weapon, Industroyer2. Had it not been thwarted in time, the attack would have knocked several high-voltage substations off part of the country's electrical grid.

Industroyer2 is a more customized version of the first iteration (Industroyer) that Sandworm unleashed in December 2016, temporarily knocking out power in parts of Kyiv, the capital of Ukraine. The Industroyer2 attack attempt in April also came with destructive disk-wiping tools designed to destroy engineering workstations running Windows, Linux, and Solaris, in an attempt to thwart recovery operations when the attackers' planned power blackout hit. Industroyer was the first known malware able to shut off the lights, and it can communicate with ICS hardware in electrical substations (circuit breakers and protective relays, for instance) via common industrial network protocols.

Even after the high-profile foiling of the Industroyer2 attack attempt on Ukraine in April, Sandworm continues to relentlessly hammer at Ukraine's cyber defenses. "It didn't end with Industroyer2. It continues today," says Lipovsky, who with ESET senior malware researcher Anton Cherepanov will share their insiders' view of Sandworm and dissect the group's Industroyer2 malware at Black Hat USA in Las Vegas next month.

"There are more wipers today … and new execution chains being used," he says.

Many of the current attack attempts by Sandworm against Ukraine's infrastructure now carry disk-wiping weapons. "We have seen disruption activity [attempts] at elevated rates since February," he says, when Russia first invaded Ukraine. Intel-gathering via cyber-espionage attacks also has been active, he adds, noting that while Sandworm is the most prominent Russian threat actor targeting Ukraine, it isn't the only one.

Industroyer2 Up Close

In their Black Hat talk, Lipovsky and Cherepanov plan to reveal more technical details about Sandworm that haven't yet been made public, as well as share recommendations for utilities to defend against the nation-state group's attacks.

Lipovsky and his team describe Industroyer2 as a simpler, more streamlined version of the first one. Unlike the first Industroyer, Industroyer2 speaks just one OT protocol, IEC 104. The original version used four different industrial protocols. It's likely more efficient and focused that way: "[IEC 104 is] one of the most common [OT] protocols and a regional thing" in Europe, he notes.

The disk-wiping capabilities of Industroyer2 eclipse those of the first version. "The first one was a framework with multiple components, and it was also calling additional modules that were there for wiping," he says. Industroyer2 is more "self-contained" and delivers its wipers as separate executables, he says, malware weapons that have been discovered in other recent cyber incidents.

CaddyWiper is the main disk wiper used with Industroyer2. Sandworm pointed CaddyWiper at a Ukrainian bank 24 hours before Russia invaded Ukraine in February, at a government agency in early April, and at some Windows workstations at the targeted Ukrainian energy firm. Sandworm also deployed the destructive malware packages ORCSHRED, SOLOSHRED, and AWFULSHRED on Linux and Solaris workstations there. And, as a final touch, Sandworm had scheduled CaddyWiper to execute on April 8 as a way to erase all evidence of Industroyer2, but it was blocked.

Interestingly, Sandworm doesn't typically wipe domain controllers, so as not to disrupt its own foothold in the victim's network. "They wipe regular workstations to disrupt a target's operations, but they want to keep their presence once they've infiltrated an environment," Lipovsky says.

Even with all that ESET and other researchers now know about Industroyer2, there's still no full picture of the initial attack vector in the Industroyer2 attack on the Ukrainian energy firm. CERT-UA said the attack appeared to have been carried out in two stages, the first one likely in February of this year and the other in April, when the goal was to disconnect the electrical substations and sabotage the power operations on April 8.

Defense Against Industroyer, Sandworm

While Industroyer2 has been trained on Ukraine, its emergence has shaken the OT industry. "Industroyer was a wake-up call for the whole ICS community. This is a serious threat," Lipovsky says.

The playbook for protecting an OT network from Industroyer and related attacks isn't much different from others. "It's what we have always been saying: Have visibility into the environment; have EDR, XDR tools; multiple layers of security in the stack; and access controls," Lipovsky says.

In their talk at Black Hat, Lipovsky and Cherepanov also will share EDR rules, configuration tips to stop lateral movement, and rules for the Snort and YARA tools.

They also plan to reiterate that engineering workstations in OT networks have become prime targets, so they need to be part of the security equation. "A lot of SCADA software and monitoring is happening on regular workstations that run Windows or Linux. These machines should have the appropriate security measures and solutions that are multilayered," including running EDR or XDR tools, he says.
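Two points above meet in network monitoring: Industroyer2 speaks a single OT protocol, IEC 104, and the defensive playbook Lipovsky describes starts with visibility into the environment and detection rules. The following is an added example, not code from ESET, CERT-UA or the article: a minimal IEC 60870-5-104 frame parser that flags activation-phase control commands (single and double commands, set points) in a captured byte stream, the kind of event a substation defender would want logged and alerted on. Frame layout follows the public IEC 60870-5-104 and -101 specifications; the sample traffic is constructed for this example and is not an Industroyer2 capture, and the control-type table and alert tuple are my own choices.

```python
"""Added example: parse IEC 60870-5-104 (IEC 104) APDUs and flag process-control commands.
Frame layout per the public IEC 60870-5-104 / -101 specifications; SAMPLE_STREAM is constructed
for this example and is not real substation or malware traffic."""
import struct

START_BYTE = 0x68          # every IEC 104 APDU begins with 0x68 followed by an APDU length octet
COT_ACTIVATION = 6         # cause of transmission "activation": a master is issuing a command

# ASDU type IDs carrying process-control commands (IEC 60870-5-101 section 7.3.2), mapped to the
# command name and the number of element octets that follow each 3-octet information object address.
CONTROL_TYPES = {
    45: ("C_SC_NA_1 single command", 1),
    46: ("C_DC_NA_1 double command", 1),
    47: ("C_RC_NA_1 regulating step command", 1),
    48: ("C_SE_NA_1 set point, normalized", 3),
    49: ("C_SE_NB_1 set point, scaled", 3),
    50: ("C_SE_NC_1 set point, float", 5),
    51: ("C_BO_NA_1 bitstring command", 4),
    58: ("C_SC_TA_1 single command with time tag", 8),
    59: ("C_DC_TA_1 double command with time tag", 8),
}


def split_apdus(stream):
    """Yield each APDU body (4 control octets + ASDU) from a stream of concatenated APDUs."""
    pos = 0
    while pos < len(stream):
        if stream[pos] != START_BYTE:
            raise ValueError(f"expected start byte 0x68 at offset {pos}")
        length = stream[pos + 1]
        body = stream[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError(f"truncated APDU at offset {pos}")
        yield body
        pos += 2 + length


def parse_apdu(body):
    """Decode one APDU. Only I-format frames carry an ASDU; S- and U-format frames carry none."""
    ctrl0 = body[0]
    if ctrl0 & 0x01 == 0:
        fmt = "I"                            # information transfer
    elif ctrl0 & 0x03 == 0x01:
        fmt = "S"                            # supervisory (sequence acknowledgement)
    else:
        fmt = "U"                            # unnumbered control (STARTDT/STOPDT/TESTFR)
    frame = {"format": fmt, "objects": []}
    if fmt != "I":
        return frame
    asdu = body[4:]
    type_id = asdu[0]
    num_objects = asdu[1] & 0x7F             # VSQ: low 7 bits = object count, bit 7 = SQ flag
    frame["type_id"] = type_id
    frame["cot"] = asdu[2] & 0x3F            # low 6 bits of the COT octet; bit 6 P/N, bit 7 test
    frame["common_addr"] = struct.unpack("<H", asdu[4:6])[0]
    if type_id not in CONTROL_TYPES:
        return frame                         # object decoding here is limited to control types
    elem_len = CONTROL_TYPES[type_id][1]
    pos = 6
    for _ in range(num_objects):
        ioa = asdu[pos] | asdu[pos + 1] << 8 | asdu[pos + 2] << 16   # 3-octet IOA, little-endian
        obj = {"ioa": ioa}
        if type_id in (45, 46, 58, 59):
            qual = asdu[pos + 3]             # SCO or DCO octet: bit 7 S/E (1 = select, 0 = execute)
            obj["select"] = bool(qual & 0x80)
            if type_id in (45, 58):
                obj["state"] = "ON" if qual & 0x01 else "OFF"                       # SCS, bit 0
            else:
                obj["state"] = {1: "OFF", 2: "ON"}.get(qual & 0x03, "INVALID")      # DCS, bits 0-1
        frame["objects"].append(obj)
        pos += 3 + elem_len
    return frame


def flag_control_commands(stream):
    """Return (common address, IOA, command name, state, is_select) for every activation-phase
    control command in the stream. Interrogations and S-/U-frames are not alerted on."""
    alerts = []
    for body in split_apdus(stream):
        frame = parse_apdu(body)
        if frame["format"] != "I" or frame.get("type_id") not in CONTROL_TYPES:
            continue
        if frame["cot"] != COT_ACTIVATION:
            continue
        name = CONTROL_TYPES[frame["type_id"]][0]
        for obj in frame["objects"]:
            alerts.append((frame["common_addr"], obj["ioa"], name, obj.get("state"), obj.get("select")))
    return alerts


# Constructed sample stream: TESTFR act (U-frame), general interrogation (I-frame, type 100),
# select then execute of a single command ON for IOA 4097 (I-frames, type 45), S-frame ack.
SAMPLE_STREAM = bytes.fromhex(
    "68 04 43 00 00 00 "
    "68 0E 00 00 00 00 64 01 06 00 01 00 00 00 00 14 "
    "68 0E 02 00 02 00 2D 01 06 00 01 00 01 10 00 81 "
    "68 0E 04 00 02 00 2D 01 06 00 01 00 01 10 00 01 "
    "68 04 01 00 06 00"
)

if __name__ == "__main__":
    for alert in flag_control_commands(SAMPLE_STREAM):
        print("control command:", alert)
```

On the constructed stream this flags the two single-command frames (select, then execute, both switching IOA 4097 ON) and stays silent on the test frame, the interrogation and the acknowledgement. In a real deployment the bytes would come from reassembled TCP payload on the IEC 104 port (2404 by default), and because APDUs can straddle TCP segments the monitor would need stream reassembly before calling split_apdus; a control command arriving from a host that is not a known master is the condition worth alerting on.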
