ESET recently reported on Industroyer2, a multi-component ICS malware used to target a Ukrainian energy company.
What is Industroyer2?
Industroyer2 is malware specifically designed to target ICS (industrial control systems), like those typically used by critical infrastructure entities such as energy companies. ESET worked with CERT-UA to respond to an attempted attack on a Ukrainian energy company. The threat actors responsible for the attack used Industroyer2, a newer variant of the Industroyer malware ESET previously profiled.
The original Industroyer was sophisticated malware used in 2016 to disrupt the working processes of industrial control systems. The attacks were attributed to the Russian-nexus threat actor group known as Sandworm. According to ESET, the threat actors responsible for developing Industroyer had an advanced understanding of ICS, particularly those used in electrical substations. The original Industroyer malware consisted of a main backdoor, a secondary backdoor used to maintain persistence in the targeted systems, a launcher, multiple payloads tailored to the target environment, a port scanner tool, a DoS tool, and a data wiper used in the final phase of the attack.
Industroyer2 is a single Windows executable compiled on March 3, 2022. It was executed on April 8 using a scheduled task. ESET assessed that Industroyer and Industroyer2 were built from the same source code.
However, Industroyer2 differs from the original Industroyer malware in that it uses only the IEC-104 protocol to communicate with industrial equipment, rather than being a fully modular platform with payloads for multiple ICS protocols. Industroyer2 is highly configurable, but it must be tailored and recompiled for each victim or target environment.
The attack leveraging Industroyer2 has been attributed to Sandworm. Additionally, the threat actors used CaddyWiper, ORCSHRED, SOLOSHRED, and AWFULSHRED in the attack. PolySwarm profiled CaddyWiper in a blog post last month. In the recent attack on the Ukrainian energy company, the threat actors used a new version of CaddyWiper with a new loader. ORCSHRED, SOLOSHRED, and AWFULSHRED were used to target Linux and Solaris systems, leveraging both a worm and a wiper component. At present, ESET has not determined how the threat actors initially gained access to the target systems, or how they moved from the IT network to the ICS network.
Who is Sandworm?
Sandworm, also known as VooDoo Bear, BlackEnergy, Quedagh, Telebots, and Iron Viking, is a Russian-nexus threat actor group active since at least 2011. The group is thought to be affiliated with GRU Unit 74455. Sandworm has a history of attacks targeting ICS and critical infrastructure systems. They were allegedly responsible for the 2015 and 2016 cyberattacks on the Ukrainian power grid, the 2017 NotPetya attacks, and the Cyclops Blink malware released earlier this year. Sandworm TTPs and tooling include, but are not limited to, phishing, password spraying, masquerading as other threat actors, credential dumping, defacement, wipers, BlackEnergy, GCat, NotPetya, VPNFilter, CHEMISTGAMES, Exaramel, Olympic Destroyer, PassKillDisk, Cyclops Blink, CaddyWiper, ORCSHRED, SOLOSHRED, AWFULSHRED, Industroyer, and Industroyer2.
PolySwarm has multiple samples of Industroyer2.
You can use the following CLI command to search for all Industroyer2 samples in our portal:
$ polyswarm link list -f Industroyer2