Ukraine thwarted large-scale cyberattacks on electrical substations

According to Ukrinform, the State Service of Special Communications and Information Protection of Ukraine reports in a Telegram.

The government’s Computer Emergency Response Team CERT-UA, operating under the auspices of the State Special Communications Service, reported that Sandworm Group (UAC-0082) had a cyberattack on Ukraine’s power plants using the malware Industroyer2 and CaddyWiper.

It was established that the attackers’ plan ensured the failure of various infrastructure elements of the attack object.

In particular, it was planned to decommission electrical substations with the help of the malicious program Industroyer2. Each executable was found to contain a statically determined set of unique parameters for the corresponding substations.

With the help of the malicious program CaddyWiper, the attackers planned to disable electronic computers (user computers, servers and automated workstations ACS TP) running the Windows operating system.

It was planned to disable the server hardware running the Linux operating system using malicious destructive scripts. The attackers also planned to hack active network hardware.

According to the State Special Service, the organization affected by the cyberattack has experienced two waves of attacks.

“The first compromise took place no later than February 2022. On the evening of Friday, April 8, the attackers planned to disable the electrical substations and disable the company’s infrastructure. But the implementation of the malicious plan was foiled,” the service said.

Information, including malware samples, was passed on to international partners and Ukrainian energy companies to confirm the existence of a similar threat to other Ukrainian entities.

CERT-UA gives special thanks to Microsoft and ESET.

As Ukrinform reported, the State Special Communications and Information Protection Service warned of a new cyber-attack of the Armageddon group against the Ukrainian authorities.