securityaffairs.co
Open in
urlscan Pro
2001:8d8:100f:f000::289
Public Scan
URL:
https://securityaffairs.co/wordpress/130123/apt/russia-sandworm-targets-energy-facilities-ukraine.html
Submission: On April 14 via api from US — Scanned from DE
Submission: On April 14 via api from US — Scanned from DE
Form analysis 1 forms found in the DOM
Name: searchform — GET https://securityaffairs.co/wordpress/
<form role="search" method="get" name="searchform" id="searchform" action="https://securityaffairs.co/wordpress/">
<div>
<input type="text" value="" name="s" id="s" autocomplete="off" title="Search..." class="blur">
<button type="submit">
<i class="fa fa-search"></i>
</button>
</div>
<div id="autocomplete"></div>
</form>Text Content
* Home * Cyber Crime * Cyber warfare * APT * Data Breach * Deep Web * Digital ID * Hacking * Hacktivism * Intelligence * Internet of Things * Laws and regulations * Malware * Mobile * Reports * Security * Social Networks * Terrorism * ICS-SCADA * EXTENDED COOKIE POLICY * Contact me MUST READ Headlines * US gov agencies e private firms warn nation-state actors are targeting ICS & SCADA devices * CISA adds Windows CLFS Driver Privilege Escalation flaw to its Known Exploited Vulnerabilities Catalog * Critical VMware Workspace ONE Access CVE-2022-22954 flaw actively exploited * Microsoft has taken legal and technical action to dismantle the Zloader botnet * CVE-2021-31805 RCE bug in Apache Struts was finally patched * China-linked Hafnium APT leverages Tarrask malware to gain persistence * Home * Cyber Crime * Cyber warfare * APT * Data Breach * Deep Web * Digital ID * Hacking * Hacktivism * Intelligence * Internet of Things * Laws and regulations * Malware * Mobile * Reports * Security * Social Networks * Terrorism * ICS-SCADA * EXTENDED COOKIE POLICY * Contact me RUSSIA-LINKED SANDWORM APT TARGETS ENERGY FACILITIES IN UKRAINE WITH WIPERS April 12, 2022 By Pierluigi Paganini Powered by pixfutureⓘ RUSSIA-LINKED SANDWORM APT GROUP TARGETED ENERGY FACILITIES IN UKRAINE WITH INDUSTROYER2 AND CADDYWIPER WIPERS. Russia-linked Sandworm threat actors targeted energy facilities in Ukraine with a new strain of the Industroyer ICS malware (INDUSTROYER2) and a new version of the CaddyWiper wiper. Powered by pixfutureⓘ According to the CERT-UA, nation-state actors targeted high-voltage electrical substations with INDUSTROYER2, the variant analyzed by the researchers were customized to target respective substations. The attackers also employed the CADDYWIPER wiper to target Windows-based systems, while hit server equipment running Linux operating systems with ORCSHRED, SOLOSHRED, AWFULSHRED desruptive scripts. “Centralized distribution and launch of CADDYWIPER is implemented through the Group Policy Mechanism (GPO). The POWERGAP PowerShell script was used to add a Group Policy that downloads file destructor components from a domain controller and creates a scheduled task on a computer.” reads the advisory published by the Ukrainian CERT. “The ability to move horizontally between segments of the local area network is provided by creating chains of SSH tunnels. IMPACKET is used for remote execution of commands.” CERT-UA states that the APT groups launched at least two waves of attacks against the energy facilities. The initial compromise took place no later than February 2022. It is interesting to note that the disconnection of electrical substations and the decommissioning of the company’s infrastructure was scheduled for Friday evening, April 8, 2022. The good news is that the attacks were detected and neutralized by government experts with the help of cybersecurity firms ESET and Microsoft. The CERT-UA collected indicators of compromise for these attacks and shared them, along with Yara rules, with a limited number of international partners and Ukrainian energy companies. Security firm ESET, which helped the Ukrainian government, published a detailed report on the Industroyer2 wiper used to target a Ukrainian energy company. The researchers confirmed that the attacks were scheduled for 2022-04-08, but artifacts suggest that the attack had been planned for at least two weeks. “We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine” reads the report published by ESET. “We assess with high confidence that the APT group Sandworm is responsible for this new attack.” Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice. To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform Follow me on Twitter: @securityaffairs and Facebook Pierluigi Paganini (SecurityAffairs – hacking, Ukraine) Powered by pixfutureⓘ Share this... Facebook Twitter Linkedin SHARE THIS: * Twitter * Print * LinkedIn * Facebook * More * * Tumblr * Pocket * * APTHackinghacking newsinformation security newsIT Information SecurityPierluigi PaganiniRussiaSandwormSecurity AffairsSecurity NewsUkraine -------------------------------------------------------------------------------- SHARE ON * * * * * * * PIERLUIGI PAGANINI Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”. -------------------------------------------------------------------------------- PREVIOUS ARTICLE NGINX project maintainers fix flaws in LDAP Reference Implementation NEXT ARTICLE Operation TOURNIQUET: Authorities shut down dark web marketplace RaidForums -------------------------------------------------------------------------------- YOU MIGHT ALSO LIKE US GOV AGENCIES E PRIVATE FIRMS WARN NATION-STATE ACTORS ARE TARGETING ICS & SCADA DEVICES April 14, 2022 By Pierluigi Paganini CISA ADDS WINDOWS CLFS DRIVER PRIVILEGE ESCALATION FLAW TO ITS KNOWN EXPLOITED VULNERABILITIES CATALOG April 14, 2022 By Pierluigi Paganini * SPONSORED CONTENT * * PIXFUTURE * * DIGGING THE DEEP WEB: EXPLORING THE DARK SIDE OF THE WEB * CENTER FOR CYBER SECURITY AND INTERNATIONAL RELATIONS STUDIES * SUBSCRIBE SECURITY AFFAIRS NEWSLETTER * SECURITYAFFAIRS AWARDED AS BEST EUROPEAN CYBERSECURITY TECH BLOG AT EUROPEAN CYBERSECURITY BLOGGER AWARDS More Story NGINX PROJECT MAINTAINERS FIX FLAWS IN LDAP REFERENCE IMPLEMENTATION The maintainers of the NGINX web server project addressed a zero-day vulnerability in the Lightweight Directory Access Protocol... Copyright 2021 Security Affairs by Pierluigi Paganini All Right Reserved. Back to top * Home * Cyber Crime * Cyber warfare * APT * Data Breach * Deep Web * Digital ID * Hacking * Hacktivism * Intelligence * Internet of Things * Laws and regulations * Malware * Mobile * Reports * Security * Social Networks * Terrorism * ICS-SCADA * EXTENDED COOKIE POLICY * Contact me This site uses cookies, including for analytics, personalization, and advertising purposes. For more information or to change your cookie settings, click here. If you continue to browse this site without changing your cookie settings, you agree to this use. Accept Read More Privacy and Cookies Policy Close PRIVACY OVERVIEW This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities... Necessary Necessary Always Enabled Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information. Non-necessary Non-necessary Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website. SAVE & ACCEPT