Digging up Sandworm: The Biggest Threat to the U.S. Power Grid

Russia’s Sandworm hacking group has been specializing in bringing down power grids for years. It orchestrated the first recognized, successful attack on a power grid when it disrupted the power supply for 230,000 people in Ukraine in 2015. The following year, the Industroyer malware took down the power supply to one-fifth of the population of Kiev for one hour. This was, at the time, considered a practice attack and it specifically targeted industrial control systems (ICS) that held the power grid together. Then, in 2017, Sandworm organized the Petya and NotPetya attacks which, through an infected, fake update, affected numerous private and government enterprises and, again, targeted the power grid. All of this resulted in six members of the Sandworm group being indicted by a U.S. grand jury in 2020.

Armed with the knowledge of how to disrupt power grids, the Sandworm group began to develop a new attack vector which coincided with Russia’s attack on Ukraine. The idea was to compromise devices and add them to a botnet that they controlled. This botnet, known as Cyclops Blink, has been under construction since 2019. When triggered, any member of the botnet could be used to launch an attack on any or all devices incorporated into the bot-compromised network. It was first publicly disclosed by UK and US cybersecurity agencies, just before the Russian invasion of Ukraine. As Trend Micro reported on March 17th, “we believe that it is possible that the Cyclops Blink botnet’s main purpose is to build an infrastructure for further attacks on high-value targets.”

The danger inherent in this botnet did not go unnoticed by U.S. law enforcement agencies who obtained a court order in March to sever the connections between any compromised devices it found and the C2 servers. Although not all connections were severed, enough were to make the botnet far less effective.

If anyone thought this action would stop Sandworm from continuing its operations, they would be wrong. This month, the Computer Emergency Response Team of Ukraine (CERT-UA) announced an attack on its power grid. The malware used was named Industroyer2 after the original 2016 malware that also targeted the electric power grid. Industroyer2 was designed to bring down high-voltage electrical substations in Ukraine.

Researchers who analyzed the malware believe the attack began using some sort of normal attack vector to compromise one end point and, from there, gained access to the industrial control system (ICS) network. Sandworm used a variety of malware in this attack which ESET summarized in the diagram below.

Industroyer2 is notable in its ability to modify itself based on the environment it finds itself in. It will use different tools to attack whatever operating system it discovers. It will use the appropriate malware to take out a particular type of electric component. If there is a protection relay in the network, it will target that. If there is a merging unit connected to a transformer, it will take that down. Circuit breakers and switches can be neutralized when necessary. Such non-specific malware can be used with a botnet to discover and exploit numerous vulnerabilities. Of course, this does not exclude the possibility that it can be used in a well-planned spearphishing attack.

In order to keep the compromised critical grid component inoperable for a longer period of time, Industroyer2 contains wiper malware which alters or deletes the boot sequence of devices to make repairs difficult, effectively neutralizing entire networks for longer periods.

The big question that remains is whether Russia will extend these power grid attacks to other countries in Europe or to the U.S. My guess is they are already putting the necessary tools in place, if they aren’t already there. In an interview for the Grid, Jim Lewis, a former top cyber official at the State and Commerce departments who now directs the strategic technologies program at the Center for Strategic and International Studies, stated that “the Russians are in the electrical grid or in the gas pipelines. They’re in critical infrastructure, and we don’t know if we’ve gotten them out. So we need to start preparing…My guess is they (the White House) got some kind of indicator from our own intelligence that the Russians were thinking about doing something dramatic.”

The F.B.I. also stated in a bulletin that Russia was scanning infrastructure networks looking for vulnerabilities. This is really nothing new. They do this all the time. The Industroyer2 malware has the capability of establishing itself within a network with a ‘detonator’ that could activate the malware at a specific time. In other words, all infected networks could be attacked at a specific, programmed time for maximum impact. And the Russians can’t wait forever to launch an attack because of the possibility the malware will be found and removed before it can accomplish its mission.

For the moment, there’s little the U.S. cyber team can do except warn companies to prepare themselves. They recently took the somewhat unprecedented step of offering a bounty on some Sandworm hackers.

Uncharacteristically, the government admits that attacks on U.S. infrastructure have occurred. They may be only referring to the SolarWinds attack or they know something they’re not telling us. Nothing, of course, will happen to these individuals unless they leave Russia. It’s basically a “we know who you are and what you’re doing” message. But one thing is clear. We are in a new era of cyberattacks and the main victim is going to be the infrastructure. Enter Sandworm.
