How Ukraine avoided another blackout attack

LAS VEGAS — The Industroyer malware attack on Ukraine’s energy grid in 2016 caused a significant blackout and marked a turning point for cyber attacks against critical infrastructure.

But the Industroyer2 malware attack, which was more sophisticated than the original, failed to take down Ukraine’s energy grid in March, thanks in part to the lessons learned from the 2016 attack.

During a Black Hat 2022 session Wednesday, researchers from cybersecurity vendor ESET and Victor Zhora, deputy chairman of Ukraine’s State Service of Special Communications and Information Protection (SSSCIP), discussed the Industroyer2 malware and the defensive response to the unsuccessful attack.

The Industroyer2 attack was preceded by several wiper attacks on Ukrainian networks, starting with HermeticWiper on Feb. 23 — a day before Russia’s invasion of Ukraine. “HermeticWiper was found on hundreds of systems in multiple organizations, and it was a pure act of cyber sabotage,” said Robert Lipovsky, principal threat intelligence researcher at ESET, during the presentation.

The situation escalated; on April 8, ESET was called in to analyze new malware discovered by CERT-UA, the national computer emergency response team for Ukraine, following an incident at an energy provider in the country. “Our analysis found that threat was bigger than expected,” Lipovsky said. “It was a new version of Industroyer, something which we hadn’t seen in the last five years.”

Unlike the original Industroyer malware, the second attempt failed to cause a blackout. But Lipovsky said that had Industroyer2 been successful, it could have left more than 2 million people in Ukraine in the dark.

“The attack was thwarted thanks to a prompt response by the defenders at the targeted energy company, and the work of CERT-UA and our assistance,” he said.

Responding to Industroyer2

Zhora said many private-sector companies have provided invaluable cybersecurity support for Ukraine during Russia’s invasion, but added that Microsoft and ESET have been especially crucial because the two vendors have the biggest presence on Ukrainian networks and massive amounts of telemetry data.

That data proved to be extremely valuable in thwarting…