On April 12, 2022, the Ukrainian CERT (CERT-UA) reported that the Russian Sandworm Team had targeted high-voltage electrical substations in Ukraine using a new variant of malware known as Industroyer (aka CrashOverride). The Sandworm Team, which is associated with the Russian GRU, previously used the original Industroyer variant to compromise the Ukrainian power grid in 2016, causing part of Kyiv to lose power for over an hour. The new variant, dubbed Industroyer2, interacts directly with electrical utility equipment, sending commands to the substation devices that control the flow of power. The threat actors planted the malware on systems within a regional Ukrainian energy firm and are believed to have gained access in early February 2022. The attack was detected and mitigated before a blackout occurred; had it succeeded, roughly two million people would have been affected.
This is a Security Bloggers Network syndicated blog from IronNet Blog authored by IronNet Threat Research Team with lead contributions by Morgan Demboski. Read the original post at: https://www.ironnet.com/blog/industroyer2-malware-targeting-ukrainian-energy-company