Sandworm Continues Cyberattacks on Ukraine
Security experts from ESET have reported that Sandworm is continuing to carry out cyberattacks against organizations in Ukraine. Sandworm (also known as Telebots, Voodoo Bear, Iron Viking, and BlackEnergy), also referred to as Unit 74455, is believed to be a Russian cyber military unit under the GRU, the organization responsible for Russian military intelligence.
The group is thought to be behind the cyberattack on Ukraine’s power grid in December 2015, the 2017 cyberattacks on Ukraine using the NotPetya malware, various attempts to interfere in the 2017 French presidential elections, and the cyberattack on the computer network of the 2018 Winter Olympics in Pyeongchang.
In April, Sandworm targeted Ukrainian energy facilities using a new strain of Industroyer ICS malware (INDUSTROYER2) and a new version of the wiper CaddyWiper. According to CERT-UA, nation-state actors targeted high-voltage electrical substations with INDUSTROYER2, a variant that researchers found had been adapted for the specific substations.
The attackers also used the CADDYWIPER wiper to attack Windows-based systems, while server equipment running Linux was hit with destructive scripts named ORCSHRED, SOLOSHRED, and AWFULSHRED.
“Centralized distribution and execution of CADDYWIPER is carried out through the Group Policy (GPO) mechanism. The POWERGAP PowerShell script was used to add a group policy that downloads file wiper components from the domain controller and creates a scheduled task on the computer,” according to a bulletin published by Ukraine’s CERT.
“The ability to move laterally between segments of the local network is provided by creating chains of SSH tunnels. IMPACKET is used for remote command execution.”
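The delivery chain the bulletin describes (a group policy change on the domain controller, followed by scheduled tasks appearing across workstations that fetch a payload from a domain-controller share) leaves a trail in Windows Security logs. The script below is an added detection example, not code from CERT-UA, ESET, or the attackers: it correlates event 5136 (directory service object modified) entries that touch the GPO container with event 4698 (scheduled task created) entries whose action references a UNC path on the domain controller. The event IDs are real; the field names, hostnames, paths, and sample records are constructed for this example, and the 2-hour window and 2-host threshold are assumptions to tune for your estate.

```python
"""
Added example (not from the CERT-UA bulletin or ESET's report): flag a GPO
change on a domain controller that is followed, within a short window, by
scheduled tasks on several hosts whose action pulls a payload from a DC share.
Event IDs 5136 and 4698 are real Windows Security event IDs; field names,
hostnames, paths and the sample records are constructed for this example.
"""
import re
from datetime import datetime, timedelta

GPO_CONTAINER = "CN=Policies,CN=System"   # LDAP container that holds group policy objects
WINDOW = timedelta(hours=2)               # assumed correlation window
MIN_HOSTS = 2                             # assumed threshold: tasks on >= 2 hosts

# Constructed sample events (timestamps are UTC, ISO-8601). Only the fields the
# detection needs are modelled; a real pipeline would map them from EventData.
SAMPLE_EVENTS = [
    # Benign: a user object edited on the DC, not a GPO
    {"ts": "2022-04-08T16:50:00", "id": 5136, "host": "DC01",
     "object_dn": "CN=jdoe,OU=Users,DC=corp,DC=example",
     "attribute": "description", "subject": "CORP\\helpdesk"},
    # Suspicious: a GPO's versionNumber bumped, i.e. the policy was modified
    {"ts": "2022-04-08T17:02:10", "id": 5136, "host": "DC01",
     "object_dn": "CN={PLACEHOLDER-GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example",
     "attribute": "versionNumber", "subject": "CORP\\svc-backup"},
    # Tasks created on two workstations shortly after, fetching from the DC share
    {"ts": "2022-04-08T17:05:41", "id": 4698, "host": "WS-0142",
     "task_name": "\\Microsoft\\Windows\\Maintenance\\Updater",
     "command": r"C:\Windows\System32\cmd.exe",
     "arguments": r"/c copy \\DC01\SYSVOL\corp.example\scripts\upd.exe C:\ProgramData\upd.exe"},
    {"ts": "2022-04-08T17:06:03", "id": 4698, "host": "WS-0207",
     "task_name": "\\Microsoft\\Windows\\Maintenance\\Updater",
     "command": r"C:\Windows\System32\cmd.exe",
     "arguments": r"/c copy \\DC01\SYSVOL\corp.example\scripts\upd.exe C:\ProgramData\upd.exe"},
    # Same pattern but hours before the GPO change: outside the window, ignored
    {"ts": "2022-04-08T12:30:00", "id": 4698, "host": "WS-0310",
     "task_name": "\\Vendor\\Sync",
     "command": r"C:\Windows\System32\cmd.exe",
     "arguments": r"/c \\DC01\SYSVOL\corp.example\scripts\sync.cmd"},
    # Benign: a task whose action is a local binary, no DC share involved
    {"ts": "2022-04-08T17:10:00", "id": 4698, "host": "WS-0142",
     "task_name": "\\Vendor\\Update",
     "command": r"C:\Program Files\Vendor\update.exe", "arguments": "/silent"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def references_dc_share(event, dc_hosts):
    """True if the task action reads from a DC UNC share (e.g. \\\\DC01\\SYSVOL\\...)."""
    text = f"{event.get('command', '')} {event.get('arguments', '')}"
    for dc in dc_hosts:
        if re.search(r"\\\\" + re.escape(dc) + r"\\", text, re.IGNORECASE):
            return True
    # Fall back to the SYSVOL share name itself, whichever DC served it
    return re.search(r"\\SYSVOL\\", text, re.IGNORECASE) is not None


def correlate(events, window=WINDOW, min_hosts=MIN_HOSTS):
    """Return one alert per GPO change followed by DC-share tasks on >= min_hosts hosts."""
    gpo_changes = [e for e in events
                   if e["id"] == 5136 and GPO_CONTAINER in e["object_dn"]]
    dc_hosts = {e["host"] for e in gpo_changes}
    tasks = [e for e in events if e["id"] == 4698 and references_dc_share(e, dc_hosts)]
    alerts = []
    for change in gpo_changes:
        start = _parse(change["ts"])
        hits = [t for t in tasks if start <= _parse(t["ts"]) <= start + window]
        hosts = sorted({t["host"] for t in hits})
        if len(hosts) >= min_hosts:
            alerts.append({
                "gpo": change["object_dn"],
                "changed_by": change["subject"],
                "dc": change["host"],
                "hosts": hosts,
                "tasks": sorted({t["task_name"] for t in hits}),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"GPO {alert['gpo']} changed by {alert['changed_by']} on {alert['dc']}; "
              f"DC-share tasks {alert['tasks']} created on {alert['hosts']}")
```

The benign GPO edit, the local-only task, and the task created hours before the policy change are all left out of the alert; only the burst of tasks that follows the GPO modification and pulls from the domain controller's share is reported, which is the shape of the delivery described in the bulletin.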
CERT-UA states that APT groups carried out at least two waves of attacks on energy facilities. The initial breach occurred no later than February 2022. Notably, the shutdown of electrical substations and the decommissioning of the company’s infrastructure were scheduled for the evening of Friday, April 8, 2022.
However, the attacks were detected and neutralized by government experts with the help of cybersecurity companies ESET and Microsoft. CERT-UA collected indicators of compromise for these attacks and shared them, along with Yara rules, with a limited number of international partners and Ukrainian energy companies.
ESET, which assisted the Ukrainian government, published a detailed report on the Industroyer2 wiper used in the attack on a Ukrainian energy company. Now, ESET specialists have announced the discovery of a new variant of a malicious loader used by attackers in the Industroyer2 attacks, which CERT-UA has tracked as ArguePatch.
According to researchers, the Industroyer2 attacks used a modified version of the Hex-Rays IDA Pro remote debugger server (win32_remote.exe), which included code to decrypt and launch CaddyWiper from an external file.
The APT group hid ArguePatch in an ESET executable file (eset_ssl_filtered_cert_importer.exe): the malicious code overwrote a function that is called during MSVC runtime initialization, so it runs as soon as the binary starts. Analysis of the injected code showed that it acts as a loader that launches the next-stage malware at a specific time.
“This approach replaces the need to set up a scheduled Windows task for future exploitation. It may be a way to avoid detection by known TTPs,” ESET explained in a series of tweets.