Researchers Look Inside Russian Malware Targeting Ukrainian Power Grid

pcmag.com:

Russia's invasion of Ukraine in early 2022 reignited fighting in the region, but also escalated an ongoing cyberwar. At the Black Hat security conference, security researchers from ESET examined the Industroyer2 malware, which was designed to cause a mass blackout in Ukraine.

In their talk, the ESET researchers traced the lineage of the Industroyer2 malware to a 2013 attack on the Ukrainian power grid using the BlackEnergy malware—"the first ever blackout caused by a cyberattack," according to Robert Lipovsky, the Principal Threat Intelligence Researcher at ESET.

About a year later, a second power grid attack knocked out power in cities across Ukraine. But unlike the first attack, this one featured the debut of the Industroyer malware, which Lipovsky says was only the second piece of malware after Stuxnet "designed to cause physical damage to industrial hardware."

Fast forward to Russia's invasion of Ukraine in 2022, and ESET spotted a new version of the malware it dubbed Industroyer2. This time, the attack was thwarted, avoiding dire consequences. "Had the attack been successful, theoretically more than 2 million people could have been left in the dark," Lipovsky says. "In our opinion, this was the most significant cyberattack, even if unsuccessful, in the war thus far."

In their presentation, the researchers identified the Sandworm APT group as responsible for creating and deploying these attacks. The US Department of Justice previously charged six members of Russia's GRU military intelligence agency for activities tied to the Sandworm APT group. Why Sandworm? Well, as Lipovsky explains, this group has a penchant for using names related to Frank Herbert's Dune. Yes, really.

An important part of Industroyer and