“Cannot be overstated what an incredible feat it was to catch this before they shut off power,” she later added. “Those Sandworm a**hats got shut down this time,” tweeted infosec influencer @z3r0trust.

The attackers attempted to use the Industroyer malware, a tool used in the past by Sandworm and designed to automatically trigger power disruptions. It was first used in a 2016 attack that led to a temporary power outage in the Ukrainian capital Kyiv. While successful in the past, some security influencers questioned whether the Sandworm group had run out of steam in recent months and whether the failed attempt reflected the capabilities of a dying unit. “Correct me if wrong, but seems the Moscow/St Pete tech/hackers may've fled RU while they could,” said Nancy Bowman, a diversity recruitment specialist (@BowmanNancy). “Wonder if Putin still has a cyber team up to the task post exodus?”

Others noted that the latest attempted attack signaled the war in Ukraine may increasingly develop digitally. “An important development: the discovery of a destructive malware campaign by Sandworm against Ukrainian energy company,” said Lauren Zabierek, Executive Director with the Cyber Project at Harvard Kennedy School's Belfer Center, who tweets under the handle @lzxdc. “The Russian war against Ukraine is far from over, and events in the cyber domain will continue to unfold.”

US removes malware in preemptive move

The power supply attack is yet another move to stop malicious cyber activity at Russian hands: earlier this month, United States officials announced they had secretly and preemptively removed malware from computer networks around the world. In that instance, officials allege Sandworm had implanted a specific type of malware known as Cyclops Blink on thousands of WatchGuard Technologies' Firebox devices, which are security appliances often used in home office environments and in small to midsize businesses. “US says it secretly took down Russian GRU-run malware operation. Aim unclear: Intelligence? Something disruptive? Disabled before it became operational,” tweeted security researcher John Scott-Railton.

Sandworm, according to an FBI statement, had constructed a botnet that would allow attackers to launch malware or to orchestrate distributed denial of service attacks. Officials are unsure of the exact intent of the malware, but similar tactics have already been used by the same group to attack Ukraine in the past. The GRU's Sandworm team “has a long history of outrageous, destructive attacks: The disruption of the Ukrainian electric grid in 2015, attacks against the Winter Olympics and the Paralympics in 2018, a series of disruptive attacks against the nation of Georgia in 2019, and, in 2017, the NotPetya attack that devastated Ukraine but also ended up hitting systems here in the U.S., throughout Europe, and elsewhere, causing more than 10 billion dollars in damages—one of the most damaging cyberattacks in the history of cyberattacks,” the FBI statement said.

Attacks on US next?

While speculation about Russian attacks targeting American infrastructure has swirled for weeks, CISA is now warning of the very real potential for attacks on critical infrastructure. The agency is urging critical infrastructure organizations, especially energy sector organizations, to implement the recommendations provided in a CISA alert. “Today the US Government announced a new ICS malware that has been designed to disrupt industrial operations. CISA/FBI/NSA put out a great advisory,” tweeted Dragos CEO and Co-founder Robert M. Lee. “We call the malware PIPEDREAM.”

Perlroth tweeted that the warning warrants immediate attention: “Here we go. New unnamed state hackers are infecting U.S. critical infrastructure—like grid operators—with custom tools capable of worst-case scenario attacks. There's no soft peddling it. This is very serious. Read @CISAgov's advisory in full. And do everything they say. Now.”