Curated commentary; timely topics

“Cannot be overstated what an incredible feat it was to catch this before they shut off power,” she later added.

“Those Sandworm a**hats got shut down this time,” tweeted infosec influencer @z3r0trust.

The attackers attempted to use the Industroyer malware, a tool used in the past by Sandworm and designed to automatically trigger power disruptions. It was first used in a 2016 attack that led to a temporary power outage in the Ukrainian capital, Kyiv. Although the tool had succeeded before, some security influencers questioned whether the Sandworm group had run out of steam in recent months and whether the failed attempt reflected the diminished capabilities of a dying unit.

“Correct me if wrong, but seems the Moscow/St Pete tech/hackers may've fled RU while they could,” said Nancy Bowman, a diversity recruitment specialist (@BowmanNancy). “Wonder if Putin still has a cyber team up to the task post exodus?”

Others noted that the latest attempted attack signaled that the war in Ukraine may increasingly be fought digitally.

“An important development: the discovery of a destructive malware campaign by Sandworm against Ukrainian energy company,” said Lauren Zabierek, Executive Director with the Cyber Project at Harvard Kennedy School’s Belfer Center, who tweets under the handle @lzxdc. “The Russian war against Ukraine is far from over, and events in the cyber domain will continue to unfold.”

US removes malware in preemptive move

The power supply attack is yet another instance of malicious Russian cyber activity being stopped: earlier this month, United States officials announced they had secretly and preemptively removed malware from computer networks around the world. In that instance, officials allege Sandworm had implanted a specific type of malware known as Cyclops Blink on thousands of WatchGuard Technologies’ Firebox devices, security appliances often used in home office environments and in small to midsize businesses.

“US says it secretly took down Russian GRU-run malware operation. Aim unclear: Intelligence? Something disruptive? Disabled before it became operational,” tweeted security researcher John Scott-Railton.

Sandworm, according to an FBI statement, had constructed a botnet that would allow attackers to launch malware or to orchestrate distributed denial of service attacks. Officials are unsure of the exact intent of the malware, but similar tactics have already been used by the same group to attack Ukraine in the past.

The GRU’s Sandworm team “has a long history of outrageous, destructive attacks: The disruption of the Ukrainian electric grid in 2015, attacks against the Winter Olympics and the Paralympics in 2018, a series of disruptive attacks against the nation of Georgia in 2019, and, in 2017, the NotPetya attack that devastated Ukraine but also ended up hitting systems here in the U.S., throughout Europe, and elsewhere, causing more than 10 billion dollars in damages—one of the most damaging cyberattacks in the history of cyberattacks,” the FBI statement said.

Attacks on US next?

While speculation about Russian attacks targeting American infrastructure has swirled for weeks, CISA is now warning of the very real potential for attacks on critical infrastructure. The agency is urging critical infrastructure organizations, especially those in the energy sector, to implement the recommendations provided in a CISA alert.

“Today the US Government announced a new ICS malware that has been designed to disrupt industrial operations. CISA/FBI/NSA put out a great advisory,” tweeted Dragos CEO and Co-founder Robert M Lee. “We call the malware PIPEDREAM.”

Perlroth tweeted that the warning warrants immediate attention: “Here we go. New unnamed state hackers are infecting U.S. critical infrastructure—like grid operators—with custom tools capable of worst-case scenario attacks. There’s no soft peddling it. This is very serious. Read @CISAgov’s advisory in full. And do everything they say. Now.”


Related reading:

Rare and dangerous Incontroller malware targets ICS operations

A coalition of U.S. government agencies, security researchers, and companies warn about this new malware that can gain complete access to ICS and SCADA systems.

FBI active defense measure removes malware from privately owned firewalls

The action targeted devices infected by the Cyclops Blink malware, believed to have been developed by Russia's Sandworm group.

Ukraine energy facility hit by two waves of cyberattacks from Russia’s Sandworm group

Sandworm succeeded in planting a new version of the Industroyer malware to disrupt ICS infrastructure at multiple levels but was thwarted from doing serious damage.

About the Author
Joan Goodchild is a veteran writer and editor with 20+ years of experience. She writes about information security and strategy and is the former editor in chief of CSO.

©2022 IDG Communications, Inc.