[MART] - Daily Diary #490 - Industroyer2 and Wipers used against Ukrainian energy facilities

CTAS-MAT ctas-mat at appgate.com
Wed Apr 13 00:09:37 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

04/12/2022 - Diary entry #490

In our Daily Diary #470 and #462, we covered three different Wipers - HermeticWiper, IsaacWiper and CaddyWiper - found being used against Ukrainian targets during the recent Ukraine-Russia conflict.

This week a cyberattack launched against Ukrainian energy facilities was disclosed, and more Wipers were involved.

It's believed that the Russia-linked APT Group "Sandworm" is behind the attack. The group used a variant of Industroyer (a.k.a. Crashoverride), a modular backdoor used in a previous attack on Ukraine's power grid in late 2016. At the time, the attack left a fifth of Kiev without power for one hour.

In this incident, the attackers targeted the high-voltage electrical substations, hitting Linux servers with script-based Wipers (Orcshred, Soloshred and Awfulshred), and the Windows-based systems with the Industroyer variant. After the attack attempt, CaddyWiper was used to erase the footprints.

Although they are fairly simple, this incident shows how Wipers can be weaponized. Besides being used to disrupt systems, they can also create a diversion, disrupt monitoring systems, and erase footprints.

Kind Regards,



Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
