According to the findings of Eset and the US company Mandiant, the actual malware is based on the one that was used in 2016 and named Industroyer. That was “the first malware specifically designed to attack the power supply,” says Lipovsky.
Attacks on the power supply are highly complex
Eset calls the further development that was used this year Industroyer2. And although many details of the attack in April are still unclear, Industroyer2 and the previous version show how complex it is to physically damage industrial control systems, such as those of energy suppliers, with malicious code alone.
So should the attack in
But the attack was to become even more insidious: the attackers then wanted to manipulate a Siemens relay installed by the electricity supplier, which is actually used to trigger a protective fuse in the event of faults. To do this, they wanted to use a prepared file to put the relay into an update mode in which it would get stuck. When the operator tried to restore power manually because of the hacking attack, the system would be damaged, because the fuse manipulated by the hackers would not kick in.
Eset doesn’t know whether Industroyer2 was meant to attempt the same. “We haven’t seen any evidence of this,” Lipovsky said in an interview with SPIEGEL. What is clear, however, is that additional malicious programs, so-called wipers, were this time intended to cover the perpetrators’ tracks in the network by overwriting log files and making drives unusable, among other things. Such wipers have been a recurring hacking weapon in various attacks on Ukrainian targets in recent months.
The alleged group behind the attack: Sandworm
The attack required in-depth knowledge of the plant and the industrial control systems (ICS) used there. The perpetrators needed correspondingly large resources and specialist staff. Lipovsky finds the effort the perpetrators made to familiarize themselves with the intricacies of the underlying software protocols downright “disturbing”, because such details can’t simply be googled.
If someone has this special knowledge, the defenders have a fundamental problem: ICS like those in the Ukrainian substation and the associated protocols “were developed decades ago without paying attention to safety”, says Lipovsky. Accordingly, Sandworm did not have to exploit any previously unknown vulnerabilities in the system. On the contrary, Industroyer2, as the Eset researcher puts it, “uses a protocol exactly as it was intended”.
What ultimately thwarted the attack was the quick reaction of the defenders, which included the Ukrainian Computer Emergency Response Team (CERT) as well as the companies Microsoft, Cisco Talos and Eset. A mistake in the hackers’ thinking also helped in the defense, as Zhora explains.
The attack was supposed to start on Friday at 17.50, “assuming most of the employees are still there and their computers are on”. But because most people finish work at four or five o’clock on Fridays, many computers were switched off and were therefore not even paralyzed by the wipers. The defenders were thus left with more functioning hardware than the perpetrators might have wished for. Someone who has set out to sabotage an electricity supplier not only needs special technical knowledge, but also insight into duty rosters.