
Sandworm hackers fail to take down Ukrainian energy provider
2022-04-12 12:03

The Russian state-sponsored hacking group known as Sandworm tried on Friday to take down a large Ukrainian energy provider by disconnecting its electrical substations with a new variant of the Industroyer malware for industrial control systems and a new version of the CaddyWiper data destruction malware.

The threat actor used a version of the Industroyer ICS malware customized for the target high-voltage electrical substations and then tried to erase the traces of the attack by executing CaddyWiper and other data-wiping malware families tracked as Orcshred, Soloshred, and Awfulshred for Linux and Solaris systems.

Researchers at cybersecurity company ESET, who collaborated with the Ukrainian Computer Emergency Response Team to remediate and protect the attacked network, say they do not know how the attacker initially compromised the environment or how they moved from the IT network into the ICS environment.

The ICS malware used in the attack is now tracked as Industroyer2, and ESET assesses "with high confidence" that it was built using the source code of Industroyer, the malware used in 2016 to cut the power in Ukraine and attributed to the state-sponsored Russian hacking group Sandworm.

Sandworm operators created a scheduled task at 15:02:22 UTC to launch the malware at 16:10 UTC and cut power in a Ukrainian region.
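The timing above, a task created roughly an hour before a one-shot start time, is the kind of pattern a defender can hunt for in scheduled-task creation logs. The following is an added example, not code from the article or from ESET, and it assumes the environment forwards Windows Security event 4698 ("A scheduled task was created") with the task's XML definition; the event records, host names, task names and file paths below are constructed to mirror the reported timing and are not real indicators.

```python
"""Flag one-shot scheduled tasks created shortly before their start time.

Added detection example (not from the article or ESET's report).
Assumption: the collector forwards Windows Security event 4698 together
with the task's XML definition, and host clocks are set to UTC.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (real schema URI used by Windows).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories from which scheduled binaries are expected to run on these
# hosts. Assumption for the example; tune per environment.
EXPECTED_PREFIXES = ("C:\\Windows\\", "C:\\Program Files\\")


def task_xml(start, command):
    """Build a minimal Task Scheduler definition with a single TimeTrigger."""
    return (
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Triggers><TimeTrigger><StartBoundary>{start}</StartBoundary>"
        "</TimeTrigger></Triggers>"
        f"<Actions><Exec><Command>{command}</Command></Exec></Actions></Task>"
    )


# Constructed event-4698 records: (creation time UTC, host, task name, XML).
# The first record mirrors the article's 15:02:22 -> 16:10 timing; the
# date, hosts, task names and paths are invented.
SAMPLE_EVENTS = [
    ("2022-04-08T15:02:22Z", "scada-ws01", "\\update",
     task_xml("2022-04-08T16:10:00", "C:\\Users\\Public\\stage.exe")),
    ("2022-04-08T03:00:05Z", "hmi-srv02",
     "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     task_xml("2022-04-15T03:00:00", "C:\\Windows\\System32\\defrag.exe")),
    ("2022-04-08T09:14:40Z", "eng-ws07", "\\BackupNightly",
     task_xml("2022-04-09T01:00:00", "C:\\Program Files\\Backup\\backup.exe")),
]


def parse_utc(ts):
    """Parse an ISO-8601 timestamp; a trailing 'Z' or no zone is read as UTC.
    StartBoundary normally carries no zone, so this relies on the assumption
    that the hosts' clocks are set to UTC."""
    return datetime.fromisoformat(ts.rstrip("Z")).replace(tzinfo=timezone.utc)


def describe_task(xml_text):
    """Extract start time, one-shot flag and command from a task definition."""
    root = ET.fromstring(xml_text)
    start = root.find(".//t:TimeTrigger/t:StartBoundary", TASK_NS)
    repeat = root.find(".//t:TimeTrigger/t:Repetition", TASK_NS)
    cmd = root.find(".//t:Exec/t:Command", TASK_NS)
    return {
        "start": parse_utc(start.text) if start is not None else None,
        # A TimeTrigger without a Repetition block fires exactly once.
        "one_shot": start is not None and repeat is None,
        "command": cmd.text if cmd is not None else "",
    }


def suspicious_tasks(events, max_lead=timedelta(hours=2)):
    """Return task creations whose one-shot start lies within max_lead after
    creation and whose command runs from outside EXPECTED_PREFIXES."""
    findings = []
    for created, host, name, xml_text in events:
        info = describe_task(xml_text)
        if not info["one_shot"] or info["start"] is None:
            continue
        lead = info["start"] - parse_utc(created)
        unexpected = not info["command"].startswith(EXPECTED_PREFIXES)
        if timedelta(0) <= lead <= max_lead and unexpected:
            findings.append({
                "host": host,
                "task": name,
                "command": info["command"],
                "lead_minutes": round(lead.total_seconds() / 60),
            })
    return findings


if __name__ == "__main__":
    for finding in suspicious_tasks(SAMPLE_EVENTS):
        print(finding)
```

Only the first constructed record is reported (a one-shot task starting about 68 minutes after creation, executing from a user-writable directory); the recurring defrag task and the longer-lead backup task are ignored. The lead-time window and path allowlist are the two knobs to tune against a site's normal task activity before alerting on the result.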

The new variant used last week against a Ukrainian energy provider is an evolution of the original malware used in the 2016 power outage attacks in Ukraine.


News URL

https://www.bleepingcomputer.com/news/security/sandworm-hackers-fail-to-take-down-ukrainian-energy-provider/