Cyber Incident Victim: Ukrenergo
Date: Apr 2022
Location: Ukraine
Summary
A Russian state-sponsored hacking group known as Sandworm attempted to disrupt a Ukrainian energy provider by deploying customized Industroyer2 malware targeting high-voltage electrical substations, alongside data-wiping tools including CaddyWiper on Windows systems and OrcShred, Soloshred, and AwfulShred on Linux and Solaris servers. The attack aimed to decommission critical infrastructure elements and erase forensic evidence, leveraging additional utilities like PowerGap PowerShell scripts and Impacket for lateral movement. Despite the malware's high configurability and weeks of preparation, the intrusion ultimately failed to achieve its operational objective of causing a widespread outage.
Description
On April 8, 2022, the Russian state-sponsored hacking group Sandworm attempted to disrupt operations at a major Ukrainian energy provider, later identified as Ukrenergo, by deploying a multi-stage attack targeting both IT and industrial control systems. The attackers used a new variant of the Industroyer malware, dubbed Industroyer2, specifically tailored to manipulate high-voltage electrical substations. This malware was compiled on March 23, 2022, indicating weeks of preparation. Simultaneously, the threat actor deployed CaddyWiper, a data destruction tool targeting Windows systems, alongside Linux- and Solaris-compatible wipers tracked as OrcShred, Soloshred, and AwfulShred. These wipers were executed at 16:20 UTC to erase forensic evidence. Additional tools included PowerGap PowerShell scripts and the Impacket framework for remote command execution. Sandworm’s objective, as noted by Ukraine’s CERT-UA, was the “decommissioning of several infrastructural elements” through coordinated substation disconnections. Researchers from ESET and CERT-UA confirmed that the malware’s configuration targeted specific substations with unique operational parameters, though the initial compromise vector and the lateral movement path from the IT network to the ICS network remained undetermined.

The attack failed to achieve its intended disruption, with Ukrenergo maintaining operational continuity. Industroyer2’s design allowed direct control over industrial equipment, reflecting an evolution of the original 2016 Industroyer malware used in prior Ukrainian grid attacks. Sandworm’s use of Impacket suggested reliance on legitimate tools for stealth, while the multi-platform wipers indicated thorough evidence suppression across Windows, Linux, and Solaris environments. ESET’s analysis highlighted the malware’s high configurability but did not identify the delivery mechanism or persistence methods. No collateral damage or secondary impacts were reported. The incident underscored Sandworm’s continued focus on Ukrainian critical infrastructure, aligning with its historical tactics, including the 2015 and 2016 grid attacks and the 2022 Viasat KA-SAT compromise. CERT-UA and ESET’s collaboration enabled rapid malware analysis and attribution but did not disclose defensive measures taken by the energy provider. Sandworm’s affiliation with Russia’s GRU military intelligence agency was referenced in relation to prior campaigns against French IT providers using Centreon software exploits.
