Recently the group Sandworm attempted to attack the Ukrainian electricity grid using a new version of the Industroyer malware, Industroyer2. Let’s find out the details together.
Ukraine targeted by Industroyer2
Ukraine has succeeded in foiling the latest attack on its electrical grid, permanently blocking the Sandworm group's enhanced malware, Industroyer2.
To avoid ending up in a similar situation, Nozomi Networks explains how to protect against comparable malware. The company's new Threat Intelligence package offers Industroyer2 IoC rules that will detect and alert customers to any known malware-related activity; the company will also provide further information once the relevant samples have been thoroughly analyzed.
In light of the attack attempt, Chris Grove, Director of Cybersecurity Strategy at Nozomi Networks, comments:
Anyone operating in the critical infrastructure sector should pay special attention to this attack, because it is among the few that directly hit OT systems. According to Nozomi Networks Labs, there were reports of some hard-coded IPs in the malware sample, indicating that the threat actors had a deep understanding of the environment. Just like in the case of the malware that Sandworm distributed in Ukraine in 2016, this time too ICS operators must monitor their networks to identify any unusual activity as Russian tactics involve staying in the environments for weeks or months before striking.
How to improve system security
- Basic cyber hygiene: reset passwords, review employee and vendor account and network access and permissions, scan the network for any open door and close it;
- Apply the YARA rules to identify and generate alerts on associated malware activity;
- Use anomaly detection tools to identify any changes or variations to the malware, as well as any illegitimate activity occurring in OT environments;
- Make use of an automatic firewall along with an anomaly detection tool to stop further attack commands;
- Hunt for suspicious activity on the network to detect attackers as early as possible.
The company also recommends, among other things, following the 2017 CISA advisory in case these security measures have not already been implemented. Nozomi Networks will continue to monitor the situation and provide updates about what is happening.