In light of Sandworm’s attempted attack on Ukraine’s power grid using a new version of Industroyer malware, “Industroyer2”, Nozomi Networks’ Threat Intelligence team created the following rapid update to help facilitate the safety and security of our customers.
The latest Nozomi Networks Threat Intelligence package provides Industroyer2 Indicators of Compromise (IoC) rules that detect and alert customers to any known activity linked to the malware. There have been reports of hardcoded IP addresses in the malware sample, which indicates that the threat actors had intimate knowledge of the environment in which they were deploying it. Nozomi Networks will provide additional information and coverage once the relevant samples are analyzed in depth.
Stay Protected and Resilient
Here are some ways companies can increase their protection right now:
- Basic cyber hygiene: reset passwords, check employee and vendor account/network access and permissions, scan the network for any open ports and close/secure them, etc.
- Use YARA rules to search for and generate alerts on associated malware activity
- Use anomaly detection tools to detect any changes or variations to malware, as well as any irregular activity occurring in OT environments
- Use an automated firewall in conjunction with an anomaly detection tool to stop further attack commands
- Threat hunt for suspicious activity in your network; this can potentially help to discover attackers early on
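As an added illustration of the IoC-matching and anomaly-detection recommendations above (this is example code written for this note, not Nozomi Networks' product or a rule from its Threat Intelligence package), the script below runs a constructed OT flow log through two checks: a match against a known-IoC list, and a "new conversation" check against a baseline of source/destination/port tuples learned during a clean period. All IP addresses, the IoC list, the baseline and the log lines are constructed placeholders from the TEST-NET documentation ranges; they are not real Industroyer2 indicators.

```python
"""Added example: IoC matching plus baseline anomaly detection over constructed
OT flow records. Not Nozomi Networks code; every address and log line below is
a constructed placeholder (TEST-NET ranges), not a real indicator."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed IoC list (placeholders standing in for indicators a TI feed would supply).
IOC_IPS = {"198.51.100.23", "203.0.113.7"}

# Constructed baseline of (src, dst, dst_port) conversations seen during a clean period.
BASELINE = {
    ("192.0.2.10", "192.0.2.50", 2404),  # HMI -> RTU (TCP 2404 is the IEC 60870-5-104 port)
    ("192.0.2.10", "192.0.2.51", 2404),
    ("192.0.2.20", "192.0.2.10", 443),   # engineering workstation -> HMI
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Alert:
    kind: str    # "ioc" or "anomaly"
    ts: str
    detail: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line of the form '<ts> <src> -> <dst>:<port>'."""
    ts, src, arrow, dst_port = line.split()
    if arrow != "->":
        raise ValueError(f"bad flow line: {line!r}")
    dst, port = dst_port.rsplit(":", 1)
    # Validate both addresses so a malformed record fails loudly instead of silently passing.
    ipaddress.ip_address(src)
    ipaddress.ip_address(dst)
    return Flow(ts, src, dst, int(port))


def ioc_alerts(flows: list[Flow]) -> list[Alert]:
    """Flag any flow whose source or destination is on the IoC list."""
    return [
        Alert("ioc", f.ts, f"{f.src} -> {f.dst}:{f.dport} matches known IoC")
        for f in flows
        if f.src in IOC_IPS or f.dst in IOC_IPS
    ]


def anomaly_alerts(flows: list[Flow], baseline=BASELINE) -> list[Alert]:
    """Flag the first occurrence of each conversation not present in the baseline."""
    seen: set[tuple[str, str, int]] = set()
    alerts: list[Alert] = []
    for f in flows:
        key = (f.src, f.dst, f.dport)
        if key not in baseline and key not in seen:
            seen.add(key)  # report a new conversation once, not on every packet
            alerts.append(Alert("anomaly", f.ts, f"new conversation {key}"))
    return alerts


def analyze(lines: list[str]) -> list[Alert]:
    """Run both checks over raw log lines; IoC hits are listed before anomalies."""
    flows = [parse_flow(line) for line in lines if line.strip()]
    return ioc_alerts(flows) + anomaly_alerts(flows)


# Constructed sample log: two baseline conversations, one IoC contact, one new
# workstation -> RTU conversation repeated twice.
SAMPLE_LOG = """\
2022-04-12T08:00:01Z 192.0.2.10 -> 192.0.2.50:2404
2022-04-12T08:00:02Z 192.0.2.10 -> 192.0.2.51:2404
2022-04-12T08:05:00Z 192.0.2.20 -> 198.51.100.23:443
2022-04-12T08:05:07Z 192.0.2.20 -> 192.0.2.50:2404
2022-04-12T08:05:08Z 192.0.2.20 -> 192.0.2.50:2404
""".splitlines()

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.kind}] {a.ts} {a.detail}")
```

On the constructed log this produces one IoC alert (the contact with 198.51.100.23) and two anomaly alerts (the IoC contact is also a conversation absent from the baseline, and the workstation talking directly to an RTU is reported once, not twice). The baseline check is what catches behaviour a changed malware sample would not trigger by hash or IP alone, which is the point of pairing IoC rules with anomaly detection.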
We also recommend adhering to CISA’s 2017 advisory if those security measures have not been implemented already.
Nozomi Networks will continue to monitor the situation and provide updates on what we are seeing, as well as recommendations the OT industry can use to protect their networks.