Industroyer2 Targets Ukraine’s Electric Grid: How Companies Can Stay Protected and Resilient


In light of Sandworm’s attempted attack on Ukraine’s power grid using a new version of Industroyer malware, “Industroyer2”, Nozomi Networks’ Threat Intelligence team created the following rapid update to help facilitate the safety and security of our customers.

The latest Nozomi Networks Threat Intelligence package provides Industroyer2 Indicator of Compromise (IoC) rules that detect and alert customers to any known activity linked to the malware. There have been reports of hardcoded IP addresses in the malware sample, which indicates that the threat actors had intimate knowledge of the environment in which they were deploying. Nozomi Networks will provide additional information and coverage once the relevant samples have been analyzed in depth.
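As an added example (not part of Nozomi Networks' advisory or its Threat Intelligence package), the following Python script shows how a defender could act on the "hardcoded IP addresses" observation above during triage: it extracts IPv4 literals embedded in a sample, stored either as ASCII or as UTF-16LE strings, and cross-checks them against an OT asset inventory so that any internal host the sample references can be isolated and investigated first. The sample blob and the inventory are constructed placeholders, not Industroyer2 data.

```python
import ipaddress
import re

# Dotted-quad candidates stored as ASCII. The lookarounds stop partial matches
# inside longer digit/dot runs such as version strings ("2.1.0.4521").
ASCII_IPV4 = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Same shape stored as UTF-16LE (each character followed by a NUL byte), which is
# how many Windows binaries embed string literals. Lookarounds are two bytes wide.
UTF16_IPV4 = re.compile(
    rb"(?<![\d.]\x00)(?:[0-9]\x00){1,3}(?:\.\x00(?:[0-9]\x00){1,3}){3}(?![\d.]\x00)"
)


def extract_ipv4_literals(blob: bytes) -> set[str]:
    """Return every syntactically valid IPv4 literal embedded in the blob."""
    candidates = {m.group(1).decode("ascii") for m in ASCII_IPV4.finditer(blob)}
    candidates |= {m.group(0).decode("utf-16-le") for m in UTF16_IPV4.finditer(blob)}
    valid = set()
    for cand in candidates:
        try:
            valid.add(str(ipaddress.IPv4Address(cand)))
        except ipaddress.AddressValueError:
            pass  # e.g. "256.1.1.1": looks like an address but is not one
    return valid


def triage_hardcoded_ips(blob: bytes, inventory: dict[str, str]) -> dict:
    """Split embedded addresses into inventoried OT assets, unknown private
    addresses (possible internal targets) and unknown public addresses."""
    ips = extract_ipv4_literals(blob)
    return {
        "inventoried": {ip: inventory[ip] for ip in sorted(ips) if ip in inventory},
        "unknown_private": sorted(
            ip for ip in ips if ip not in inventory and ipaddress.IPv4Address(ip).is_private
        ),
        "unknown_public": sorted(
            ip for ip in ips if ip not in inventory and not ipaddress.IPv4Address(ip).is_private
        ),
    }


# Constructed sample bytes standing in for a suspicious binary (not real malware).
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00"                                # fake header bytes
    + b"\x0010.82.40.105\x00\x00"                        # ASCII literal, inventoried RTU
    + "10.82.40.17".encode("utf-16-le") + b"\x00\x00"    # UTF-16LE literal, not inventoried
    + b"\x00256.1.1.1\x00"                               # invalid octet, must be discarded
    + b"\x00build 2.1.0.4521\x00"                        # version-like run, not an address
)

# Constructed asset inventory for the example; real deployments would load this
# from the OT asset database.
OT_INVENTORY = {
    "10.82.40.105": "RTU-A (substation protection relay gateway)",
    "10.82.40.1": "OT firewall inside interface",
}

if __name__ == "__main__":
    for bucket, entries in triage_hardcoded_ips(SAMPLE_BLOB, OT_INVENTORY).items():
        print(f"{bucket}: {entries}")
```

An address that resolves to an inventoried asset is the strongest signal that the sample was built for this specific environment, which is exactly the point the advisory draws from the hardcoded IPs; unknown private addresses are worth checking against DHCP leases and recent network changes, while unknown public addresses are candidates for outbound-connection hunting in firewall and proxy logs.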

Sandworm’s attack on Ukraine’s power grid using Industroyer2 is a reminder for ICS owners and operators to stay vigilant.

Stay Protected and Resilient

Here are some ways companies can increase their protection right now:

  • Basic cyber hygiene: reset passwords, check employee and vendor account/network access and permissions, scan the network for any open ports and close/secure them, etc.
  • Utilize YARA rules to search for and generate alerts on associated malware activity
  • Use anomaly detection tools to detect any changes or variations to malware, as well as any irregular activity occurring in OT environments
  • Use an automated firewall in conjunction with an anomaly detection tool to stop further attack commands
  • Threat hunt for suspicious activity in your network; this can potentially help to discover attackers early on

We also recommend adhering to CISA’s 2017 advisory if those security measures have not been implemented already.

Nozomi Networks will continue to monitor the situation and provide updates on what we are seeing, as well as recommendations the OT industry can use to protect their networks.
