Russia targets Ukrainian power grid
The Ukrainian Computer Emergency Response Team (CERT-UA) and the cybersecurity firm ESET revealed that the Russian-linked Sandworm group targeted high-voltage electrical substations in Ukraine with malware. The attackers deployed a new variant of the Industroyer malware, dubbed Industroyer2, which speaks directly to the industrial control systems that manage the flow of power: unlike the original, which carried modules for several grid protocols, Industroyer2 implements only the IEC 60870-5-104 protocol used to send commands to substation equipment. The operation echoes Sandworm's 2015 and 2016 attacks on Ukraine's grid; the December 2016 attack, which used the original Industroyer, caused a blackout in Kyiv. Ukrainian authorities said the power grid was not damaged in this case, although there were some reports of damage to electrical substations. There is evidence that the hackers may have gained access to the target systems as early as February and then lay in wait until the planned attack date of April 8. The attackers also deployed several strains of wiper malware to other systems, including CaddyWiper, which had recently been found inside the systems of Ukrainian banks.
India claims it foiled Chinese cyberattack
Cybersecurity analysts uncovered an ongoing Chinese campaign targeting components of the Indian power grid. A likely state-sponsored actor used the ShadowPad backdoor to gain access to the networks of Indian State Load Despatch Centers, which carry out real-time grid control and electricity dispatch operations. The targeted centers were mostly located in northern India, near the disputed Ladakh border. The Chinese threat actor RedEcho has targeted Indian power sector organizations in the past, but it is unclear whether the same group is behind the most recent campaign. One day after details of the campaign were published, India claimed that it had foiled at least two of the attacks. Chinese foreign ministry spokesman Zhao Lijian denied that the Chinese government was behind the attacks.
EU officials targeted with Israeli spyware
NSO Group tools were allegedly used to target at least five senior officials and staffers at the European Commission between February and September 2021. The officials learned of the targeting when Apple warned iPhone users in November 2021 that they may have been the victims of state-sponsored attacks. The officials' devices were targeted with ForcedEntry, a zero-click iMessage exploit that has been tied to Israeli spyware vendors including NSO Group and QuaDream, although NSO Group denied any involvement in the incident. It remains unclear who was behind the campaign. The disclosure came a week before the European Parliament's April 19 launch of a committee of inquiry tasked with investigating the use of surveillance software in member states.
Hackers use Conti ransomware code to attack targets in Russia
A hacking group known as NB65 has begun using leaked Conti ransomware source code to launch ransomware attacks against Russian companies. The Conti source code was leaked in March by a security researcher angered by the group's declared support for the Russian government after the invasion of Ukraine. NB65 had previously attacked several prominent Russian targets, including state television and radio broadcasters, but the shift to Conti-derived ransomware is a new development. NB65 says its attacks are motivated by Russian aggression in Ukraine and claims that any ransom paid will be donated to aid organizations in Ukraine. Russia has not traditionally been a ransomware target, but the war in Ukraine has apparently changed the calculus for some groups.
New industrial control system malware detected in United States
The Cybersecurity and Infrastructure Security Agency (CISA), together with partner agencies, warned that an advanced persistent threat (APT) actor had developed a new malware toolkit targeting industrial control systems; the toolkit is tracked as PIPEDREAM by Dragos and INCONTROLLER by Mandiant. The tools can scan for, interact with and disrupt programmable logic controllers and other devices in industrial processes, which could be used to cause physical damage, including at liquefied natural gas facilities, which officials believe were among the intended targets. Hackers have manipulated industrial control systems to cause physical damage before, most famously with the Stuxnet malware that targeted the Natanz uranium enrichment facility in Iran. The Biden administration has issued several warnings about the potential for destructive Russian cyberattacks against U.S. critical infrastructure since the Russian invasion of Ukraine.