BIPI

Sandworm Industroyer2: Wipers Dressed as Ransomware

Threat Intelligence

Sandworm's Industroyer2 attack on Ukraine's energy grid in 2022 combined ICS-specific destructive malware with Prestige ransomware deployed as cover, masking a state-directed grid disruption as a criminal incident.

By Arjun Raghavan, Security & Systems Lead, BIPI · September 23, 2024 · 11 min read

#sandworm #seashell-blizzard #industroyer2 #ics #ukraine #gru

Sandworm, attributed to Russia's GRU Unit 74455 and tracked by Microsoft as Seashell Blizzard, is the only confirmed threat actor to have successfully caused physical outages to civilian power infrastructure: twice in Ukraine (2015 and 2016) and again in 2022 with Industroyer2. The April 2022 campaign attempted to take down a high-voltage substation serving two million people in Ukraine, combining ICS-targeting malware with commodity wiper tools and Prestige ransomware deployed to obscure the operation's true nature.

Industroyer2: ICS Protocol as Weapon

Industroyer2 is a direct evolution of the 2016 Industroyer malware but is architecturally simpler and more targeted. Rather than supporting multiple ICS protocols, Industroyer2 implements only IEC 104 (IEC 60870-5-104), the protocol used to communicate between control systems and remote terminal units (RTUs) in the Ukrainian energy sector. The malware was hardcoded with the IP addresses and port configurations of the specific substation targeted in the April 2022 attack, indicating significant pre-operation reconnaissance.

  • Industroyer2 sends crafted IEC 104 ASDU (Application Service Data Unit) commands to force RTUs into unresponsive states, preventing operators from issuing manual overrides
  • The malware was compiled just two weeks before deployment, suggesting rapid weaponization against a confirmed target set
  • A scheduled task triggered Industroyer2 at 04:58 local time, timed to maximize the impact on morning peak load startup
  • CaddyWiper was simultaneously deployed across IT network hosts at the same utility to destroy forensic evidence and impede recovery

Prestige Ransomware as Operational Cover

The Prestige ransomware, first identified by Microsoft in October 2022, was deployed against Polish and Ukrainian logistics and transportation companies in parallel with Sandworm's infrastructure attacks. Unlike typical ransomware operations, Prestige showed no evidence of a ransom negotiation infrastructure: there were no payment portals, no TOX chat addresses, and no functioning decryption keys provided even to victims who attempted payment. Prestige functioned as a wiper with a ransom-note aesthetic.

Deploying ransomware branding alongside destructive attacks serves multiple GRU objectives: it creates attribution ambiguity, forces defenders to treat a state-directed operation as a criminal incident, and consumes incident response resources on decryption analysis rather than ICS recovery.

The Full Attack Chain

  1. Initial access via compromised VPN credentials for a third-party contractor with access to the utility's IT network
  2. Lateral movement across IT network using living-off-the-land techniques: net use, PsExec, and scheduled tasks via Group Policy
  3. IT/OT boundary crossing through a Historian server that bridged the corporate and operational technology networks
  4. Industroyer2 deployment via a scheduled task on the SCADA engineering workstation with hardcoded substation targets
  5. Simultaneous CaddyWiper deployment across IT hosts to destroy logs, backups, and forensic artifacts
  6. Prestige ransomware deployed to logistics partners in the same campaign window to create noise and attribution confusion

MITRE ATT&CK for ICS Mapping

  • T0855: Unauthorized Command Message via IEC 104 ASDU commands to RTUs
  • T0816: Device Restart/Shutdown forcing RTUs offline via crafted IEC 104 stop transmission commands
  • T0840: Network Connection Enumeration during IT/OT pivot phase
  • T0831: Manipulation of Control via hardcoded substation IP targeting
  • T0809: Data Destruction using CaddyWiper on IT network hosts post-attack
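As an added defender-side example (not code from this post, from BIPI, or from Sandworm's tooling), the parser below classifies IEC 104 APDUs captured from a SCADA network tap and flags the two frame kinds the post ties to T0855 and T0816: control-direction ASDU commands and STOPDT (stop data transfer) activation. The frames in SAMPLE_FRAMES are constructed for the example; the control-octet values and command type-ID ranges are taken from IEC 60870-5-104 as the author of this example understands it, not from the post.

```python
# Added example for this post (not Sandworm/Industroyer2 code): a minimal IEC
# 60870-5-104 APDU classifier flagging STOPDT activation and control-direction
# ASDUs. SAMPLE_FRAMES are constructed for the example, not captured traffic.
from dataclasses import dataclass
from typing import List, Optional
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}
# Type IDs 45-51 and 58-64 are control-direction process commands (45 = C_SC_NA_1).
COMMAND_TYPES = set(range(45, 52)) | set(range(58, 65))
@dataclass
class Apdu:
    fmt: str                           # "I", "S" or "U"
    function: Optional[str] = None     # U-frame function name
    type_id: Optional[int] = None      # ASDU type identification (I-frames)
    cot: Optional[int] = None          # cause of transmission, low 6 bits
    common_addr: Optional[int] = None  # common address of ASDU (station)
    ioa: Optional[int] = None          # first information object address
    def is_suspicious(self) -> bool:
        return self.function == "STOPDT act" or self.type_id in COMMAND_TYPES

def parse_apdu(data: bytes) -> Apdu:
    # APDU = start 0x68, length octet, four control octets, optional ASDU.
    if len(data) < 6 or data[0] != 0x68 or len(data) != data[1] + 2:
        raise ValueError("malformed IEC 104 APDU")
    ctrl1 = data[2]
    if ctrl1 & 0x03 == 0x03:                      # U-format (unnumbered control)
        return Apdu("U", function=U_FUNCTIONS.get(ctrl1, "unknown"))
    if ctrl1 & 0x03 == 0x01:                      # S-format (supervisory ack)
        return Apdu("S")
    asdu = data[6:]                               # I-format carries an ASDU
    if len(asdu) < 9:                             # header + one object address
        raise ValueError("ASDU truncated")
    return Apdu("I", type_id=asdu[0], cot=asdu[2] & 0x3F,
                common_addr=int.from_bytes(asdu[4:6], "little"),
                ioa=int.from_bytes(asdu[6:9], "little"))

def flag_frames(frames: List[bytes]) -> List[str]:
    # One alert per frame to reconcile against authorised operator actions.
    alerts = []
    for a in map(parse_apdu, frames):
        if a.is_suspicious():
            detail = a.function or f"type {a.type_id} COT {a.cot} CA {a.common_addr} IOA {a.ioa}"
            alerts.append(f"{a.fmt}-frame: {detail}")
    return alerts

SAMPLE_FRAMES = [                                               # constructed, little-endian
    bytes.fromhex("680407000000"), bytes.fromhex("680413000000"),  # STARTDT act, STOPDT act
    bytes.fromhex("680e0000000001010300010001000001"),          # M_SP_NA_1, COT 3: benign
    bytes.fromhex("680e020002002e010600010010270001"),          # C_DC_NA_1, COT 6, IOA 10000
]
```

In a real deployment the alert list would be correlated with the HMI's command log, since a double command that no operator issued is the signal worth paging on.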

Lessons for Critical Infrastructure Defenders


Sandworm's April 2022 campaign demonstrates that ICS attacks are not theoretical: they are operational GRU doctrine. The ransomware cover-story tactic is likely to be repeated in future state-directed attacks against Western infrastructure, making the ability to rapidly distinguish criminal ransomware from state-directed destruction a critical incident response competency.
