The Russia-based Sandworm APT group has been observed interrupting electricity supplies in Ukraine by targeting electric transformers. The group is using an updated version of Industroyer, along with several new worms and wipers targeting Windows, Linux, and Solaris OS.

What's happening?

  • ESET researchers, in collaboration with CERT-UA, have spotted an updated Industroyer variant, dubbed Industroyer2.
  • Besides, the Sandworm group also uses other malware families such as CaddyWiper, AwfulShred, OrcShred, and SoloShred in the attack campaign.
  • At present, it's not known how attackers compromise the targeted systems and moved from the IT network to the ICS network of high-voltage electrical substations in Ukraine.

Industroyer2, the new variant

Industroyer-2 is deployed as a single Windows executable and executed using a scheduled task on April 8. It was compiled on March 23, suggesting the attack was planned for more than two weeks.
  • Industroyer2 implements only the IEC-104 protocol for communicating with industrial equipment. It shares a number of code similarities with the payload 104[.]dll of Industroyer.
  • Additionally, Industroyer2 is highly configurable and has a detailed configuration hardcoded in its body, and attackers are required to recompile the malware for every new victim.

Additional info

Attackers deploy a new version of CaddyWiper, which includes a new loader named ArguePatch. The loader is a patched version of a genuine component of Hex-Rays IDA Pro software.


There’s a new story on the Ukraine-Russia cyberwar every day. With the introduction of new threats, such as modified Industroyer, Ukrainian organizations could be at greater threat. Concerned organizations are suggested to follow the recommendation provided by CERT-UA to stay protected.
Cyware Publisher