Reviewing The Kiev Power Grid Outage And Notpetya Attack: Is Industroyer Responsible?
In the cyber world, coincidences are a rare occurrence. Most times, one event is connected to another, even if the link isn’t obvious at the time.
In December 2015, Ukraine’s power grid was taken out by a seemingly isolated attack orchestrated by the Telebots group, which used the BlackEnergy malware toolkit. The malware caused the second blackout in two years that threw parts of Ukraine’s capital into darkness.
Shortly afterwards, in 2017, another attack, the NotPetya ransomware, hit thousands of computers across the globe, destroying data across the board and causing millions of dollars in financial losses.
The worst part of this ransomware attack was that some of the victims who paid the ransom demanded still lost their data, as their hard disks were wiped clean, unlike the WannaCry ransomware, which would decrypt the data after the ransom was paid.
The interesting connection between the two attacks? It’s the Industroyer backdoor threat. While cyber security agencies and companies have long suspected a connection between the two events, computer security company ESET has now uncovered it.
What Is Industroyer
Industroyer is malware that has been targeting Ukrainian infrastructure as well as other industries. Deployed by the Telebots group, it partially succeeded in taking down the Ukrainian capital’s power grid. According to ESET researchers:
“As can be seen from the first line of the configuration, the attackers are grouping their targets based on the security solutions in use. Similar behavior can be found in the Industroyer toolset – specifically some of the Industroyer backdoors were also disguised as an AV-related service (deployed under the name avtask.exe) and used the same grouping.”
While there has been some doubt about the existence of the group behind the attacks, a recent attempt to deploy a new backdoor in 2018 was detected by ESET, which had been tracking the group’s activities since the NotPetya attack.
Now that all doubts about TeleBots’ existence have been cleared, the discovery has shed some light on the state of the ransomware distribution industry.
While there are currently only a handful of operators, the industry looks poised to grow rapidly, which could lead to an increased spate of ransomware attacks across multiple industries.
This is alarming because no one knows where the next attacks will come from or who the perpetrators will be. That makes the landscape unpredictable and risky for organizations that don’t know how to protect themselves and prevent attacks.
In fact, some schools of thought hold that crippling Kiev’s power grid, followed by the ransomware attack, was just a test exercise in preparation for even bigger attacks on a global scale.
While the TeleBots attacks were largely possible as a result of a vulnerability in M.E.Doc, a piece of financial software, these attackers and their colleagues may be looking for further flaws in software used by government agencies and large financial institutions that they can exploit for even more powerful and far-reaching attacks in the near future.
With the discovery of the new attempt by TeleBots to deploy a backdoor through another piece of software, it is becoming increasingly clear that these groups are upping their game and improving on their previous attacks.
Companies and organizations need to pay attention to their security as well as their software vulnerabilities. These hacking groups may be poised to launch a major attack in the coming months and years.
Companies and organizations without protective measures are most likely going to be major victims if they aren’t careful about these possible risks.