ESET researchers, in collaboration with CERT-UA, analysed a security incident affecting an energy provider in Ukraine. They found that the malware is a new, adapted variant of INDUSTROYER, which they named INDUSTROYER2, attributed to the APT group Sandworm, and that it was tailored to a single target and use case.
In addition to INDUSTROYER2, Sandworm used several other malware families: CaddyWiper (a wiper deployed to slow down the recovery process, prevent the energy company's operators from regaining control, and erase any trace of INDUSTROYER2), ORCSHRED, SOLOSHRED and AWFULSHRED (the latter three targeting Linux and Solaris machines). This new version of INDUSTROYER2 was compiled two weeks before it was used, drops the earlier functionality and focuses only on the IEC-104 industrial protocol.