Fuxnet ICS Malware Deployed by Ukrainian Security Services Against Russia

Claroty, a cybersecurity company specializing in industrial and enterprise IoT, has analyzed Fuxnet, a type of malware utilized by Ukrainian hackers in an attack on a Russian infrastructure company. This attack, attributed to a hacker group called Blackjack linked to Ukraine’s security services, targeted various Russian organizations, including ISPs, utilities, data centers, and the military, causing considerable damage and stealing sensitive data.

Blackjack disclosed an alleged attack on Moscollector, a Moscow-based company managing underground infrastructure like water and communication systems. They claimed to have disabled Russia’s industrial monitoring infrastructure, including the Network Operation Center (NOC) responsible for overseeing gas, water, and fire alarm systems, among others.

The hackers asserted that they wiped databases and servers and disabled thousands of sensors, including those in airports and gas pipelines, using a malware called Fuxnet, described as a potent version of Stuxnet.

Malware Used Against Sensor Arrays

Claroty, although unable to verify the hackers’ claims, analyzed the Fuxnet malware based on information provided by Blackjack. They noted that the physical sensors themselves were likely unaffected but that the malware targeted approximately 500 sensor gateways, crucial for transmitting data to Moscollector's monitoring system. Repairing these gateways, scattered across Moscow and its suburbs, could be challenging, involving either replacement or individual firmware updates.

Claroty’s analysis revealed that Fuxnet was likely deployed remotely, causing extensive damage by deleting files, shutting down remote access services, and disrupting communication with other devices. The malware also attempted to physically destroy memory chips and overload sensors by flooding serial channels with random data.

April 16, 2024