{
	"id": "f3a127a6-8b1b-49b3-b2ce-3fe5d371f1de",
	"created_at": "2026-04-06T00:19:19.698352Z",
	"updated_at": "2026-04-10T03:27:56.011897Z",
	"deleted_at": null,
	"sha1_hash": "f0373af8fd6e44cf6b61a15a2f6aa2fa185de97b",
	"title": "Destructive ICS Malware ‘Fuxnet’ Used by Ukraine Against Russian Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 98176,
	"plain_text": "Destructive ICS Malware ‘Fuxnet’ Used by Ukraine Against\r\nRussian Infrastructure\r\nBy Eduard Kovacs\r\nPublished: 2024-04-15 · Archived: 2026-04-05 16:07:46 UTC\r\nIndustrial and enterprise IoT cybersecurity firm Claroty has conducted an analysis of Fuxnet, a piece of\r\nindustrial control system (ICS) malware used recently by Ukrainian hackers in an attack aimed at a\r\nRussian underground infrastructure company.\r\nIn recent months, a hacker group named Blackjack, which is believed to be affiliated with Ukraine’s security\r\nservices, has claimed to have launched attacks against several key Russian organizations. The hackers targeted\r\nISPs, utilities, data centers and Russia’s military, and allegedly caused significant damage and exfiltrated sensitive\r\ninformation. \r\nLast week, Blackjack disclosed the details of an alleged attack aimed at Moscollector, a Moscow-based company\r\nresponsible for underground infrastructure, including water, sewage and communication systems.\r\n“Russia’s industrial sensor and monitoring infrastructure has been disabled,” the hackers claimed. “It includes\r\nRussia’s Network Operation Center (NOC) [that] monitors and controls gas, water, fire alarm and many others,\r\nincluding a vast network of remote sensors and IoT controllers.”\r\nThe hackers claimed to have wiped database, email, internal monitoring and data storage servers. \r\nIn addition, they claimed to have disabled 87,000 sensors, including ones associated with airports, subway\r\nsystems and gas pipelines. To achieve this, they claimed to have used Fuxnet, a malware they described as\r\n“Stuxnet on steroids”, which enabled them to physically destroy sensor equipment.\r\nAdvertisement. 
Scroll to continue reading.\r\nhttps://www.securityweek.com/destructive-ics-malware-fuxnet-used-by-ukraine-against-russian-infrastructure/\r\nPage 1 of 2\n\n“Fuxnet has now started to flood the RS485/MBus and is sending ‘random’ commands to 87,000 embedded\r\ncontrol and sensory systems (carefully excluding hospitals, airports, and other civilian targets),” the hackers said.\r\nThe hackers’ claims are difficult to verify, but Claroty was able to conduct an analysis of the Fuxnet malware\r\nbased on information and code made available by Blackjack.\r\nThe cybersecurity firm pointed out that the actual sensors deployed by Moscollector, which are used to collect\r\nphysical data such as temperature, were likely not damaged by Fuxnet. Instead, the malware likely targeted\r\nroughly 500 sensor gateways, which communicate with the sensors over a serial bus such as the RS485/Meter-Bus\r\nthat was mentioned by Blackjack. These gateways are also connected to the internet to be able to transmit data to\r\nthe company’s global monitoring system. \r\n“If the gateways were indeed damaged, the repairs could be extensive given that these devices are spread out\r\ngeographically across Moscow and its suburbs, and must be either replaced or their firmware must be individually\r\nreflashed,” Claroty noted.\r\nClaroty’s analysis of Fuxnet showed that the malware was likely deployed remotely. Once on a device, it would\r\nstart deleting important files and directories, shutting down remote access services to prevent remote restoration,\r\nand deleting routing table information to prevent communication with other devices. Fuxnet would then delete the\r\nfile system and rewrite the device’s flash memory.  \r\nOnce it has corrupted the file system and blocked access to the device, the malware attempts to physically destroy\r\nthe NAND memory chip and then rewrites the UBI volume to prevent rebooting. 
\r\nIn addition, the malware attempts to disrupt the sensors connected to the gateway by flooding the serial channels\r\nwith random data in an effort to overload the serial bus and the sensors. \r\n“During the malware operation, it will repeatedly write arbitrary data over the Meter-Bus channel. This will\r\nprevent the sensors and the sensor gateway from sending and receiving data, rendering the sensor data acquisition\r\nuseless,” Claroty explained. “Therefore, despite the attackers’ claim of compromising 87,000 devices, it seems\r\nthat they actually managed to infect the sensor gateways only and were trying to cause further disruption by\r\nflooding the Meter-Bus channel connecting the different sensors to the gateway, similar to network fuzzing the\r\ndifferent connected sensor equipment. As a result, it appears only the sensor gateways were bricked, and not the\r\nend-sensors.”\r\nRelated: Omron Patches PLC, Engineering Software Flaws Discovered During ICS Malware Analysis\r\nRelated: CosmicEnergy ICS Malware Poses No Immediate Threat, but Should Not Be Ignored\r\nSource: https://www.securityweek.com/destructive-ics-malware-fuxnet-used-by-ukraine-against-russian-infrastructure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.securityweek.com/destructive-ics-malware-fuxnet-used-by-ukraine-against-russian-infrastructure/"
	],
	"report_names": [
		"destructive-ics-malware-fuxnet-used-by-ukraine-against-russian-infrastructure"
	],
	"threat_actors": [
		{
			"id": "1a9c4f3f-2178-4c83-a9b5-d2135d90520a",
			"created_at": "2024-04-19T02:00:03.623733Z",
			"updated_at": "2026-04-10T02:00:03.615238Z",
			"deleted_at": null,
			"main_name": "BlackJack",
			"aliases": [],
			"source_name": "MISPGALAXY:BlackJack",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434759,
	"ts_updated_at": 1775791676,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0373af8fd6e44cf6b61a15a2f6aa2fa185de97b.pdf",
		"text": "https://archive.orkl.eu/f0373af8fd6e44cf6b61a15a2f6aa2fa185de97b.txt",
		"img": "https://archive.orkl.eu/f0373af8fd6e44cf6b61a15a2f6aa2fa185de97b.jpg"
	}
}