Google's Mandiant has revealed that the notorious Russian hacking group known as Sandworm targeted an electrical substation in Ukraine in October 2022, resulting in a brief power outage. Described as a "multi-event cyber attack," the intrusion involved a novel technique impacting industrial control systems (ICS). Sandworm is infamous for its continuous efforts to compromise Ukraine's power grid since 2015, utilizing malware such as Industroyer.
Details of the Attack:
Sandworm leveraged OT-level living-off-the-land (LotL) techniques to trip the victim's substation circuit breakers, causing an unplanned power outage coinciding with mass missile strikes on critical infrastructure in Ukraine.
A second disruptive event occurred as Sandworm deployed a new variant of CaddyWiper in the victim's IT environment, disrupting operations and potentially removing forensic artifacts.
The initial intrusion vector of the cyber-physical attack remains unclear, but the use of LotL techniques reduced the time and resources Sandworm needed to carry it out.
Access to the operational technology (OT) environment was gained around June 2022 through a hypervisor hosting a supervisory control and data acquisition (SCADA) management instance for the victim's substation environment.
Power Outage and Coordinated Missile Strikes:
On October 10, 2022, an optical disc (ISO) image file was employed to launch malware capable of switching off substations, leading to an unscheduled power outage.
Two days after the OT event, Sandworm deployed a new CaddyWiper variant in the victim's IT environment to cause further disruption and potentially erase forensic artifacts.
The attack coincided with a multi-day set of coordinated missile strikes on critical infrastructure across various Ukrainian cities, including the city where the victim was situated.
Global Threat Implications:
Sandworm's global threat activity, combined with the widespread deployment of MicroSCADA supervisory control systems, poses an immediate threat to critical infrastructure environments beyond Ukraine.
Asset owners worldwide are advised to take action to mitigate Sandworm's tactics, techniques, and procedures against both IT and OT systems.
Conclusion:
The cyber attack by Sandworm on a Ukrainian electrical substation highlights the ongoing and evolving threats to critical infrastructure. The use of novel techniques and the coordinated nature of cyber-physical attacks underscore the need for global vigilance and robust cybersecurity measures to safeguard against such sophisticated threats.
