Sandworm hackers incapacitated Ukrainian power grid amid missile strike

Russia-backed APT group Sandworm is behind the cyberattack that disrupted parts of the Ukrainian power grid in late 2022, according to Mandiant.

About Sandworm

Sandworm is a threat actor that has carried out cyber operations in support of Russia’s Main Intelligence Directorate (GRU) since at least 2009.

While they are primarily focused on carrying out cyber attacks against entities in Ukraine (e.g., with disk wipers), they have also conducted cyber espionage campaigns against European Union government organizations, NATO, and others over the years.

In this particular “multi-event cyber attack” described by Mandiant, the group used living off the land (LotL) techniques to target operational technology (OT) systems and trigger a power outage, which coincided with missile strikes on Ukrainian critical infrastructure.

Ukrainian power grid disrupted

Even though researchers could not identify the initial access vector into the target organization’s IT environment, they believe the intrusion started around June 2022.

“Sandworm gained access to the OT environment through a hypervisor that hosted a supervisory control and data acquisition (SCADA) management instance for the victim’s substation environment. Based on evidence of lateral movement, the attacker potentially had access to the SCADA system for up to three months,” they said.

On October 10, Sandworm used an optical disc image (an .iso file) to execute a native MicroSCADA binary whose control commands switched off substations, resulting in an unscheduled power outage.

Execution chain of disruptive OT event. (Source: Mandiant)

Two days later, Sandworm deployed a new variant of CaddyWiper to cause additional disruption to the IT environment and remove forensic evidence. The wiper did not impact the hypervisor or the SCADA virtual machine.
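The execution chain described above (a disc image mounted on the SCADA management host, a script launched from it, the native control binary invoked with its command file) is a sequence a defender can correlate in ordinary endpoint telemetry. The following Python is an added illustration and is not code from Mandiant or from the article; it assumes a simplified key=value event format, constructed sample events, and a placeholder binary name scada_ctl.exe, because the article does not name the MicroSCADA binary.

```python
"""Correlate disc-image mounts with later process execution from the mounted volume.

Added illustration: the event format, sample events and binary name are all constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs from the incident), one event per line.
SAMPLE_EVENTS = [
    '2022-10-10T09:55:12Z host=scada-mgmt event=image_mount user=svc_admin image=C:\\Temp\\update.iso mount=E:',
    '2022-10-10T09:56:40Z host=scada-mgmt event=process_start user=svc_admin image=E:\\run.bat parent=C:\\Windows\\explorer.exe',
    '2022-10-10T09:56:41Z host=scada-mgmt event=process_start user=svc_admin image=C:\\SCADA\\bin\\scada_ctl.exe parent=E:\\run.bat cmdline="scada_ctl.exe -do E:\\cmds.txt"',
    '2022-10-10T11:30:00Z host=file-srv event=process_start user=svc_backup image=C:\\Windows\\System32\\robocopy.exe parent=C:\\Windows\\System32\\cmd.exe',
]

# Placeholder for the vendor's native control binary; the article does not name it.
SCADA_CONTROL_BINARIES = {"scada_ctl.exe"}
# How long after a mount we still treat executions from that drive as related.
MOUNT_WINDOW = timedelta(hours=24)

# key=value pairs; values may be double-quoted so a command line can contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one log line into a dict, with the leading timestamp parsed into 'ts'."""
    ts_text, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def mount_for(host, path, mounts, now):
    """Return the mount record if `path` is on a disc image mounted on `host` within the window."""
    rec = mounts.get((host, path[:2].upper()))
    if rec is not None and now - rec["ts"] <= MOUNT_WINDOW:
        return rec
    return None


def detect(lines):
    """Return alerts for executions from a mounted .iso and for the SCADA control
    binary being launched by a parent that runs from a mounted .iso."""
    mounts, alerts = {}, []
    for line in lines:
        ev = parse_event(line)
        host, now = ev["host"], ev["ts"]
        if ev["event"] == "image_mount":
            # Remember which drive letter the image landed on, per host.
            if ev["image"].lower().endswith(".iso"):
                mounts[(host, ev["mount"].upper())] = ev
            continue
        if ev["event"] != "process_start":
            continue
        image, parent = ev.get("image", ""), ev.get("parent", "")
        exe = image.rsplit("\\", 1)[-1].lower()
        if mount_for(host, image, mounts, now):
            alerts.append({"host": host, "ts": now, "rule": "exec_from_iso", "image": image})
        elif exe in SCADA_CONTROL_BINARIES and mount_for(host, parent, mounts, now):
            alerts.append({"host": host, "ts": now, "rule": "scada_control_from_iso",
                           "image": image, "parent": parent})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events the first rule fires for the script started from the mounted drive and the second for the control binary whose parent is that script; the unrelated robocopy run on another host is not flagged. The per-host mount table and the time window are what keep the correlation from flagging every process on the estate once any ISO is mounted anywhere.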

A shift in tactics

In April 2022, the Computer Emergency Response Team of Ukraine (CERT-UA), with the help of ESET and Microsoft security experts, managed to prevent a cyberattack by Sandworm on a Ukrainian energy provider.

This time around, the group was successful.

Mandiant researchers noted that Sandworm “potentially developed the disruptive capability as early as three weeks prior to the OT event” and apparently waited to deploy it during missile strikes on critical infrastructure across several Ukrainian cities.

“Sandworm’s use of a native Living off the Land binary (LotLBin) to disrupt an OT environment shows a significant shift in techniques. Using tools that are more lightweight and generic than those observed in prior OT incidents, the actor likely decreased the time and resources required to conduct a cyber physical attack,” they added.

“While Mandiant was unable to determine the initial intrusion point, our analysis suggests the OT component of this attack may have been developed in as little as two months. This indicates that the threat actor is likely capable of quickly developing similar capabilities against other OT systems from different original equipment manufacturers (OEMs) leveraged across the world.”
