In October 2022, Russia’s notorious Sandworm cyber group orchestrated a power outage in a Ukrainian city using clever techniques, coinciding with a barrage of missile strikes. Sandworm, associated with Russia’s Main Center for Special Technologies, has a history of cyberattacks in Ukraine, including BlackEnergy-induced blackouts in 2015 and 2016, the infamous NotPetya wiper, and recent campaigns during the Ukraine war. The ongoing conflict has provided cover for its recent cyberattacks.
In a recent report by Mandiant, an incident from October 2022 is detailed. Amidst a downpour of 84 cruise missiles and 24 drone attacks across 20 Ukrainian cities, Sandworm leveraged two months of preparation to cause an unexpected power outage in one city. Unlike previous grid attacks, this one didn’t rely on advanced cyber weaponry but exploited living-off-the-land (LotL) techniques, undermining Ukraine’s sophisticated cyber defenses.
According to Mandiant chief analyst John Hultquist, this sets a concerning precedent, prompting questions about our ability to defend against such tactics.
The initial breach by Sandworm in June 2022 targeted a Ukrainian substation. After breaching the gap between IT and operational technology networks, the group accessed a hypervisor hosting a supervisory control and data acquisition (SCADA) management instance. SCADA is where plant operators oversee machinery and processes. After maintaining SCADA access for up to three months, Sandworm acted during a surge in kinetic warfare.
Using an optical disc (ISO) image file, Sandworm executed a binary native to the MicroSCADA control system, likely instructing infected MicroSCADA servers to command the substation’s remote terminal units (RTUs) to open circuit breakers, causing a deliberate power outage.
Two days later, Sandworm deployed a new version of its CaddyWiper malware, targeting only the IT network. This move may have aimed to erase forensic evidence of the initial attack or cause further disruption. The exact intrusion method remains unknown, leaving researchers to grapple with the complexity of defending against such sophisticated cyber tactics.
Russia vs. Ukraine Hacking
The conflict between Russia and Ukraine is seeing a shift towards a more balanced playing field. Sandworm’s impactful BlackEnergy and NotPetya attacks have left a lasting mark on cybersecurity, Ukrainian history, and military strategies. These events have influenced how global powers perceive the combination of kinetic-cyber warfare and how defenders secure industrial systems.
As awareness has grown, subsequent attacks by Sandworm have not matched the intensity of their earlier actions. Take, for instance, the second Industroyer attack that followed the invasion. Despite the malware being as powerful, if not more so, than the one that disrupted Ukraine’s power in 2016, it failed to inflict serious consequences.
Adam Hultquist, an expert in the field, points out the historical pattern of Sandworm’s attempts to utilize tools like Industroyer, often failing due to discovery. He suggests that this recent incident may mark a turning point, introducing new challenges for defenders. The evolving nature of the threat requires a more proactive approach, as traditional methods like using signatures may prove inadequate.
Hultquist also provides an alternative perspective on the cyber history between Russia and Ukraine. Rather than Russia’s attacks weakening, he suggests that Ukraine’s defenses have strengthened over time. Reflecting on Ukraine’s experience in handling cyber threats, Hultquist emphasizes that if faced with the same pressure and outdated defenses of a decade ago, the recent situation would have unfolded differently. He underscores the need for defenders to learn from Ukraine’s expertise in cyberwarfare, acknowledging that there is much to gain from their experience.
Read the full article
0 Comments