Cybersecurity | 9 Nov 2023 | 4m | mandiant.com

Sandworm's Novel Cyberattack Disrupts Ukrainian Power Supply

In late 2022, the Sandworm group executed a sophisticated cyberattack targeting Ukraine's power infrastructure, utilizing advanced offensive techniques against operational technology. This incident marks a significant escalation in cyber warfare tactics amidst ongoing global tensions.

Key Takeaways

1. In late 2022, a notable incident disrupted power supply in Ukraine when the Russia-associated hacker group, Sandworm, launched a sophisticated cyberattack on a critical infrastructure organization.
2. "The attack was orchestrated with a level of complexity that reflects Sandworm's evolving capabilities," said Ken Proska, an analyst at Mandiant.
3. Among the contents of the ISO image used in the attack were files such as "s1.txt," containing likely unauthorized SCADA commands, alongside scripts designed to execute these commands.

In late 2022, a notable incident disrupted power supply in Ukraine when the Russia-associated hacker group, Sandworm, launched a sophisticated cyberattack on a critical infrastructure organization. This incident, characterized as a multi-phase attack, employed innovative techniques against industrial control systems (ICS) and operational technology (OT).

"The attack was orchestrated with a level of complexity that reflects Sandworm's evolving capabilities," said Ken Proska, an analyst at Mandiant. The group's first move involved using operational technology-level living off the land (LotL) techniques to reportedly trigger the substation circuit breakers, leading to an unplanned power outage that happened concurrently with widespread missile strikes on Ukrainian infrastructure.


Following this initial disruption, Sandworm struck again, deploying a new variant of CADDYWIPER in the target's IT environment. This two-pronged assault showcases a significant advancement in Russia's cyber-physical attack strategies, particularly over the course of the country's ongoing military campaign in Ukraine.


"The techniques utilized in this incident highlight a sophisticated understanding of operational technology threats and a capacity to rapidly deploy new tactics," noted John Wolfram from Mandiant. The capability demonstrates increased maturity in Russia's offensive OT strategy, showing an ability to identify new vulnerabilities and leverage a variety of OT infrastructure to execute such attacks efficiently.


Speculation about the initial intrusion point remains, but analysis suggests that the OT component of this cyberattack was potentially developed within just two months. This realization poses a concerning prospect: Sandworm’s ability to replicate similar capabilities against other OT systems worldwide.

Initially, this activity was tracked under the name UNC3810 before being reclassified with Sandworm. Known for its espionage and disruptive operations, Sandworm has been linked to the Russian military's Main Intelligence Directorate (GRU) since at least 2009, concentrating its efforts primarily on Ukraine. "The threat group has not only targeted Ukraine over the last decade, but their espionage activities extend globally, highlighting the expansive ambitions of the Russian military's cyber initiatives," remarked Jared Wilson, another Mandiant analyst.


The timeline of this incident indicates that Sandworm gained access to the target’s OT environment via a hypervisor that managed a supervisory control and data acquisition (SCADA) system. Subsequent access to the SCADA system may have lasted for several months, allowing for extensive lateral movement within the network.


On October 10, 2022, the attacker employed an optical disc named "a.iso," utilizing it to execute malicious commands intended to disrupt the power supply by shutting down substations. Among the contents of this ISO image were files such as "s1.txt," containing likely unauthorized SCADA commands, alongside scripts designed to execute these commands.
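The delivery pattern described above (an optical-disc image mounted on a SCADA-adjacent host, then a script run from the mounted volume that feeds a command file such as "s1.txt") is something OT defenders can hunt for in mount and process telemetry. The following is an added illustration, not code from Mandiant's report: the log layout, the 30-minute window, the host names and every file name other than a.iso and s1.txt are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry. The "<time> <host> <event> key=value ..." layout
# is an assumption for this example, not the format of any real product.
SAMPLE_LOGS = r"""
2022-10-10T01:12:03Z scada-hv MOUNT image=D:\tmp\a.iso drive=E:
2022-10-10T01:13:40Z scada-hv PROCESS image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c E:\run.bat E:\s1.txt"
2022-10-10T03:00:00Z ws-17 MOUNT image=C:\Users\ops\docs.iso drive=F:
2022-10-10T05:30:00Z ws-17 PROCESS image=C:\Tools\reader.exe cmdline="reader.exe F:\manual.pdf"
""".strip().splitlines()

WINDOW = timedelta(minutes=30)  # assumed: how long after a mount the volume stays "suspect"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="value with spaces"


def parse_line(line):
    """Split one log line into (timestamp, host, event, {field: value})."""
    ts, host, event, rest = line.split(" ", 3)
    fields = {k: (q if q else u) for k, q, u in KV_RE.findall(rest)}
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, event, fields


def hunt_iso_execution(lines, window=WINDOW):
    """Flag processes whose image or command line references a drive letter that was
    backed by an ISO mounted on the same host within `window`. Returns findings."""
    recent_mounts = {}  # (host, drive letter) -> (mount time, iso path)
    findings = []
    for line in lines:
        ts, host, event, f = parse_line(line)
        if event == "MOUNT" and f.get("image", "").lower().endswith(".iso"):
            recent_mounts[(host, f["drive"].upper())] = (ts, f["image"])
        elif event == "PROCESS":
            text = (f.get("image", "") + " " + f.get("cmdline", "")).upper()
            for (m_host, drive), (m_ts, iso) in recent_mounts.items():
                # same host, path on the mounted drive, and inside the time window
                if m_host == host and drive + "\\" in text and ts - m_ts <= window:
                    findings.append({"host": host, "iso": iso, "drive": drive,
                                     "cmdline": f.get("cmdline", "")})
    return findings


if __name__ == "__main__":
    for hit in hunt_iso_execution(SAMPLE_LOGS):
        print(f"[HUNT] {hit['host']}: {hit['cmdline']!r} ran from {hit['drive']} ({hit['iso']})")
```

The benign workstation mount is not flagged because its follow-on process falls outside the window; tuning that window and the set of interpreters worth flagging is the main site-specific work.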

According to Dan Black, a cybersecurity expert at Mandiant, “While we could not recover all specific ICS commands executed during this incident, the outcomes were clear: the attack led to a significant, unscheduled power outage.” The implications of such capabilities warrant serious attention from operational technology asset owners.

Given Sandworm's extensive global threat activity and innovative offensive capabilities, Mandiant is urging organizations involved in OT operations to strengthen their defenses. Detailed recommendations for detection, threat hunting, and organizational hardening, as well as a mapping to the MITRE ATT&CK framework, are included in the appendices of Mandiant's report.

"For those facing threats like this, immediate and preemptive steps are essential," emphasized Keith Lunden from Mandiant Consulting. Organizations are encouraged to seek assistance from cybersecurity professionals to prepare adequately against evolving threats. Mandiant's ongoing analysis of the Sandworm threat activity is available through their Advantage Threat Intelligence platform.


This incident may become a pivotal case study in the field of cyber warfare, particularly in the context of operational technology. The sophistication displayed by Sandworm not only outlines the current landscape of cyber threats but also underlines the need for robust defense mechanisms in an increasingly interconnected world.