A temporary power outage occurred in October 2022 as a result of the notorious Russian cyber organization Sandworm targeting a Ukrainian electrical substation last year. The attack was discovered by Google’s Mandiant, which described it as a “multi-event cyber attack” that used a special technique to affect industrial control systems (ICS).
The hackers most likely set off the substation’s circuit breakers by using living-off-the-land (LotL) techniques at the operational technology (OT) level. This resulted in an unforeseen power outage that coincided with massive missile strikes on Ukraine’s vital infrastructure. Then, Sandworm introduced a fresh version of CaddyWiper into the victim’s IT system, causing a second disruptive incident.
Specifics including the location, length of the blackout, and the number of individuals impacted by the cyberattack on the energy facility have not been made public by the threat intelligence company.
This event demonstrates Sandworm’s ongoing efforts, since 2015, to use malware such as Industroyer to interfere with and infiltrate Ukraine’s electrical grid. Although the cyber-physical attack’s original vector is still unknown, it is thought that the execution was made easier by the application of living-off-the-land (LotL) strategies. Sandworm most likely entered the operational technology (OT) environment in June 2022 by using a hypervisor to host a supervisory control and data acquisition (SCADA) management instance for the victim’s substation.
An unforeseen power outage occurred on October 10, 2022, as a result of the attackers’ exploitation of an optical disc (ISO) image file to distribute malware.
According to Mandiant, two days following the OT event, Sandworm introduced a fresh version of CaddyWiper into the victim’s IT system, aiming to inflict additional damage and possibly eradicate forensic evidence.
CaddyWiper is a data-wiping malware that was first discovered in March 2022 during the Russo-Ukrainian War.
Mandiant noted that the attack’s execution coincided with the start of a multi-day sequence of synchronized missile strikes against critical infrastructure in multiple Ukrainian cities, including the victim’s location.
The company stressed that by taking advantage of the MicroSCADA supervisory control system, this attack poses an immediate threat to critical infrastructure areas in Ukraine. The business recommended asset owners worldwide take action and implement measures to neutralize Sandworm’s tactics, techniques, and procedures against both IT and OT systems, given the threat activity of Sandworm and the global deployment of MicroSCADA solutions.
Read also:
- Iranian Hackers Are Causing Disruptive Cyberattacks Against the Albanian Government
- State-Backed Hackers Hiding Behind Ransomware To Conduct Cyber Espionage Attacks
- A Cyber Group in Iran Targets Middle East Tech Sectors
- A Major APT28 Cyberattack on Critical Energy Infrastructure Thwarted by Ukraine’s CERT