The notorious Russian hacking group known as Sandworm targeted an electrical substation in Ukraine last year, causing a brief power outage in October 2022.
The findings come from Google’s Mandiant, which described the hack as a “multi-event cyber attack” leveraging a novel technique for impacting industrial control systems (ICS).
“The actor first used OT-level living-off-the-land (LotL) techniques to likely trip the victim’s substation circuit breakers, causing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across Ukraine,” the company said.
“Sandworm later conducted a second disruptive event by deploying a new variant of CaddyWiper in the victim’s IT environment.”
The threat intelligence firm did not reveal the location of the targeted energy facility, the duration of the blackout, or the number of people who were affected by the incident.
The development marks Sandworm’s continued efforts to stage disruptive attacks and compromise the power grid in Ukraine since at least 2015 using malware such as Industroyer.
The exact initial access vector used for the cyber-physical attack is currently unclear, and it is believed that the threat actor’s use of LotL techniques reduced the time and resources required to carry it out.
The intrusion is thought to have taken place around June 2022, with the Sandworm actors gaining access to the operational technology (OT) environment through a hypervisor that hosted a supervisory control and data acquisition (SCADA) management instance for the victim’s substation environment.
On October 10, 2022, an optical disc (ISO) image file was used to launch malware capable of switching off substations, resulting in an unscheduled power outage.
“Two days after the OT event, Sandworm deployed a new variant of CaddyWiper in the victim’s IT environment to cause further disruption and potentially to remove forensic artifacts,” Mandiant said.
CaddyWiper is a piece of data-wiping malware that first came to light in March 2022 in connection with the Russo-Ukrainian war.
“This attack represents an immediate threat to Ukrainian critical infrastructure environments leveraging the MicroSCADA supervisory control system,” the company said.
“Given Sandworm’s global threat activity and the worldwide deployment of MicroSCADA products, asset owners globally should take action to mitigate their tactics, techniques, and procedures against IT and OT systems.”