Google Cloud-backed threat intelligence specialist Mandiant has shared details of a disruptive incident late last year, in which the Sandworm advanced persistent threat (APT) group, backed by Russia’s GRU intelligence and special forces agency, deployed novel techniques in a cyber attack on Ukraine’s power infrastructure.
Sandworm is well known for its interest in Ukraine’s critical national infrastructure (CNI), which it has attacked with great frequency over the years, ramping up its harassment during the ongoing war, which is approaching its second anniversary.
Now, for the first time, Mandiant has revealed what it learned during its response to a “multi-event” Sandworm intrusion that leveraged new techniques to impact industrial control systems (ICS) and operational technology (OT). The group exploited living-off-the-land techniques to trip substation circuit breakers, causing an unplanned power outage that coincided with mass Russian missile strikes against CNI targets in Ukraine.
Mandiant chief analyst John Hultquist said: “There’s not much evidence that this attack was designed for any practical, military necessity. Civilians are typically the ones who suffer from these attacks and they are probably carried out to exacerbate the psychological toll of the war. It’s important that we not lose sight of the serious threat Ukraine is still facing, especially as winter approaches.”
He added: “There has been a misconception that attacks in Ukraine have not lived up to predictions. The fact is that attacks have been limited by the exceptional work of Ukrainian defenders and their partners, who have worked tirelessly to prevent a hundred scenarios just like this. The fact that this incident is isolated is a testament to their exceptional work.”
Mandiant’s investigators, Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker and Tyler McLellan, said the attack demonstrated a clear evolution in Russia’s cyber-physical capabilities, and suggests the Kremlin’s offensive OT arsenal is increasingly mature.
“This indicates that the threat actor is likely capable of quickly developing similar capabilities against other OT systems from different original equipment manufacturers (OEMs) leveraged across the world,” they said.
How it went down
Mandiant’s team assessed that the incident in question began around June 2022, culminating in final attacks on 10 and 12 October last year. It is known that Sandworm gained access to the victim’s OT environment via a hypervisor that hosted a supervisory control and data acquisition (SCADA) instance for the victim’s substation.
Then, on 10 October, Sandworm used an optical disk (ISO) image to execute a native MicroSCADA binary, probably in an attempt to execute malicious control commands to crash the substations. Based on the timestamps of the ISO file’s contents, these OT capabilities were likely developed during the period between Sandworm first gaining access and executing the attack.
Two days later, Sandworm deployed an updated variant of the malware known as Caddywiper to cause further disruption and possibly, according to Mandiant, to remove forensic artifacts. However, this deployment was limited to the victim’s IT environment and impacted neither the hypervisor nor the SCADA instance, which is a little strange and may point to some internal issues within the group.
The Mandiant team said the use of living-off-the-land binaries (LoLBins) – which are legitimate, naturally occurring tools and executables on a system, in this case the native MicroSCADA – was a significant shift for Sandworm.
By using lightweight and generic tools, Sandworm was able to decrease both the time and resources it needed to consume in service of its attack, while also making it harder for defenders to detect it: because LoLBins are legitimate, defenders would not necessarily have been looking in the right place.
“This attack represents an immediate threat to Ukrainian critical infrastructure environments leveraging the MicroSCADA supervisory control system. Given Sandworm’s global threat activity and the worldwide deployment of MicroSCADA products, asset owners globally should take action to mitigate their tactics, techniques, and procedures against IT and OT systems,” wrote the team.
“Furthermore, our analysis of the activity suggests Russia would be capable of developing similar capabilities against other SCADA systems and programming languages beyond MicroSCADA and SCIL.”
Mandiant has published more in-depth technical details of the incident, along with recommendations to detect and mitigate similar activity.