The notorious Russian hackers often called Sandworm targeted an electrical substation in Ukraine last year, causing a brief power outage in October 2022.
The findings come from Google's Mandiant, which described the hack as a "multi-event cyber attack" leveraging a novel technique for impacting industrial control systems (ICS).
"The actor first used OT-level living-off-the-land (LotL) techniques to likely trip the victim's substation circuit breakers, causing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across Ukraine," the company said.
"Sandworm later conducted a second disruptive event by deploying a new variant of CaddyWiper in the victim's IT environment."
The threat intelligence firm did not reveal the location of the targeted energy facility, the duration of the blackout, or the number of people who were impacted by the incident.
The development marks Sandworm's continuous efforts to stage disruptive attacks and compromise the power grid in Ukraine since at least 2015 using malware such as Industroyer.
The exact initial vector used for the cyber-physical attack is currently unclear, and it is believed that the threat actor's use of LotL techniques reduced the time and resources required to pull it off.
The intrusion is thought to have taken place around June 2022, with the Sandworm actors gaining access to the operational technology (OT) environment through a hypervisor that hosted a supervisory control and data acquisition (SCADA) management instance for the victim's substation environment.
On October 10, 2022, an optical disc (ISO) image file was used to launch malware capable of switching off substations, resulting in an unscheduled power outage.
"Two days after the OT event, Sandworm deployed a new variant of CaddyWiper in the victim's IT environment to cause further disruption and potentially to remove forensic artifacts," Mandiant said.
CaddyWiper refers to a piece of data-wiping malware that first came to light in March 2022 in connection with the Russo-Ukrainian war.
The eventual execution of the attack, Mandiant noted, coincided with the start of a multi-day set of coordinated missile strikes on critical infrastructure across several Ukrainian cities, including the city in which the unnamed victim was located.
"This attack represents an immediate threat to Ukrainian critical infrastructure environments leveraging the MicroSCADA supervisory control system," the company said.
"Given Sandworm's global threat activity and the worldwide deployment of MicroSCADA products, asset owners globally should take action to mitigate their tactics, techniques, and procedures against IT and OT systems."