Google-owned Mandiant has revealed that Sandowrm, a Russia-backed hacking group, conducted a disruptive cyber-attack targeting a Ukrainian critical infrastructure organization in late 2022.
Mandiant, which was involved in responding to the attack, shared some of the findings of its post-mortem analysis in a report published on November 9, 2023.
The intrusion began on, or before, June 2022. It was a multi-event cyber-attack that leveraged a novel technique for impacting industrial control systems (ICS) and operational technology (OT).
The incident culminated in two disruptive events on October 10 and 12, 2022. The first was a power outage and the second a wiper attack designed to limit any investigation.
Cyber-Attacks Aligned with Missile Strikes
The threat actor, which Mandiant first tracked as UNC3810 before merging the cluster with Sandworm, first used OT-level living off the land (LotL) techniques. This allowed the group to improve its chances of avoiding detection.
“While we were unable to identify the initial access vector into the IT environment, Sandworm gained access to the OT environment through a hypervisor that hosted a supervisory control and data acquisition (SCADA) management instance for the victim’s substation environment,” wrote Mandiant.
Based on evidence of lateral movement, the attacker potentially had access to the SCADA system for up to three months.
On October 10, the actor leveraged an optical disc (ISO) image named “a.iso” to execute a native MicroSCADA binary in a likely attempt to execute malicious control commands to switch off substations. The ISO file contained at least the following:
- “lun.vbs”, which runs n.bat
- “n.bat”, which likely runs the native scilc.exe utility
- “s1.txt”, which likely contains the unauthorized MicroSCADA commands
The intent of this first attack likely was to trip the victim’s substation circuit breakers, causing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across Ukraine.
“While Mandiant does not have enough evidence to conclude the cyber-attack on the power plant was deliberately timed with the missile attacks, they note the timing of the two is very coincidental,” the researchers wrote.
Two days later, Sandworm conducted a second disruptive event by deploying a new variant of CaddyWiper in the victim’s IT environment.
Russia’s Offensive OT Arsenal Matures
These new techniques “suggest a growing maturity of Russia’s offensive OT arsenal, including an ability to recognize novel OT threat vectors, develop new capabilities, and leverage different types of OT infrastructure to execute attacks,” Mandiant wrote.
This attack came a few months after Sandworm reportedly intended to deploy Industroyer 2, a destructive malware targeting ICS, against Ukrainian organizations.
John Hultquist, Mandiant Chief Analyst, highlighted: “There’s not much evidence that this attack was designed for any practical, military necessity. Civilians are typically the ones who suffer from these attacks and they are probably carried out to exacerbate the psychological toll of the war. It’s important that we not lose sight of the serious threat Ukraine is still facing, especially as winter approaches.”
“There has been a misconception that attacks in Ukraine have not lived up to predictions. The fact is that attacks have been limited by the exceptional work of Ukrainian defenders and their partners, who have worked tirelessly to prevent a hundred scenarios just like this. The fact that this incident is isolated is a testament to their exceptional work.”
What is the Sandworm Hacker Group?
Sandworm (aka Telebots, Voodoo Bear, and Iron Viking) is a hacking group that first appeared in 2009. It is believed to be linked to the Main Center for Special Technologies (also known as GTsST and Military Unit 74455), a cyber warfare unit of the GRU, Russia’s military intelligence service.
In the past, Sandworm has become a household name in cyber espionage and cyber-influence operations.
The group’s long-standing focus has been Ukraine, where it has carried out a campaign of disruptive and destructive attacks over the past decade using wiper malware.
“Given Sandworm’s global threat activity and novel OT capabilities, we urge OT asset owners to take action to mitigate this threat,” Mandiant researchers warned.