Russian Hackers Utilized Unique OT Attack to Interrupt Ukrainian Power During Widespread Missile Strikes

Mandiant, a prominent cybersecurity firm, has shed light on two sophisticated operational technology (OT) attacks carried out by the Russian hacking group known as “Sandworm” in October last year. These attacks led to unexpected power outages in Ukraine, aligning with a series of missile strikes on the nation's critical infrastructure.

The assaults, which took place over several months, peaked with two significant incidents on October 10 and 12, utilizing what Mandiant refers to as an "unprecedented method" to disrupt industrial control systems (ICS) and OT networks.

According to Mandiant's investigation, Sandworm infiltrated an obsolete MicroSCADA system and executed commands that adversely affected the connected substations. MicroSCADA, developed by Hitachi Energy, is a critical system used globally in over 10,000 substations, crucial for managing and monitoring power in essential sectors like power grids, various industries, healthcare facilities, ports, and data centers.

The cybercriminals reportedly employed OT-specific living off the land (LotL) techniques, likely causing the victim’s substation circuit breakers to trip and triggering a power outage that coincided with Ukraine's broader infrastructural bombardment.

Only two days after the initial OT attack, Sandworm launched a secondary offensive, deploying a novel strain of CADDYWIPER malware within the victim's IT networks to inflict further damage and potentially erase forensic evidence.

Mandiant's report emphasizes the evolving sophistication and capability of Russia's cyber-physical attack apparatus, which now includes identifying new OT threat vectors, developing fresh capabilities, and exploiting various types of OT infrastructure to conduct their attacks.

The Sandworm team, repeatedly implicated in espionage and cyberattacks in support of the Russian GRU, seems to have rapidly developed this OT attack method within two months, signaling their potential to swiftly craft similar threats against other OT systems worldwide.

The initial breach method remains unclear, but the hackers were first spotted in the target's system in June 2022, deploying a webshell on a publicly exposed system.

For the OT attack, the threat actors used an ISO image file as a virtual CD-ROM in a hypervisor running the MicroSCADA SCADA system for the targeted substation network. This ISO contained executables that ran 'scilc.exe', a legitimate MicroSCADA utility, which allowed the hackers to issue arbitrary commands.

Although the precise commands remain unknown, it is suspected that the attackers aimed to open circuit breakers, with the MicroSCADA server relaying these instructions to substation remote terminal units (RTUs) via communication protocols.

Mandiant believes that the attackers had access to the SCADA system for up to three months.

The complexity of the offensive demonstrates Sandworm's swift progression in refining OT attack methods, including features for easier deployment. Mandiant's analysis warns of the significant shift in techniques, with Sandworm's use of OT-based living off the land binaries (LotLBins) to disrupt environments being particularly alarming.

In conversations with SecurityWeek, Mandiant researchers expressed concern that this new class of 'living off the land' OT attacks poses a considerable threat to critical infrastructure defenders.

Mandiant is urging OT asset owners to take proactive measures to counteract this risk, offering detection strategies, investigative guidance, and recommendations for strengthening defenses based on the MITRE ATT&CK framework.

Historically, Russia has deployed OT malware like Industroyer and Industroyer2 to target Ukraine's energy sector, showcasing a continued focus on undermining critical infrastructure through cyber means.