In a recent incident response engagement, Mandiant dealt with a disruptive cyber-physical attack targeting a critical infrastructure entity in Ukraine. The threat, they reported, came from the Russia-linked group known as Sandworm, which used a novel technique to affect industrial control systems (ICS) and operational technology (OT).
The multi-event attack carried out by Sandworm included novel operational-technology-level "living off the land" (LotL) techniques. These led to an unplanned power outage, which coincided with mass missile strikes on critical infrastructure across Ukraine.
This incident illustrates the continued evolution of Russia's cyber-physical attack capability since the invasion of Ukraine. Mandiant observed that Sandworm showed increased maturity in its offensive OT arsenal, recognising new threat vectors, developing additional capabilities, and exploiting different aspects of OT infrastructure. Its efficient use of LotL techniques suggests the threat actor may have been able to develop the OT component in around two months.
Sandworm, previously tracked as UNC3810, has supported Russia's Main Intelligence Directorate (GRU) since 2009 and primarily targets Ukraine. The group has carried out numerous disruptive and destructive attacks, most notably during the 2022 re-invasion. Beyond Ukraine, Sandworm also conducts worldwide espionage operations that reflect Russia's military ambitions.
Although a new CADDYWIPER variant was deployed in the victim's IT environment, the wiper did not affect the hypervisor or the SCADA virtual machine, which may indicate a lack of coordination within the attacking group. To guard against this type of attack, Mandiant is urging OT asset owners worldwide to take preventative measures following the detection, hunting and hardening guidance it has provided.
The intrusion began in June 2022 and culminated in disruptive events on October 10 and 12, 2022. Sandworm gained access to the OT environment through a hypervisor hosting a SCADA management instance, and potentially had access to the SCADA system for as long as three months. This access was ultimately used to execute unauthorised MicroSCADA commands, resulting in an unexpected power outage.
This attack poses a direct threat to Ukrainian critical infrastructure that uses MicroSCADA. Given Sandworm's global threat activity, Mandiant is advising asset owners worldwide to implement the mitigation strategies detailed in its analysis.
Mandiant Consulting offers additional information and support, while Mandiant Advantage Threat Intelligence provides a more detailed analysis of Sandworm threat activity.