Sandworm cyberattackers down Ukrainian power grid during missile strikes


Russia’s infamous Sandworm advanced persistent threat (APT) group used living-off-the-land (LotL) techniques to precipitate a power outage in a Ukrainian city in October 2022, coinciding with a barrage of missile strikes.

Sandworm, linked to Russia’s Main Center for Special Technologies, has a storied history of cyberattacks in Ukraine: BlackEnergy-induced blackouts in 2015 and 2016, the infamous NotPetya wiper, and more recent campaigns overlapping with the Ukraine war. To some extent, the war has provided a smokescreen for its more recent, comparably sized cyberattacks.

Take one instance from October 2022, described today in a report by Mandiant. During a downpour of 84 cruise missiles and 24 drone attacks across 20 Ukrainian cities, Sandworm cashed in on two months of preparation and forced an unexpected power outage in one affected city.

Unlike with previous Sandworm grid attacks, this one wasn’t notable for some piece of advanced cyber weaponry. Instead, the group took advantage of LotL binaries to undermine Ukraine’s increasingly sophisticated critical infrastructure cyber defenses.

To Mandiant chief analyst John Hultquist, it sets a worrying precedent. “We’re going to have to ask ourselves some tough questions about whether or not we can defend against something like this,” he says.

Yet Another Sandworm Power Outage

Though the exact method of intrusion is still unknown, researchers dated Sandworm’s initial breach of the Ukrainian substation to at least June 2022.

Soon after, the group was able to breach the divide between the IT and operational technology (OT) networks, and access a hypervisor hosting a supervisory control and data acquisition (SCADA) management instance (where plant operators manage their machinery and processes).

After up to three months of SCADA access, Sandworm picked its moment. Coinciding (coincidentally or otherwise) with an onslaught of kinetic warfare the same day, it used an optical disc (ISO) image file to execute a binary native to the MicroSCADA control system. The precise commands are unknown, but the group likely used an infected MicroSCADA server to send commands to the substation’s remote terminal units (RTUs), instructing them to open circuit breakers and thereby cut power.

To read the complete article, visit Dark Reading.
