Power Outage in Ukraine Caused by Russian Hackers Sandworm During Missile Strikes

    Google’s Mandiant Uncovers the Hack

    Google’s threat intelligence firm, Mandiant, has revealed a sophisticated cyber attack by the notorious Russian hacker group Sandworm. Last year, Sandworm targeted a Ukrainian electrical substation, causing a power outage in October 2022. Mandiant described the incident as a “multi-event cyber attack” that employed a novel method to compromise industrial control systems (ICS).

    Techniques and Impact

    The hackers initially used living-off-the-land (LotL) techniques at the operational technology (OT) level. Their actions likely tripped the substation’s circuit breakers, triggering an unplanned outage. This incident coincided with mass missile strikes across Ukraine, targeting critical infrastructure. Later, Sandworm deployed a new variant of the CaddyWiper malware in the victim’s IT environment, causing further disruption.

    Sandworm’s Continuous Threat

    The targeted facility’s location, the blackout’s duration, and the number of affected people remain undisclosed. However, this attack is the latest in Sandworm’s ongoing efforts to disrupt Ukraine’s power grid, a campaign that started in 2015. In earlier attacks the group has used malware such as Industroyer.

    Attack Vector and Execution

    The exact method Sandworm used to initiate this cyber-physical attack remains unclear. Using LotL techniques likely reduced the time and resources needed for the attack. Sandworm accessed the OT environment through a hypervisor hosting a SCADA management instance for the substation. In October 2022, they launched malware from an optical disc image file, causing an unscheduled power outage. Two days after this event, Sandworm deployed a new CaddyWiper variant to cause further disruption and erase forensic evidence.

    Global Implications and Recommendations

    Mandiant noted that the execution of this attack coincided with coordinated missile strikes on critical infrastructure in Ukrainian cities. This attack, which leveraged the MicroSCADA supervisory control system, poses an immediate threat to Ukrainian infrastructure. Given Sandworm’s global activities and the widespread use of MicroSCADA products, asset owners worldwide should take steps to mitigate the group’s tactics, techniques, and procedures (TTPs).