In late 2022, Mandiant responded to a cyber physical incident where the Russia-linked threat actor Sandworm targeted a Ukrainian critical infrastructure organization. This incident was a multi-event cyber attack that impacted industrial control systems (ICS) and operational technology (OT) using a novel technique. The actor first used living off the land (LotL) techniques to cause an unplanned power outage and later deployed a new variant of CADDYWIPER in the victim’s IT environment.
This attack represents the latest evolution in Russia’s cyber physical attack capability, which has been increasingly visible since Russia’s invasion of Ukraine. The techniques used during the incident suggest a growing maturity of Russia’s offensive OT arsenal, including an ability to recognize novel OT threat vectors, develop new capabilities, and leverage different types of OT infrastructure to execute attacks. The actor likely decreased the time and resources required to conduct its cyber physical attack by using LotL techniques. Sandworm’s global threat activity and novel OT capabilities pose an immediate threat to critical infrastructure environments, urging asset owners to take action to mitigate this threat.
Based on analysis, the intrusion began on or prior to June 2022 and culminated in two disruptive events on October 10 and 12, 2022. Sandworm gained access to the OT environment through a hypervisor that hosted a supervisory control and data acquisition (SCADA) management instance for the victim’s substation environment. The attacker potentially had access to the SCADA system for up to three months, indicating a significant compromise.
Sandworm’s substation attack reveals notable insights into Russia’s continued investment in OT-oriented offensive cyber capabilities and overall approach to attacking OT systems. The evolution of suspected GRU-sponsored OT attacks shows a decrease in the scope of disruptive activities per attack, reflecting the increased tempo of wartime cyber operations and revealing the GRU’s priority objectives in OT attacks.
Sandworm’s use of a native Living off the Land binary (LotLBin) to disrupt an OT environment shows a significant shift in techniques, making it difficult for defenders to detect threat activity. The timing of the attack overlaps with Russian kinetic operations, suggesting a coordinated effort. Sandworm’s deployment of a new variant of CADDYWIPER in the victim’s IT environment further disrupted the infrastructure, indicating a lack of coordination across different individuals or operational subteams involved in the attack.
This attack represents an immediate threat to critical infrastructure environments, urging asset owners globally to take action to mitigate their tactics, techniques, and procedures against IT and OT systems. The research was made possible thanks to the hard work of many people not listed on the byline, and the incident response engagement was funded through the UK’s Ukraine Cyber Programme and delivered by the United Kingdom’s Foreign, Commonwealth and Development Office.
For more details on the attack lifecycle and OT capability, refer to the Technical Analysis section of the blog post.
+ There are no comments
Add yours