Russia’s Sandworm hackers behind power blackouts in Ukraine amid massive missile strikes

A Russian military hacking unit known as Sandworm orchestrated a coordinated disruptive cyberattack on one of the power plants in Ukraine that coincided with massive missile strikes on the Ukrainian electrical grid and contributed to power outages across the country, according to a new report from Google-owned cybersecurity firm Mandiant.

The energy facility was compromised in June 2022, with a two-day attack following four months later. The attack involved a novel technique for impacting industrial control systems (ICS) / operational technology (OT).

“The actor first used OT-level living off the land (LotL) techniques to likely trip the victim’s substation circuit breakers, causing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across Ukraine. Sandworm later conducted a second disruptive event by deploying a new variant of CADDYWIPER in the victim’s IT environment,” Mandiant said, noting that it was not able to determine how the hackers gained initial access to the victim’s IT environment.

According to the researchers, the threat actor gained access to the OT environment of the power station, by a route Mandiant could not establish, via a hypervisor hosting a supervisory control and data acquisition (SCADA) management instance for the plant's substations.

The attackers then used an optical disc (ISO) image named “a.iso” to execute a native MicroSCADA binary in a likely attempt to execute malicious control commands to switch off substations.

Two days after the attack, the hackers deployed a new variant of the CaddyWiper data-wiping malware to cause further disruption and erase traces of their presence in the victim’s network. However, the wiper deployment was limited to the victim’s IT environment and did not impact the hypervisor or the SCADA virtual machine.

“This is unusual since the threat actor had removed other forensic artifacts from the SCADA system in a possible attempt to cover their tracks, which would have been enhanced by the wiper activity. This could indicate a lack of coordination across different individuals or operational subteams involved in the attack,” Mandiant noted in its report.
