The infamous Russian hackers often known as Sandworm focused {an electrical} substation in Ukraine final 12 months, inflicting a quick energy outage in October 2022.
The findings come from Google’s Mandiant, which described the hack as a “multi-event cyber assault” leveraging a novel method for impacting industrial management programs (ICS).
“The actor first used OT-level living-off-the-land (LotL) strategies to probably journey the sufferer’s substation circuit breakers, inflicting an unplanned energy outage that coincided with mass missile strikes on vital infrastructure throughout Ukraine,” the corporate mentioned.
“Sandworm later carried out a second disruptive occasion by deploying a brand new variant of CaddyWiper within the sufferer’s IT atmosphere.”
The menace intelligence agency didn’t reveal the situation of the focused vitality facility, the length of the blackout, and the quantity of people that had been impacted by the incident.
The event marks Sandworm’s steady efforts to stage disruptive assaults and compromise the energy grid in Ukraine since not less than 2015 utilizing malware corresponding to Industroyer.
The precise preliminary vector used for the cyber-physical assault is presently unclear, and it is believed that the menace actor’s use of LotL strategies decreased the time and sources required to tug it off.
The intrusion is believed to have occurred round June 2022, with the Sandworm actors having access to the operational expertise (OT) atmosphere by means of a hypervisor that hosted a supervisory management and information acquisition (SCADA) administration occasion for the sufferer’s substation atmosphere.
On October 10, 2022, an optical disc (ISO) picture file was used to launch malware able to switching off substations, leading to an unscheduled energy outage.
“Two days after the OT occasion, Sandworm deployed a brand new variant of CaddyWiper within the sufferer’s IT atmosphere to trigger additional disruption and probably to take away forensic artifacts,” Mandiant mentioned.
CaddyWiper refers to a bit of data-wiping malware that first got here to mild in March 2022 in reference to the Russo-Ukrainian warfare.
“This assault represents a right away menace to Ukrainian vital infrastructure environments leveraging the MicroSCADA supervisory management system,” the corporate mentioned.
“Given Sandworm’s world menace exercise and the worldwide deployment of MicroSCADA merchandise, asset homeowners globally ought to take motion to mitigate their techniques, strategies, and procedures in opposition to IT and OT programs.”
