The infamous Russian hackers known as Sandworm targeted an electrical substation in Ukraine last year, causing a brief power outage in October 2022.
The findings come from Google’s Mandiant, which described the hack as a “multi-event cyber attack” leveraging a novel technique for impacting industrial control systems (ICS).
“The actor first used OT-level living-off-the-land (LotL) techniques to likely trip the victim’s substation circuit breakers, causing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across Ukraine,” the company said.
“Sandworm later conducted a second disruptive event by deploying a new variant of CaddyWiper in the victim’s IT environment.”
The threat intelligence firm did not reveal the location of the targeted energy facility, the duration of the blackout, or the number of people who were impacted by the incident.
The development marks Sandworm’s continued efforts to stage disruptive attacks and compromise the power grid in Ukraine since at least 2015 using malware such as Industroyer.
The exact initial vector used for the cyber-physical attack is currently unclear, and it is believed that the threat actor’s use of LotL techniques decreased the time and resources required to pull it off.
The intrusion is assumed to have occurred around June 2022, with the Sandworm actors gaining access to the operational technology (OT) environment through a hypervisor that hosted a supervisory control and data acquisition (SCADA) management instance for the victim’s substation environment.
On October 10, 2022, an optical disc (ISO) image file was used to launch malware capable of switching off substations, resulting in an unscheduled power outage.
“Two days after the OT event, Sandworm deployed a new variant of CaddyWiper in the victim’s IT environment to cause further disruption and potentially to remove forensic artifacts,” Mandiant said.
CaddyWiper refers to a piece of data-wiping malware that first came to light in March 2022 in connection with the Russo-Ukrainian war.
“This attack represents a direct threat to Ukrainian critical infrastructure environments leveraging the MicroSCADA supervisory control system,” the company said.
“Given Sandworm’s global threat activity and the worldwide deployment of MicroSCADA products, asset owners globally should take action to mitigate their tactics, techniques, and procedures against IT and OT systems.”