Russia’s infamous Sandworm advanced persistent threat (APT) group used living-off-the-land (LotL) techniques to precipitate a power outage in a Ukrainian city in October 2022, coinciding with a barrage of missile strikes.
Sandworm, linked to Russia’s Main Center for Special Technologies, has a storied history of cyberattacks in Ukraine: BlackEnergy-induced blackouts in 2015 and 2016, the infamous NotPetya wiper, and more recent campaigns overlapping with the Ukraine war. To some extent, the war has provided a smokescreen for its more recent, comparably sized cyberattacks.
Take one instance from October 2022, described today in a report by Mandiant. During a downpour of 84 cruise missiles and 24 drone attacks across 20 Ukrainian cities, Sandworm cashed in on two months of preparation and forced an unexpected power outage in one affected city.
Unlike with previous Sandworm grid attacks, this one wasn’t notable for some piece of advanced cyber weaponry. Instead, the group took advantage of LotL binaries to undermine Ukraine’s increasingly sophisticated critical infrastructure cyber defenses.
To Mandiant chief analyst John Hultquist, it sets a worrying precedent. “We’re going to have to ask ourselves some tough questions about whether or not we can defend against something like this,” he says.
Yet Another Sandworm Power Outage
Though the exact method of intrusion is still unknown, researchers dated Sandworm’s initial breach of the Ukrainian substation to at least June 2022.
Soon after, the group was able to breach the divide between the IT and operational technology (OT) networks, and access a hypervisor hosting a supervisory control and data acquisition (SCADA) management instance (where plant operators manage their machinery and processes).
After up to three months of SCADA access, Sandworm picked its moment. Coinciding (coincidentally or otherwise) with an onslaught of kinetic warfare the same day, it used an optical disc (ISO) image file to execute a binary native to the MicroSCADA control system. The precise commands are unknown, but the group likely used an infected MicroSCADA server to send commands to the substation’s remote terminal units (RTUs), instructing them to open circuit breakers and thereby cut power.
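The attack chain described above, an ISO image mounted on a SCADA-adjacent host and then used to run a binary that legitimately belongs to the control system, is the kind of LotL sequence that signature-based tooling misses, but it does leave a behavioural trail. The following is an added example (not code from the article, from Mandiant, or from any vendor) of a small correlation rule over constructed telemetry: it flags any process started from a freshly mounted ISO volume, and any control-system binary whose parent process lives on such a volume. The pipe-delimited log format, the field names, the one-hour correlation window and the `C:\SCADA_INSTALL_DIR` path are all assumptions; a real deployment would substitute the MicroSCADA install path and its own EDR or Sysmon fields.

```python
"""Toy ISO-mount / process-execution correlation (constructed example).

Event kinds in the constructed log:
  iso_mount       path = drive letter the image was mounted as
  process_create  path = image path of the new process, parent = parent image path
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Placeholder for the control-system install directory (assumption, not the
# real MicroSCADA path, which the article does not give).
SCADA_DIR = r"C:\SCADA_INSTALL_DIR"
# How long after an ISO mount we still treat executions from it as suspicious.
MOUNT_WINDOW = timedelta(hours=1)


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    path: str = ""
    parent: str = ""


def parse_line(line: str) -> Event:
    """Parse one constructed 'ts|host|kind|path|parent' record."""
    fields = (line.split("|") + ["", ""])[:5]
    ts, host, kind, path, parent = fields
    return Event(datetime.fromisoformat(ts), host, kind, path, parent)


def on_volume(path: str, drive: str) -> bool:
    """True if an image path lives on the given drive letter (case-insensitive)."""
    return path.upper().startswith(drive.upper())


def detect(lines):
    """Return (host, timestamp, rule, image_path) tuples for suspicious executions."""
    mounts = {}   # host -> list of (drive, mount_time)
    alerts = []
    for ev in map(parse_line, lines):
        if ev.kind == "iso_mount":
            mounts.setdefault(ev.host, []).append((ev.path, ev.ts))
            continue
        if ev.kind != "process_create":
            continue
        # Only ISO volumes mounted on this host within the window are relevant.
        recent = [d for d, t in mounts.get(ev.host, []) if ev.ts - t <= MOUNT_WINDOW]
        for drive in recent:
            if on_volume(ev.path, drive):
                # Anything executed straight off the mounted image.
                alerts.append((ev.host, ev.ts.isoformat(), "exec-from-iso", ev.path))
            elif on_volume(ev.parent, drive) and ev.path.upper().startswith(SCADA_DIR.upper()):
                # A legitimate control-system binary launched by something on the image:
                # the LotL pattern, where the binary itself is not malicious.
                alerts.append((ev.host, ev.ts.isoformat(), "scada-binary-from-iso-parent", ev.path))
    return alerts


# Constructed sample telemetry; hostnames, paths and times are made up.
SAMPLE_LOG = [
    "2022-10-05T12:00:00|scada-host|iso_mount|E:|",
    r"2022-10-05T12:00:05|scada-host|process_create|E:\run.bat|C:\Windows\explorer.exe",
    r"2022-10-05T12:00:07|scada-host|process_create|C:\SCADA_INSTALL_DIR\tool.exe|E:\run.bat",
    # Same control-system binary on a host with no ISO mount: normal operator activity.
    r"2022-10-05T12:05:00|other-host|process_create|C:\SCADA_INSTALL_DIR\tool.exe|C:\Windows\System32\cmd.exe",
    # Execution from the volume long after the mount: outside the window, not flagged.
    r"2022-10-06T14:00:00|scada-host|process_create|E:\late.exe|C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second rule is the one that matters for this incident: the flagged binary is the control system's own, so an allowlist or hash-based control would pass it, and only the provenance of its parent gives it away. In practice the mount event would come from the OS's virtual-disk telemetry and the window would be tuned to how long operators legitimately keep images mounted.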
Two days after the outage, Sandworm came back for seconds, deploying a new version of its CaddyWiper wiper malware. This attack did not touch industrial systems — only the IT network — and may have been intended to wipe forensic evidence of their first attack, or simply cause further disruption.
Russia vs. Ukraine Is Becoming More Even
Sandworm’s BlackEnergy and NotPetya attacks were seminal events in cybersecurity, Ukrainian, and military history, affecting both how global powers view combination kinetic-cyber warfare, and how cybersecurity defenders protect industrial systems.
As a result of this heightened awareness, similar attacks by the same group in the years since have fallen some way short of its early standard. There was, for example, the second Industroyer attack, not long after the invasion — though the malware was as powerful as, if not more powerful than, the one that took down Ukraine’s power in 2016, the attack overall failed to cause any serious consequences.
“You can look at the history of this actor trying to leverage tools like Industroyer and ultimately failing because they were discovered,” Hultquist says, while pondering whether this latest case was a turning point.
“I think that this incident demonstrates that there’s another way, and, unfortunately, that other way is going to really challenge us as defenders because this is something that we’re not going to necessarily be able to use signatures against and search for en masse,” he says. “We’re going to have to work really hard to find this stuff.”
He also offers another way to look at Russian-Ukrainian cyber history: less that Russia’s attacks have become tamer and more that Ukraine’s defenses have become more robust.
“If Ukraine’s networks were under the same pressure that they are under now, with the same defenses that were in place maybe a decade ago, this situation would have been much different,” Hultquist concludes. “They’re more experienced than anyone defending against cyberwar, and we have a lot to learn from them.”