In October 2022, Russia’s notorious Sandworm cyber group orchestrated a power outage in a Ukrainian city using clever techniques, coinciding with a barrage of missile strikes. Sandworm, associated with Russia’s Main Center for Special Technologies, has a history of cyberattacks in Ukraine, including BlackEnergy-induced blackouts in 2015 and 2016, the infamous NotPetya wiper, and recent campaigns during the Ukraine war. The ongoing conflict has provided cover for its recent cyberattacks.
In a recent report by Mandiant, an incident from October 2022 is detailed. Amidst a downpour of 84 cruise missiles and 24 drone attacks across 20 Ukrainian cities, Sandworm leveraged two months of preparation to cause an unexpected power outage in one city. Unlike previous grid attacks, this one didn’t rely on advanced cyber weaponry but exploited living-off-the-land (LotL) techniques, undermining Ukraine’s sophisticated cyber defenses.
According to Mandiant chief analyst John Hultquist, this sets a concerning precedent, prompting questions about our ability to defend against such tactics.
The initial breach by Sandworm in June 2022 targeted a Ukrainian substation. After breaching the gap between IT and operational technology networks, the group accessed a hypervisor hosting a supervisory control and data acquisition (SCADA) management instance. SCADA is where plant operators oversee machinery and processes. After maintaining SCADA access for up to three months, Sandworm acted during a surge in kinetic warfare.
Using an optical disc (ISO) image file, Sandworm executed a binary native to the MicroSCADA control system, likely instructing infected MicroSCADA servers to command the substation’s remote terminal units (RTUs) to open circuit breakers, causing a deliberate power outage.
Two days later, Sandworm deployed a new version of its CaddyWiper malware, targeting only the IT network. This move may have aimed to erase forensic evidence of the initial attack or cause further disruption. The exact intrusion method remains unknown, leaving researchers to grapple with the complexity of defending against such sophisticated cyber tactics.