Cyber defender Mandiant reported last week that Sandworm, the Russian military-backed cyber operatives, orchestrated and carried out the devastating attack on Ukraine’s power grid late last year.
But there is more to it than naming the perpetrators and its tactics. It was an attack with potential for worldwide impact, security specialist Mandiant suggested. The Ukraine strike is a hint of cyber warfare power that could reach globally, Mandiant said, while serve as an warning to owners and operators of critical infrastructure facilities worldwide.
“The techniques leveraged during the incident suggest a growing maturity of Russia’s offensive OT arsenal, including an ability to recognize novel OT threat vectors, develop new capabilities, and leverage different types of OT infrastructure to execute attacks,” Mandiant said.
Speeding Time of the Attack
By using living off the land techniques, the actor likely decreased the time and resources required to conduct its cyber physical attack to as short as two months. “This indicates that the threat actor is likely capable of quickly developing similar capabilities against other OT systems from different original equipment manufacturers (OEMs) leveraged across the world," according to Mandiant.
Such techniques are difficult for defenders to detect threats because not only do they have to watch for newly introduced files but also modifications to existing ones.
Sandworm continues its espionage operations that are “global in scope and illustrative of the Russian military's far-reaching ambitions and interests in other regions,” the Mandiant report said. Given Sandworm’s global threat activity and novel OT capabilties, we urge OT asset owners to take action to mitigate this threat.”
Mandiant Examines Energy Grid Attack
In the 2022 Ukraine energy grid instance, according to Mandiant, the attack was a “multi-event cyber attack that leveraged a novel technique for impacting industrial control systems (ICS)/ operational technology (OT).” Sandworm used native, legitimate tools to likely trip the victim’s substation circuit breakers, causing a power outage that aligned with a physical attack on energy infrastructure across Ukraine.
Sandworm later conducted a follow-on event by deploying a new variant of Caddywiper in the victim’s IT environment.
“Given Sandworm's global threat activity and the worldwide deployment of MicroSCADA products (a system that integrates remote control of power networks) asset owners globally should take action to mitigate their tactics, techniques, and procedures against IT and OT systems,” Mandiant said.
Ukraine's SBU, the country's main intelligence agency, confirmed in a statement to Reuters that Russian hackers had struck a key energy facility last year, calling it “the latest evolution in Russia's cyber physical attack capability.” It’s not known which of Ukraine’s power facilities the attackers hit.
The SBU said that the Sandworm crew was staffed by GRU officers, Reuters reported.
Indeed, the cyber assault marked one of the few successful attacks on industrial controls systems, intended to sow discord among Ukraine’s citizens deprived of energy.
Infamous Chisel Malware Targets Ukraine's Military
This past September, the Russian cyber crew is believed to have orchestrated a new malware campaign, dubbed Infamous Chisel, directed at the Ukrainian military, according to a joint report by the Five Eyes intelligence alliance.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and cyber agencies in Australia, Canada, United Kingdom and New Zealand collaborated to produce the advisory that provides technical details of the new malware variant used to target Android devices used by Ukrainian military personnel.
The campaign, which was publicly uncovered by Ukraine’s security agency earlier this month, is also believed to be the work of Sandworm, which is reportedly behind earlier attacks on Ukraine’s power grid in 2017 and the NotPetya malware operation.
Earlier last year, Microsoft warned that Sandworm could hit Ukrainian government facilities soon with a series of cyber strikes.