Sandworm, a Russian Threat Actor, Disrupted Power in Ukraine Via Cyberattack
Any company that is strategic could be targeted for the same kind of actions as this cyberattack. Follow these tips to mitigate your company’s risk to this cybersecurity threat.
Mandiant, a cybersecurity company owned by Google, has revealed the details of a 2022 cyberattack run by Russian threat actor Sandworm. The threat actor compromised a Ukrainian critical infrastructure organization to manipulate its operational technology environment, resulting in a power outage that coincided with mass missile strikes. Then, Sandworm tried to cause more disruption and remove all evidence of its operation two days later by deploying and running a variant of the CADDYWIPER malware.
This cyberattack is a striking example of evolution in OT targeting during wartime. Any company that is strategic to an attacker could be targeted for the same kind of actions.
It all started around June 2022, when Sandworm gained access to the IT environment of a Ukrainian critical infrastructure organization. The threat actor deployed a known webshell, Neo-reGeorg, on an internet-facing server of the victim. About a month later, the group deployed GOGETTER, a known custom tunneling software previously used by the group. The malware proxied communications between the targeted system and the attacker’s command & control server and was made persistent in case of a server reboot.
The threat group then accessed the OT environment “through a hypervisor that hosted a Supervisory Control And Data Acquisition (SCADA) management instance for the victim’s substation environment,” according to Mandiant researchers, who stated the attacker potentially had access to the SCADA system for up to three months.
On Oct. 10, 2022, the threat actor suddenly executed MicroSCADA commands on the system. The action was carried out by leveraging an ISO file, a virtual CD-ROM image that contained two scripts and one text file. The system was configured to launch inserted CD-ROMs automatically, so mounting the ISO was enough to run its contents. Those files were used to execute a native MicroSCADA binary within the system, scilc.exe (Figure A).
Figure A
The legitimate scilc.exe file from the MicroSCADA software suite allows the execution of commands written in Supervisory Control Implementation Language (SCIL), which are generally text-based statements. Although Mandiant researchers were unable to identify the SCIL commands executed by Sandworm, they believe the commands were probably issued to open circuit breakers in the victim’s substation environments, thereby switching off the victim’s substation.
According to Mandiant, the attack resulted in an unscheduled power outage.
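As an added illustration (not from the article or the Mandiant report), the following Python script shows the kind of detection logic a defender could run over process-creation telemetry to surface the chain described above: a script launched from a mounted ISO/CD-ROM drive invoking scilc.exe. The log fields, install path, drive letters, the expected-parent process name and the command-line arguments are all assumptions, and the sample events are constructed.

```python
"""Constructed example: flag process-creation events that match the execution
chain described in the article (script run from a virtual CD-ROM drive invoking
the MicroSCADA binary scilc.exe). Paths, field names, drive letters and the
expected-parent name are assumptions, not values from the Mandiant report."""
import json
import ntpath
import re

# Interpreters the ISO's scripts would plausibly run under (assumption).
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Drive letters this host maps to (virtual) CD-ROM drives (assumption).
OPTICAL_DRIVES = {"D:", "E:"}
# Placeholder name for the legitimate MicroSCADA application process (assumption).
EXPECTED_PARENTS = {"scada_app.exe"}

# Constructed sample events, loosely modelled on Sysmon process-creation fields.
# Command-line arguments are placeholders, not real scilc.exe syntax.
SAMPLE_EVENTS = [
    r'{"pid": 1001, "image": "C:\\MicroSCADA\\scilc.exe", "parent_image": "C:\\MicroSCADA\\scada_app.exe",'
    r' "command_line": "C:\\MicroSCADA\\scilc.exe C:\\MicroSCADA\\routine.txt"}',
    r'{"pid": 1002, "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\explorer.exe",'
    r' "command_line": "cmd.exe /c D:\\autorun.bat"}',
    r'{"pid": 1003, "image": "C:\\MicroSCADA\\scilc.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe",'
    r' "command_line": "C:\\MicroSCADA\\scilc.exe D:\\commands.txt"}',
]


def _base(path):
    """Lower-cased file name of a Windows path (works on non-Windows hosts too)."""
    return ntpath.basename(path).lower()


def _drives_in(cmdline):
    """Set of drive letters (e.g. 'D:') referenced anywhere in a command line."""
    return {m.upper() for m in re.findall(r"\b([A-Za-z]:)\\", cmdline)}


def analyze(event):
    """Return the names of the detection rules one event triggers, in rule order."""
    hits = []
    image, parent = _base(event["image"]), _base(event["parent_image"])
    if image == "scilc.exe" and parent not in EXPECTED_PARENTS:
        hits.append("scilc_unexpected_parent")      # SCIL runner started by something other than the SCADA app
    if image == "scilc.exe" and parent in SCRIPT_HOSTS:
        hits.append("scilc_from_script_host")       # batch/VBS/PowerShell driving the SCIL runner
    if (image in SCRIPT_HOSTS or parent in SCRIPT_HOSTS) and _drives_in(event["command_line"]) & OPTICAL_DRIVES:
        hits.append("references_optical_drive")     # script content sourced from a mounted ISO/CD-ROM
    return hits


def scan(lines):
    """Parse JSON event lines and return (pid, hits) for every event that alerts."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        hits = analyze(event)
        if hits:
            alerts.append((event["pid"], hits))
    return alerts
```

In a real deployment the allowlist of expected parents and the optical drive letters come from the site's own configuration; the benign baseline event (pid 1001) is what the rules must stay quiet on.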
Two days after this event, the threat actor installed a new variant of the CADDYWIPER malware in the target’s environment to cause further disruption and potentially remove forensic artifacts that could lead to the discovery of the operation. CADDYWIPER is wiping software that has been previously used against Ukrainian targets by Sandworm and observed in disruptive operations across multiple intrusions. In the reported attack, the wiper did not reach the hypervisor of the SCADA virtual machine that was compromised — which is unusual, according to Mandiant. The security researchers conclude that this failure to remove evidence “might result from a lack of coordination across different individuals or operational subteams involved in the attack.”
SEE: Google Cloud’s Cybersecurity Trends to Watch in 2024 (TechRepublic)
Sandworm is a destructive threat actor that has been attributed to Russia’s Main Intelligence Directorate of the General Staff of the Armed Forces, Military Unit 74455. The group has been active since at least 2009.
Six Unit 74455 officers associated with Sandworm were indicted in 2020 for several operations: attacks against Ukrainian electrical companies and government organizations; the targeting of the 2017 French presidential campaign; the 2018 Olympic Destroyer attack against the Olympic Games; the 2018 operation against the Organisation for the Prohibition of Chemical Weapons; and attacks against Georgia in 2018 and 2019.
Sandworm’s latest attack, together with previous Russian attacks that also targeted OT such as the Industroyer incidents, shows an effort by Russia to streamline its OT attack capabilities through simplified deployment features, according to Mandiant. The researchers mentioned “a continued investment in OT-oriented offensive cyber capabilities and overall approach to attacking IT systems” (Figure B).
Figure B
One significant change in the techniques used by Sandworm is the use of native Living Off The Land binaries, aka LotLBin, which the group now uses in OT environments as much as in usual IT environments. This change probably decreased the resources needed for Sandworm’s attacks while making it harder for defenders to distinguish the malicious activity from legitimate use of the same tools.
The timing of this Sandworm attack is also intriguing. As revealed by Mandiant, the attackers potentially developed the disruptive capability three weeks prior to the OT incident but may have been waiting for a specific moment to deploy the capability. “The eventual execution of the attack coincided with the start of a multi-day set of coordinated missile strikes on critical infrastructure across several Ukrainian cities, including the city in which the victim was located,” writes Mandiant.
Security admins or IT pros should follow these tips to mitigate the risk of this cybersecurity threat.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.