Mandiant, a cybersecurity company owned by Google, has revealed the details of a 2022 cyberattack run by Russian threat actor Sandworm. The threat actor compromised a Ukrainian critical infrastructure organization to manipulate its operational technology environment, resulting in a power outage that coincided with mass missile strikes. Then, Sandworm tried to cause more disruption and remove all evidence of its operation two days later by deploying and running a variant of the CADDYWIPER malware.

This cyberattack is a striking example of evolution in OT targeting during wartime. Any company that is strategic to an attacker could be targeted for the same kind of actions.

Timeline of this cybersecurity attack

It all started around June 2022, when Sandworm gained access to the IT environment of a Ukrainian critical infrastructure organization. The threat actor deployed a known webshell, Neo-reGeorg, on an internet-facing server of the victim. About a month later, the group deployed GOGETTER, a custom tunneling tool previously used by the group. The malware proxied communications between the targeted system and the attacker’s command-and-control server and was configured to persist across server reboots.

The threat group then accessed the OT environment “through a hypervisor that hosted a Supervisory Control And Data Acquisition (SCADA) management instance for the victim’s substation environment,” according to Mandiant researchers, who stated the attacker potentially had access to the SCADA system for up to three months.

On Oct. 10, 2022, the threat actor suddenly executed MicroSCADA commands on the system. It did so by leveraging an ISO file, a virtual CD-ROM image that contained two scripts and one text file; the system was configured to launch inserted CD-ROMs automatically. Those files were used to execute a native MicroSCADA binary on the system, scilc.exe (Figure A).

Figure A: Execution chain in the target’s SCADA environment. Image: Mandiant

The legitimate scilc.exe file from the MicroSCADA software suite allows the execution of commands written in Supervisory Control Implementation Language (SCIL), which are generally text-based statements. Although Mandiant researchers were unable to identify the SCIL commands executed by Sandworm, they believe the commands were probably issued to open circuit breakers in the victim’s substation environment, therefore switching off the victim’s substation.

According to Mandiant, the attack resulted in an unscheduled power outage.

Two days after this event, the threat actor installed a new variant of the CADDYWIPER malware in the target’s environment to cause further disruption and potentially remove forensic artifacts that could lead to the discovery of the operation. CADDYWIPER is wiping software that has been previously used against Ukrainian targets by Sandworm and observed in disruptive operations across multiple intrusions. In the reported attack, the wiper did not reach the hypervisor of the SCADA virtual machine that was compromised — which is unusual, according to Mandiant. The security researchers conclude that this failure to remove evidence “might result from a lack of coordination across different individuals or operational subteams involved in the attack.”


Who is Sandworm?

Sandworm is a destructive threat actor that has been attributed to Russia’s Main Intelligence Directorate of the General Staff of the Armed Forces, Military Unit 74455. The group has been active since at least 2009.

Six Unit 74455 officers associated with Sandworm were indicted in 2020 for several operations: attacks against Ukrainian electrical companies and government organizations, the targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against Georgia in 2018 and 2019.

Sandworm exposes Russia’s OT-oriented offensive cyber capabilities

Sandworm’s latest attack, together with previous Russia-originated attacks that also targeted OT, such as the Industroyer incidents, shows efforts from Russia to streamline OT attack capabilities through simplified deployment features, according to Mandiant. The researchers mentioned “a continued investment in OT-oriented offensive cyber capabilities and overall approach to attacking IT systems” (Figure B).

Figure B: Historical Russia-nexus activity impacting OT. Image: Mandiant

One significant change in Sandworm’s techniques is the use of native living-off-the-land binaries (LOLBins), which the group now uses in OT environments as much as in ordinary IT environments. This change probably reduced the resources needed for Sandworm’s attacks while making the malicious activity harder for defenders to detect.

The timing of this Sandworm attack is also intriguing. As revealed by Mandiant, the attackers potentially developed the disruptive capability three weeks prior to the OT incident but may have been waiting for a specific moment to deploy the capability. “The eventual execution of the attack coincided with the start of a multi-day set of coordinated missile strikes on critical infrastructure across several Ukrainian cities, including the city in which the victim was located,” writes Mandiant.

How to protect from this cybersecurity threat

Security admins or IT pros should follow these tips to mitigate the risk of this cybersecurity threat.

  • Harden MicroSCADA and other SCADA management hosts. These systems need to be kept up to date and patched, configured to require authentication, and restricted to only the users who need access.
  • Put network segmentation in place between the SCADA systems and the rest of the organization’s network.
  • Aggregate log files to a central server and carefully analyze them constantly to detect possible fraudulent use or alteration of the SCADA systems.
  • Monitor and analyze any file transfer related to the SCADA systems. Any suspicious change in SCADA configuration or data needs to be investigated.
  • Conduct regular security audits on SCADA systems to identify possible vulnerabilities or misconfigurations that could affect the security of the systems.
  • Do regular backups to facilitate recovery in case of a security incident or cyberattack on SCADA systems.
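As an added illustration of the log-analysis advice above (example code written for this article, not tooling from Mandiant or the victim), the following Python check flags scilc.exe launches whose parent is a script interpreter or whose execution chain references optical media, the pattern of the ISO-based chain described earlier. The record format, the allow-listed parent path and the drive letter D: are constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Hypothetical allow-list: the only parent that should launch scilc.exe on a
# hardened host. The path is a placeholder, not a real MicroSCADA location.
EXPECTED_PARENTS = {r"c:\microscada\service\scada_service.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Drive letters mapped to optical/removable media on this host (constructed).
REMOVABLE_DRIVES = {"d:"}

@dataclass
class Record:
    ts: str
    parent: str
    image: str
    cmdline: str

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(rec: Record) -> list[str]:
    """Return the reasons a record is suspicious; an empty list is a clean record."""
    if basename(rec.image) != "scilc.exe":
        return []
    reasons = []
    if rec.parent.lower() not in EXPECTED_PARENTS:
        reasons.append(f"scilc.exe launched by unexpected parent {basename(rec.parent)}")
    if basename(rec.parent) in SCRIPT_HOSTS:
        reasons.append("parent is a script interpreter")
    drives = {d.lower() for d in re.findall(r"([A-Za-z]:)\\", rec.parent + " " + rec.cmdline)}
    if drives & REMOVABLE_DRIVES:
        reasons.append("execution chain references removable/optical media")
    return reasons

def scan(log_text: str) -> list[tuple[str, list[str]]]:
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = Record(*line.split("|", 3))
        if reasons := evaluate(rec):
            findings.append((rec.ts, reasons))
    return findings

# Constructed sample records (timestamp|parent_image|image|command_line), not real telemetry.
SAMPLE_LOG = r"""
2022-10-10T09:00:00|C:\MicroSCADA\service\scada_service.exe|C:\MicroSCADA\bin\scilc.exe|scilc.exe routine.txt
2022-10-10T09:05:00|C:\Windows\System32\cmd.exe|C:\MicroSCADA\bin\scilc.exe|scilc.exe D:\commands.txt
2022-10-10T09:06:00|C:\Windows\System32\notepad.exe|C:\Windows\System32\notepad.exe|notepad.exe
"""
```

Feed `scan()` the same four-field records exported from your central log server; only the second sample record produces findings, with all three reasons.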

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
