Sandworm unveiled as October 2022 Ukraine infrastructure hackers

According to Google-owned US cybersecurity firm Mandiant, the Russia-linked hacking group Sandworm was behind the attacks on Ukrainian energy infrastructure that accompanied the October 2022 blackouts.

According to Mandiant’s researchers, the attack represents “the latest evolution in Russia’s cyber physical attack capability,” which they state has been made increasingly visible since the start of the war in Ukraine.

In a blog post, the researchers describe the October 2022 incident as a multi-event cyber-attack.

First, Sandworm used operational technology (OT)-level living off the land (LotL) techniques – which the non-profit Center for Internet Security (CIS) defines as “attacks involving the use of existing tools and tactics (within) targeted systems or networks” – in an attempt to trip substation circuit breakers, which caused an unplanned power outage.

The Sandworm-induced outage coincided with Russia’s mass missile strikes on critical infrastructure across war-torn Ukraine.

Two days after the OT incident, the researchers state, “Sandworm later conducted a second disruptive event by deploying a new variant of CADDYWIPER in the victim’s IT environment.

“The techniques leveraged during the incident suggest a growing maturity of Russia’s offensive OT (operational technology) arsenal, including an ability to recognise novel OT threat vectors, develop new capabilities and leverage different types of OT infrastructure to execute attacks.”

Mandiant’s researchers add that the LotL techniques reduced the time and resources Sandworm needed to conduct its cyber physical attack.

“While Mandiant was unable to determine the initial intrusion point, our analysis suggests the OT component of this attack may have been developed in as little as two months.

“This indicates that the threat actor is likely capable of quickly developing similar capabilities against other OT systems from different original equipment manufacturers (OEMs) leveraged across the world,” adds Mandiant.

According to Mandiant, Sandworm is a threat actor that has carried out espionage, influence and attack operations in support of Russia’s Main Intelligence Directorate (GRU) since 2009.

“The group’s long-standing centre focus has been Ukraine, where it has carried out a campaign of disruptive and destructive attacks over the past decade using wiper malware, including during Russia’s re-invasion in 2022.”