November 9, 2023 at 04:15AM
In October 2022, Russia's "Sandworm" hackers carried out a previously undocumented multi-event attack on operational technology (OT) in Ukraine, causing a power outage that coincided with mass missile strikes on critical infrastructure, according to cybersecurity firm Mandiant. The attack targeted a control system called MicroSCADA and used a "novel technique" to affect industrial control systems. Mandiant warns that Russia's offensive OT capabilities are maturing and advises OT asset owners to take action to mitigate the threat.
Key Takeaways from the Meeting Notes:
1. The Sandworm hacking team, associated with Russia's Main Intelligence Directorate (GRU), executed a previously undocumented operational technology (OT) attack in Ukraine in October 2022. The attack caused an unplanned power outage and coincided with mass missile strikes on critical infrastructure.
2. The attack leveraged a "novel technique" against industrial control systems (ICS) and OT. Sandworm targeted an end-of-life version of the MicroSCADA control system, a product deployed in over 10,000 substations across various critical infrastructure sectors.
3. Sandworm used living off the land (LotL) techniques to trip the victim’s substation circuit breakers, causing the power outage. The attack also involved deploying a new variant of CADDYWIPER in the victim’s IT environment to cause additional damage.
4. The attack demonstrates the growing maturity of Russia's offensive OT capabilities. Mandiant assesses that the OT component was developed in roughly two months and that Sandworm could build similar capabilities against OT systems from other original equipment manufacturers (OEMs) deployed worldwide.
5. It remains unclear how the hackers initially gained access to the organization's systems. Their presence was first detected in June 2022, when they deployed a webshell on an internet-exposed system.
6. Sandworm mounted an ISO image file as a virtual CD-ROM on the hypervisor that hosted the MicroSCADA supervisory control and data acquisition (SCADA) instance. The ISO contained files that allowed the attackers to run arbitrary commands on the SCADA server.
7. Mandiant assesses that the commands were likely intended to open circuit breakers; the MicroSCADA server relayed them to substation remote terminal units (RTUs) over the IEC 60870-5-101 or IEC 60870-5-104 protocols.
8. Mandiant believes the threat actor had access to the SCADA system for up to three months, indicating a prolonged presence within the target’s environment.
9. Sandworm's use of a living-off-the-land binary (LotLBin) to disrupt an OT environment marks a significant shift in its techniques and highlights the need for stronger defensive measures at critical infrastructure installations.
10. Mandiant recommends that OT asset owners take action to mitigate this threat. Its report provides detection, hunting, and hardening guidance, as well as MITRE ATT&CK mappings.
11. Russia has previously used OT malware like Industroyer and Industroyer2 in attacks targeting Ukraine’s energy sector.
12. Additional details on the October attacks will be shared by Mandiant researchers at the CYBERWARCON event in Washington, DC.
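As an added example, not code from Mandiant's report or from this article, the following hunt runs over constructed process-creation events and flags the chain the takeaways describe: a script launched from a mounted ISO that reaches the native MicroSCADA command-line binary, which is then what the SCADA server turns into commands for the RTUs. The binary name scilc.exe, the allow-listed parent process, the drive letters treated as virtual CD-ROMs, the event field layout and the sample events are all assumptions made here.

```python
"""Hunt for living-off-the-land activity on a MicroSCADA host.

Constructed example. Events loosely follow Sysmon Event ID 1 fields; all
indicators below (scilc.exe, the expected parent, the CD-ROM drive letters)
are assumptions, not indicators published with the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Assumed: drive letters backed by a virtual CD-ROM (mounted ISO) on this host.
CDROM_VOLUMES = {"D:", "E:"}
# Assumed: the native MicroSCADA command-line tool and its only legitimate parent.
SCIL_BINARY = "scilc.exe"
EXPECTED_SCIL_PARENTS = {"scada_service.exe"}  # hypothetical service name
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}

_VOLUME_REF = re.compile(r"(?<![A-Za-z0-9])([A-Za-z]:)\\")


@dataclass
class ProcEvent:
    pid: int
    image: str         # full path of the new process
    parent_pid: int
    parent_image: str  # full path of the parent process
    command_line: str


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _image_volume(path: str) -> str:
    m = re.match(r"^([A-Za-z]:)", path)
    return m.group(1).upper() if m else ""


def _cmdline_volumes(cmd: str) -> set[str]:
    # Drive letters referenced as paths on the command line, e.g. "D:\run.bat".
    return {v.upper() for v in _VOLUME_REF.findall(cmd)}


def _touches_iso(ev: ProcEvent, cdrom: set[str]) -> bool:
    return _image_volume(ev.image) in cdrom or bool(_cmdline_volumes(ev.command_line) & cdrom)


def _lineage(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> Iterable[ProcEvent]:
    # Walk parent links until the root or a pid we have no event for.
    seen = set()
    cur = by_pid.get(ev.parent_pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.parent_pid)


def hunt(events: list[ProcEvent], cdrom: set[str] = CDROM_VOLUMES) -> list[Finding]:
    by_pid = {ev.pid: ev for ev in events}
    findings: list[Finding] = []
    for ev in events:
        name = _basename(ev.image)
        parent = _basename(ev.parent_image)
        # Rule 1: any binary executing from a virtual CD-ROM is unusual on a SCADA host.
        if _image_volume(ev.image) in cdrom:
            findings.append(Finding(ev.pid, "exec_from_iso", f"{name} from {_image_volume(ev.image)}"))
        # Rule 2: a script host running a script that lives on the mounted ISO.
        if name in SCRIPT_HOSTS and _cmdline_volumes(ev.command_line) & cdrom:
            findings.append(Finding(ev.pid, "script_from_iso", ev.command_line))
        # Rule 3: the SCIL tool invoked by anything other than the SCADA service.
        if name == SCIL_BINARY and parent not in EXPECTED_SCIL_PARENTS:
            findings.append(Finding(ev.pid, "scilc_unexpected_parent", f"parent={parent}"))
        # Rule 4: the SCIL tool whose ancestry leads back to the ISO at all.
        if name == SCIL_BINARY and any(_touches_iso(a, cdrom) for a in _lineage(ev, by_pid)):
            findings.append(Finding(ev.pid, "scilc_iso_lineage", "ancestor touched mounted ISO"))
    return findings


# Constructed sample events: a legitimate SCIL invocation (pid 300) next to a
# script-driven chain from a mounted ISO (pids 200 -> 201 -> 202) and a loose
# binary run from the ISO (pid 400).
SAMPLE_EVENTS = [
    ProcEvent(100, r"C:\sc\prog\exec\scada_service.exe", 1, r"C:\Windows\System32\services.exe", "scada_service.exe"),
    ProcEvent(200, r"C:\Windows\System32\wscript.exe", 50, r"C:\Windows\explorer.exe", r"wscript.exe D:\script.vbs"),
    ProcEvent(201, r"C:\Windows\System32\cmd.exe", 200, r"C:\Windows\System32\wscript.exe", r"cmd.exe /c D:\run.bat"),
    ProcEvent(202, r"C:\sc\prog\exec\scilc.exe", 201, r"C:\Windows\System32\cmd.exe", r"scilc.exe -do D:\cmds.txt"),
    ProcEvent(300, r"C:\sc\prog\exec\scilc.exe", 100, r"C:\sc\prog\exec\scada_service.exe", r"scilc.exe -do C:\sc\apl\job.txt"),
    ProcEvent(400, r"D:\tool.exe", 50, r"C:\Windows\explorer.exe", r"D:\tool.exe"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid={f.pid:<4} {f.rule:<24} {f.detail}")
```

Rule 3 alone is enough to catch the chain in the sample, but Rule 4 is the one that still fires if an attacker launches the tool through a parent that happens to be on the allow list; tune the allow list and the CD-ROM set to the host's real baseline before deploying either.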