November 9, 2023 at 03:07AM
Russian state-linked cyberattack group Sandworm was responsible for the coordinated cyberattack and power outage in Ukraine in October 2022, according to Mandiant's threat intelligence team. The attack targeted a power facility, reaching its operational technology (OT) environment through a hypervisor that hosted a supervisory control and data acquisition (SCADA) management instance. Rather than deploying custom OT malware, Sandworm executed a native MicroSCADA binary to issue commands that switched off substations, then followed up two days later with a data-wiping attack against the victim's IT environment using a new variant of CaddyWiper. The outage coincided with Russian missile strikes on Ukraine's critical infrastructure. Mandiant commended Ukrainian defenders for their exceptional work in limiting the impact of the attack.
Key takeaways from the report:
– In October 2022, Ukraine suffered blackouts caused both by missile strikes and by a coordinated cyberattack on a power facility.
– The cyberattack was conducted by Russia's Sandworm group, which has been attributed to Russia's GRU military intelligence agency (Unit 74455).
– Sandworm gained access to the facility's operational technology (OT) environment via a hypervisor hosting a supervisory control and data acquisition (SCADA) management instance.
– The attackers may have had access to the SCADA system for up to three months before acting; when they did, they used a native MicroSCADA binary, not custom malware, to run commands that switched off substations.
– Two days later, the same victim was hit with a data-wiping attack against its IT environment using a new variant of CaddyWiper.
– The cyberattack coincided with missile strikes on critical infrastructure in multiple Ukrainian cities.
– Mandiant could not conclude definitively that the cyberattack was deliberately timed, but it overlapped with Russian kinetic operations.
– The report emphasizes the exceptional work of Ukrainian defenders and their partners in mitigating the impact of such attacks.
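The operationally useful lesson from the report is that the disruptive step abused a legitimate, vendor-supplied binary, so signature-based OT defences had nothing to match on; what stands out is the context of the execution. The script below is an added detection example, written for this page and not taken from Mandiant's report or the original article. It runs a hunt over constructed process-creation events (Sysmon event 1 style fields, not real logs) and flags runs of the MicroSCADA SCIL command executor that come from a script host such as cmd.exe or that load a command file from outside the install tree. Mandiant's report names the native binary as scilc.exe; the install root C:\sc, the `-do <script>` argument syntax, the parent-process baseline and every path in the sample data are assumptions standing in for a site's own baseline.

```python
"""Hunt process-creation telemetry for anomalous runs of MicroSCADA's SCIL command executor.

Added example, not from Mandiant's report or the original article. Mandiant names the
native binary scilc.exe; the install root, the '-do <script>' syntax and the list of
script hosts treated as untrusted parents are assumptions standing in for a site baseline.
"""
from __future__ import annotations

import json
from pathlib import PureWindowsPath

SCIL_EXECUTOR = "scilc.exe"                 # native SCIL command runner named in Mandiant's report
TRUSTED_ROOT = PureWindowsPath(r"C:\sc")    # assumption: MicroSCADA install root at this site
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}  # assumption: operators never launch it from these


def scil_script(cmdline: str) -> str | None:
    """Return the SCIL command file passed via '-do', if any (argument syntax assumed)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "-do":
            return tokens[i + 1].strip('"')
    return None


def assess(event: dict) -> list[str]:
    """Reasons an event is suspicious; an empty list means nothing to flag."""
    reasons: list[str] = []
    if PureWindowsPath(event["Image"]).name.lower() != SCIL_EXECUTOR:
        return reasons                      # only the SCIL executor is of interest here
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    if parent in SCRIPT_HOSTS:
        reasons.append(f"launched by script host {parent}")
    script = scil_script(event["CommandLine"])
    if script is not None:
        path = PureWindowsPath(script)
        if not path.is_absolute():          # resolve relative script paths against the working directory
            path = PureWindowsPath(event["CurrentDirectory"]) / path
        if TRUSTED_ROOT not in path.parents:
            reasons.append(f"SCIL script outside {TRUSTED_ROOT}: {path}")
    return reasons


def hunt(lines) -> list[tuple[str, list[str]]]:
    """Run assess() over JSON-per-line events and return (UtcTime, reasons) for each hit."""
    hits: list[tuple[str, list[str]]] = []
    for line in lines:
        event = json.loads(line)
        reasons = assess(event)
        if reasons:
            hits.append((event["UtcTime"], reasons))
    return hits


# Constructed sample telemetry (Sysmon event 1 style fields); not real logs.
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {   # routine operator action: executor launched by the (assumed) operator UI, script inside install tree
        "UtcTime": "2022-10-10 08:15:02", "Image": r"C:\sc\prog\exec\scilc.exe",
        "ParentImage": r"C:\sc\prog\exec\operator_ui.exe",
        "CommandLine": r"scilc.exe -do C:\sc\pack\scil\daily_check.txt",
        "CurrentDirectory": r"C:\sc\prog\exec",
    },
    {   # batch file on a mounted image driving the executor with a foreign command file
        "UtcTime": "2022-10-10 21:02:44", "Image": r"C:\sc\prog\exec\scilc.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"scilc.exe -do pack\scil\s1.txt",
        "CurrentDirectory": "D:\\",
    },
    {   # unrelated process, ignored by the hunt
        "UtcTime": "2022-10-10 21:03:10", "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe",
        "CurrentDirectory": r"C:\Users\op",
    },
)]

if __name__ == "__main__":
    for when, why in hunt(SAMPLE_EVENTS):
        print(when, "->", "; ".join(why))
```

Two design points carry over to a real deployment: the baseline (install root, expected parent processes) has to come from the site, since MicroSCADA layouts differ, and the rule should run on telemetry shipped off the SCADA host before any wiper gets to it, which is exactly the order of events the report describes.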