Russian hackers had access to Ukrainian energy system for several months before attacking

November 9, 2023

Sandworm is one of the most prominent and capable hacking groups in the Kremlin's service. We already wrote about the group in May 2023, when the same company, Mandiant, found and analyzed COSMICENERGY, malware designed to cause power outages that the researchers assessed may have been built for training exercises.

Report details

According to the researchers, the incident was not a single attack but a multi-stage operation. The hackers used a novel technique against industrial control systems (ICS) and operational technology (OT) in the power sector.

  • According to the analysis, the intrusion began with initial access to, and reconnaissance of, the victim's IT environment in or before June 2022 and culminated in two disruptive events, on October 10 and 12, 2022.
  • First, Sandworm tripped substation circuit breakers, causing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across Ukraine. The attacker used an optical disc (ISO) image to execute a native MicroSCADA binary, most likely in an attempt to issue malicious control commands that would shut down substations. In other words, the legitimate SCADA software was turned against the grid rather than custom malware being dropped onto it. Based on a September 23 timestamp, there was potentially a two-month gap between when the attacker first gained access to the SCADA system and when they developed the OT capability.
  • Two days later, the second phase was carried out by deploying a new variant of the CADDYWIPER wiper (malware designed to destroy data) in the victim's IT environment, presumably to cause further disruption and to cover the attacker's tracks. The wiper deployment was limited to the IT environment and did not affect the hypervisor or the SCADA virtual machine. This is unusual, because the attacker had removed other forensic artifacts from the SCADA system, an effort that the wiper's activity would have amplified. It may indicate a lack of coordination among the individuals or operational subgroups involved in the attack.
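The first-phase technique above, a legitimate SCADA binary driven from a script on a mounted ISO, is something a defender can hunt for in process-creation telemetry. The following is an added example written for this article; it is not code from Mandiant, ABB or the victim. It assumes Sysmon-style process-creation events, that the MicroSCADA command executor is named scilc.exe and installed under c:\sc\, that the SCADA VM has only C: as a fixed disk (so a mounted ISO shows up as another drive letter), and a hypothetical scada_svc.exe as the benign parent; the sample events are constructed, not taken from the incident.

```python
"""Hunt for a native SCADA binary being driven from a mounted ISO.

Added example for this article (not Mandiant's or the victim's code).
Assumptions, none of which come from the article: Sysmon-style process
events, the SCIL executor name scilc.exe under c:\\sc\\, C: as the only
fixed disk, and the constructed sample events at the bottom.
"""
from dataclasses import dataclass
from typing import Iterable

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCADA_EXECUTOR = "scilc.exe"      # assumed name of the native SCIL executor
SCADA_HOME = "c:\\sc\\"           # assumed MicroSCADA install root
FIXED_DRIVES = {"c:"}             # assumed: any other letter is virtual
                                  # CD-ROM (mounted ISO) or removable media


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str       # full path of the created process
    cmdline: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _tokens(cmdline: str) -> list[str]:
    # Simple whitespace split; quoted paths with spaces are out of scope here.
    return [t.strip('"').lower() for t in cmdline.split()]


def _on_fixed_drive(path: str) -> bool:
    return path[:2].lower() in FIXED_DRIVES


def _ancestor_names(ev: ProcEvent, by_pid: dict[int, ProcEvent], limit: int = 8):
    """Yield basenames of ev's ancestors, nearest first (bounded walk)."""
    cur = by_pid.get(ev.ppid)
    for _ in range(limit):
        if cur is None:
            return
        yield _basename(cur.image)
        cur = by_pid.get(cur.ppid)


def detect_ot_lotl(events: Iterable[ProcEvent]) -> list[tuple[str, int]]:
    """Return (rule, pid) for every event matching one of three hunt rules.

    1. A script host runs a .vbs/.js that is not on a fixed disk.
    2a. The SCIL executor has a script host in its ancestry, i.e. it was
        driven by wscript -> cmd -> scilc rather than by the SCADA software.
    2b. The SCIL executor is handed a script path outside SCADA_HOME.
    """
    evs = list(events)
    by_pid = {e.pid: e for e in evs}
    alerts: list[tuple[str, int]] = []
    for e in evs:
        name = _basename(e.image)
        toks = _tokens(e.cmdline)
        if name in SCRIPT_HOSTS:
            scripts = [t for t in toks[1:] if t.endswith((".vbs", ".js"))]
            if any(not _on_fixed_drive(s) for s in scripts):
                alerts.append(("script_from_mounted_media", e.pid))
        if name == SCADA_EXECUTOR:
            if any(a in SCRIPT_HOSTS for a in _ancestor_names(e, by_pid)):
                alerts.append(("scil_executor_from_script_chain", e.pid))
            paths = [t for t in toks[1:] if len(t) > 2 and t[1] == ":"]
            if any(not p.startswith(SCADA_HOME) for p in paths):
                alerts.append(("scil_script_outside_install", e.pid))
    return alerts


# Constructed sample events (not from the incident). BENIGN: the SCADA
# software itself (hypothetical scada_svc.exe) runs a SCIL script from its
# install tree. SUSPICIOUS: the chain explorer -> wscript (script on D:, a
# mounted ISO) -> cmd -> scilc with a script on that same drive.
BENIGN = [
    ProcEvent(50, 4, r"c:\sc\prog\exec\scada_svc.exe", "scada_svc.exe"),
    ProcEvent(51, 50, r"c:\sc\prog\exec\scilc.exe",
              r"scilc.exe -do c:\sc\apl\main\x.txt"),
]
SUSPICIOUS = [
    ProcEvent(100, 1, r"c:\windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"c:\windows\system32\wscript.exe",
              r'wscript.exe "D:\run.vbs"'),
    ProcEvent(201, 200, r"c:\windows\system32\cmd.exe", r"cmd.exe /c D:\run.bat"),
    ProcEvent(202, 201, r"c:\sc\prog\exec\scilc.exe",
              r"scilc.exe -do D:\cmd.txt"),
]

if __name__ == "__main__":
    for rule, pid in detect_ot_lotl(BENIGN + SUSPICIOUS):
        print(f"{rule}: pid {pid}")
```

Rule 1 fires on its own only when a mounted ISO or removable drive is in play, so it is cheap to run fleet-wide on engineering workstations and SCADA VMs; rules 2a and 2b are product-specific and would need the executor name and install root adjusted for whatever SCADA software the site actually runs. None of this covers the two-month gap between initial access and the OT action, which is where lateral-movement telemetry from the hypervisor and the IT environment matters more than process events on the SCADA host.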

Although we were unable to determine the initial access vector to the IT environment, Sandworm accessed the OT environment via a hypervisor hosting an instance of the SCADA system for the victim’s substation environment. Based on lateral movement traces, it appears that the attacker had access to the SCADA system for up to three months.
– the researchers write.

Analysis of the group's tradecraft and the code it used shows that "Russian capabilities are improving" in the field of cyber attacks. Mandiant compared the methods Sandworm used in the INDUSTROYER (2016) and INDUSTROYER.V2 (2022) attacks with this new attack and found that each contains components not seen in the previous one. This shows that Russia continues to invest in offensive cyber capabilities targeting operational technology (OT).

The group has worked for Russia's GRU (Main Intelligence Directorate) since at least 2009. For a long time its focus has been Ukraine, where over the last decade it has carried out devastating and destructive attacks using malware, including malware that encrypts victims' data. The group is believed to be behind the attacks on the Ukrainian power grid in 2015 and 2016, which caused mass power outages.

Source: 24 TV
