Russia's Sandworm – not just missile strikes – to blame for Ukrainian power blackouts
Online attack coincided with major military action, Mandiant says
Blackouts in Ukraine last year were not just caused by missile strikes on the nation but also by a seemingly coordinated cyberattack on one of its power plants. That's according to Mandiant's threat intel team, which said Russia's Sandworm crew was behind the two-pronged power-outage and data-wiping attack.
In research due to be published today, the Google-owned security shop details a previously unreported cyberattack on a Ukrainian power plant. That facility was compromised around June last year, and a two-day attack followed four months later, which just happened to coincide with massive missile strikes on Ukraine's electrical grid. All in all, this knocked out power to about a third of the country.
Mandiant says it can't determine Sandworm's initial means of intrusion. But somehow the crew – which Western government agencies and private-sector security researchers have previously linked to Russia's GRU military intelligence unit – successfully gained access to the operational technology (OT) environment of the power station via a hypervisor hosting a supervisory control and data acquisition (SCADA) management instance for the plant's substations.
The intruders snooped around the SCADA system for up to three months and then, on October 10, Sandworm used an optical disc image named "a.iso" to execute a native MicroSCADA binary that included the commands to switch off substations, causing the unplanned power outage.
Two days later, on October 12, the Sandworm crew followed up with a data-wiping attack against the same power plant, deploying a variant of CaddyWiper to the IT environment. The wiper did not, however, affect either the hypervisor or the SCADA virtual machine.
Nathan Brubaker, Mandiant head of emerging threats and analytics, declined to comment on how many substations were affected by the OT intrusion, or how many Ukrainians lost power because of the cyber attack. "It was in Ukraine, but we ultimately aren't sharing any additional details," he told The Register.
Sandworm has used this particular data-wiping malware across multiple sectors – including government and financial institutions – throughout Russia's bloody invasion of Ukraine. Mandiant calls the software nasty the "most frequently used disruptive tool against Ukrainian entities."
The timing of this two-stage attack is interesting. The execution of the malicious code that tripped the substation circuit breakers on October 10, 2022 coincided with the start of a multi-day set of coordinated missile strikes on critical infrastructure across multiple Ukrainian cities – including the one that housed the power plant.
Russian missile strikes between October 10 and October 12, 2022 cut electricity to 1.5 million Ukrainians.
While Mandiant says it can't definitively conclude that the cyberattack on the power plant was deliberately timed to the missile attacks, the report – seen by The Register and expected to be published here – notes "the timing of the attack overlaps with Russian kinetic operations."
"Sandworm potentially developed the disruptive capability as early as three weeks prior to the OT event, suggesting the attacker may have been waiting for a specific moment to deploy the capability," it adds.
The report also calls into question the general consensus that fears about Sandworm (or other Kremlin-backed goons) shutting down power grids or other critical infrastructure systems were largely overblown.
"There has been a misconception that attacks in Ukraine have not lived up to predictions," Mandiant chief analyst John Hultquist told The Register.
"The fact is that attacks have been limited by the exceptional work of Ukrainian defenders and their partners, who have worked tirelessly to prevent a hundred scenarios just like this," he said.
"The fact that this incident is isolated is a testament to their exceptional work." ®