Mandiant Says Sandworm Used Novel Techniques in Ukrainian Cyberattack
Russian military hackers in October 2022 successfully tripped the circuit breakers of a power grid substation in Ukraine in a previously undisclosed cyberattack, researchers from Mandiant said. The outage, caused by a unit of the GRU Main Intelligence Directorate popularly known as Sandworm, coincided with mass missile strikes on critical infrastructure across Ukraine.
Attackers used novel lightweight techniques that likely decreased the time and resources necessary to mount a cyber-physical attack, underlining Russia’s sustained investment in attacks against Ukrainian operational technology, the security firm said in a report published Thursday. They followed up with a wiper attack that affected the victim’s IT environment “to cause further disruption and potentially to remove forensic artifacts.”
Sandworm, also known as Seashell Blizzard and Voodoo Bear, has targeted Ukraine with cyberattacks for more than half a decade, including two earlier disruptions of the electricity grid, in 2015 and 2016. Mandiant last year characterized the hacking group as likely posing Kyiv’s “greatest threat for destructive and disruptive attacks.”
The attack was not designed for “practical, military necessity” but rather to “exacerbate the psychological toll of the war,” said John Hultquist, chief analyst at Mandiant. Outside observers have said that Russia has struggled to integrate hacking directly into conventional military operations, reorienting cyberattacks to espionage, wiper attacks against critical infrastructure and bids to generally degrade military readiness (see: Russia-Ukraine War: Cyberattacks Fail to Best Partnerships).
Ukraine anticipates the tempo of Russian critical infrastructure hacks will increase as the weather turns cold. The Kremlin has resumed firing missiles at power facilities after a lull earlier this year (see: Ukrainian Cyber Defenders Prepare for Winter). There have been 60 recent salvos against energy infrastructure, a Ukrainian official told reporters Wednesday, according to Reuters.
Mandiant said Sandworm first penetrated the substation months earlier, around June 2022. Its exact initial access vector is unknown, but it penetrated the operational technology “through a hypervisor that hosted a supervisory control and data acquisition (SCADA) management instance for the victim’s substation environment.” A time stamp on the malware used to execute the attack suggests Sandworm hackers spent two months developing the attack.
Sandworm realized the attack by deploying an ISO optical disk image that executed a MicroSCADA binary – an application for remote control in the SCADA environment. The malware used a native SCADA utility, scilc.exe. Hackers routinely use utilities embedded into Windows operating systems for malicious purposes, a technique known as “living off the land.”
This instance of “OT-level living off the land” makes malicious actions harder to detect. “We have observed Sandworm adopting LotL tactics across its wider operations to similarly increase the speed and scale,” Mandiant said.
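As an added illustration of the detection problem this “OT-level living off the land” poses (an example written for this page, not Mandiant’s or the victim’s tooling): a minimal scanner over constructed, Sysmon-style process events that flags scilc.exe when its script argument sits on a freshly mounted ISO volume, when it runs from outside the assumed MicroSCADA install root, or when an interactive shell spawned it. The install root, event field names, process names and sample paths are assumptions.

```python
"""Flag suspicious use of the native SCADA utility scilc.exe.
Sample events are constructed; field names mimic Sysmon but are assumed."""
import ntpath
import re

SCADA_ROOT = r"C:\sc"          # assumed MicroSCADA install root
LOTL_BINARY = "scilc.exe"      # legitimate SCIL utility abused as a LotL binary
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe"}

def is_under(path, root):
    """Case-insensitive check that a Windows path lies inside a directory."""
    return ntpath.normcase(path).startswith(ntpath.normcase(root) + "\\")

def paths_in(cmdline):
    """Crude extraction of drive-letter paths from a command line."""
    return re.findall(r'[A-Za-z]:\\[^\s"]+', cmdline)

def check_event(ev, iso_volumes):
    """Return a list of findings for one event; tracks ISO mounts as state."""
    findings = []
    if ev["type"] == "iso_mount":              # remember volumes backed by an ISO
        iso_volumes.add(ev["volume"].upper())
        return findings
    if ev["type"] != "process_create" or ntpath.basename(ev["image"]).lower() != LOTL_BINARY:
        return findings
    if not is_under(ev["image"], SCADA_ROOT):
        findings.append("scilc.exe copy outside SCADA install tree: " + ev["image"])
    for p in paths_in(ev["cmdline"]):          # where does the SCIL script come from?
        if p[:2].upper() in iso_volumes:
            findings.append("scilc.exe argument on ISO-mounted volume: " + p)
        elif not is_under(p, SCADA_ROOT):
            findings.append("scilc.exe argument outside SCADA install tree: " + p)
    if ntpath.basename(ev["parent"]).lower() in SHELL_PARENTS:
        findings.append("scilc.exe spawned by interactive shell: " + ev["parent"])
    return findings

def scan(events):
    """Run all events through the checks, returning (timestamp, finding) pairs."""
    iso_volumes, alerts = set(), []
    for ev in events:
        alerts.extend((ev["ts"], f) for f in check_event(ev, iso_volumes))
    return alerts

# Constructed sample stream: a benign scheduled run, then an ISO mount and an abuse.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "process_create", "image": r"C:\sc\bin\scilc.exe",
     "parent": r"C:\sc\bin\scada_supervisor.exe", "cmdline": r"scilc.exe C:\sc\apl\daily.txt"},
    {"ts": 2, "type": "iso_mount", "volume": "E:"},
    {"ts": 3, "type": "process_create", "image": r"C:\sc\bin\scilc.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r"scilc.exe E:\pack\cmds.txt"},
]
```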
At the time of initial access, Russian hackers deployed a web shell known as neo-regeorg on an internet-facing server, activity “consistent with the group’s prior activity scanning and exploiting internet facing servers for initial access.” They later deployed GoGetter, a custom TCP tunneling tool, for command and control. They obtained persistence through a systemd service, a Linux operating system mechanism that allows a program to be run under certain conditions. “In this case, it was used to execute the GoGetter binary on reboot.” With persistence achieved, they were able to access the hypervisor hosting a SCADA instance for the substation.