Russian Hacking Group Sandworm Triggers Power Outage in Ukraine During Missile Strikes

Cyber Attack Causing Power Outage in Ukraine Attributed to Russian Hackers

In a significant cybersecurity breach, the notorious Russian hacking group known as Sandworm has been linked to an attack on an electrical substation in Ukraine that caused a power outage in October 2022. The finding comes from Google's cybersecurity firm Mandiant, which characterized the incident as a "multi-event cyber attack" that used novel techniques to disrupt industrial control systems.

According to Mandiant's analysis, the attackers first used operational technology (OT) living-off-the-land (LotL) techniques to trip circuit breakers at the targeted substation. The disruption coincided with extensive missile strikes on critical infrastructure throughout Ukraine, underscoring a deliberate strategy of compounding operational chaos. The attack took place in a context where cyber warfare continues to be a component of the ongoing conflict in the region.

In addition to causing downtime at the substation, Sandworm carried out a follow-up intrusion using a new variant of the CaddyWiper malware within the victim's information technology (IT) environment, amplifying the impact of its initial actions. The exact location of the compromised facility, the duration of the outage, and the number of people affected have not been disclosed, likely because of the sensitivity of the operational details.

Mandiant highlighted that the incident continues Sandworm's long-running campaign against Ukraine's critical infrastructure, echoing disruptions dating back to at least 2015, including those carried out with sophisticated malware such as Industroyer. The pattern shows a sustained intent to destabilize national utilities.

While the specific entry point of the attack remains undetermined, Mandiant suggests that the use of LotL techniques allowed the attackers to minimize the time and resources needed to carry out the operation. The breach likely began around June 2022, with Sandworm gaining access via a hypervisor that hosted the supervisory control and data acquisition (SCADA) systems associated with the substation.

The disruptive stage on October 10, 2022, involved an optical disc image file that deployed software capable of powering down substations, resulting in an unscheduled power outage. Mandiant noted that this attack coincided with a series of coordinated missile strikes against critical infrastructure across various Ukrainian cities, including areas close to the affected substation.
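The pattern described above, a disc image attached to a SCADA host followed by execution from the mounted volume, is something defenders can look for in host telemetry. The check below is an added illustration, not code from the article or from Mandiant's report; the log format and sample lines are constructed, and the 30-minute correlation window is an assumed tuning value.

```python
from datetime import datetime, timedelta

# Constructed sample host log (not a real MicroSCADA or Mandiant artifact):
# "<utc time> <host> <event> <path> <key=value ...>"
SAMPLE_LOG = """\
2022-10-10T18:02:11Z scada-01 ISO_MOUNT D: image=update.iso
2022-10-10T18:03:40Z scada-01 PROCESS_START D:\\tools\\run.exe parent=explorer.exe
2022-10-10T18:20:05Z hmi-07 ISO_MOUNT E: image=drivers.iso
2022-10-10T20:30:00Z hmi-07 PROCESS_START E:\\setup.exe parent=explorer.exe
2022-10-10T18:05:00Z eng-ws PROCESS_START D:\\setup.exe parent=cmd.exe
"""


def parse_line(line):
    """Split one constructed log line into a dict of fields."""
    ts, host, event, path, *kv = line.split()
    attrs = dict(item.split("=", 1) for item in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "event": event, "path": path, **attrs}


def detect_iso_execution(log_text, window=timedelta(minutes=30)):
    """Return (host, image, exe) for every process started from a drive
    letter on which an optical image was mounted on the same host no more
    than `window` earlier. Events are sorted so out-of-order lines are fine."""
    events = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e["ts"])
    mounts = {}   # (host, drive letter) -> most recent mount event
    alerts = []
    for e in events:
        drive = e["path"][:2].upper()
        if e["event"] == "ISO_MOUNT":
            mounts[(e["host"], drive)] = e
        elif e["event"] == "PROCESS_START":
            m = mounts.get((e["host"], drive))
            if m and e["ts"] - m["ts"] <= window:
                alerts.append((e["host"], m["image"], e["path"]))
    return alerts


if __name__ == "__main__":
    for host, image, exe in detect_iso_execution(SAMPLE_LOG):
        print(f"ALERT {host}: {exe} executed from mounted image {image}")
```

Only scada-01 fires: hmi-07's launch falls outside the window and eng-ws has no recorded mount, so a separate rule would be needed to flag execution from a removable drive with no mount event at all.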

Mandiant's report stresses the immediate threat to Ukrainian infrastructure that relies on the MicroSCADA supervisory control system, a worrying sign given Sandworm's history and global reach. Because MicroSCADA products are also deployed outside Ukraine, asset owners worldwide should implement defensive measures against the tactics and techniques this adversary has demonstrated.

In summary, the Ukraine power outage incident illustrates Sandworm's multifaceted approach, combining direct cyber actions with real-world consequences for critical infrastructure. As business owners and cybersecurity professionals analyze this event, mapping the relevant techniques to the MITRE ATT&CK framework, such as initial access, privilege escalation, and persistence, can inform preparation and response strategies that mitigate similar threats to their own operations.
