(SecurityWeek) – Threat hunters at Mandiant are shining the spotlight on a pair of previously undocumented operational technology (OT) attacks last October by Russia’s “Sandworm” hackers that caused an unplanned power outage and coincided with mass missile strikes on critical infrastructure across Ukraine.
The attacks, which spanned several months and culminated in two disruptive events on October 10 and 12 last year, leveraged what Mandiant is describing as a “novel technique” for impacting industrial control systems (ICS) and OT.
Mandiant said it caught Sandworm executing code within an end-of-life MicroSCADA control system and issuing commands that impacted the victim’s connected substations.
MicroSCADA, a Hitachi Energy product, is deployed in more than 10,000 substations, managing and monitoring power across critical infrastructure such as power grids, process industries, hospitals, seaports, and data centers.
“The actor first used OT-level living off the land (LotL) techniques to likely trip the victim’s substation circuit breakers, causing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across Ukraine,” Mandiant said in a technical paper with details on the attacks.
Just two days after the OT attack, the Russian hackers conducted a second disruptive event by deploying a new variant of CADDYWIPER in the victim’s IT environment to cause additional damage and potentially to “remove forensic artifacts.”
“This attack represents the latest evolution in Russia’s cyber physical attack capability,” the company warned, noting a “growing maturity of Russia’s offensive OT arsenal that includes the ability to pinpoint novel OT threat vectors, develop new capabilities, and leverage different types of OT infrastructure to execute attacks.”
The Sandworm hacking team, caught several times carrying out espionage, influence and malware attack operations in support of Russia’s Main Intelligence Directorate (GRU), appears to have developed the OT component of the attack in as little as two months, Mandiant said.
“This indicates that the threat actor is likely capable of quickly developing similar capabilities against other OT systems from different original equipment manufacturers (OEMs) leveraged across the world,” the company said.
It’s unclear how the hackers gained initial access to the organization’s systems. They were first seen in the target’s environment in June 2022, when they deployed a webshell on an internet-exposed system.
For the OT side of the attack, Sandworm deployed an ISO image file as a virtual CD-ROM in a hypervisor that hosted the MicroSCADA supervisory control and data acquisition (SCADA) instance for the target’s substation environment. This ISO contained files that executed ‘scilc.exe’, a legitimate MicroSCADA utility that enabled the attackers to run arbitrary commands.
While Mandiant was unable to determine exactly which commands were executed by the attackers, they likely attempted to open circuit breakers. The MicroSCADA server would have relayed the commands to substation remote terminal units (RTUs) via either the IEC-60870-5-101 protocol for serial connections or the IEC-60870-5-104 protocol for TCP/IP connections.
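The relay path described above (SCADA server to RTU over IEC 60870-5-104) is where a passive network sensor can catch breaker commands. The decoder below is an added example, not code from Mandiant or Hitachi Energy; it assumes raw 104 APDUs captured off the wire and flags execute-phase OFF commands, the shape a breaker trip would take. The sample frame is constructed.

```python
"""Decode IEC 60870-5-104 APDUs and surface control commands sent towards RTUs.

Hypothetical detection helper (not Mandiant's or Hitachi Energy's code).
"""
import struct
from typing import Optional

START = 0x68
# Control-direction ASDU type IDs that actuate equipment (IEC 60870-5-101/104).
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    58: "C_SC_TA_1 single command, time-tagged",
    59: "C_DC_TA_1 double command, time-tagged",
}

def parse_apdu(frame: bytes) -> Optional[dict]:
    """Return the decoded I-format ASDU, or None for S/U frames and malformed input."""
    if len(frame) < 6 or frame[0] != START or frame[1] != len(frame) - 2:
        return None
    if frame[2] & 0x01:           # S-format (..01) or U-format (..11) carry no ASDU
        return None
    asdu = frame[6:]
    if len(asdu) < 10:            # type, VSQ, COT(2), CA(2), IOA(3), >=1 element byte
        return None
    type_id, vsq, cot, _orig, ca = struct.unpack("<BBBBH", asdu[:6])
    ioa = int.from_bytes(asdu[6:9], "little")
    return {"type_id": type_id, "count": vsq & 0x7F, "cot": cot & 0x3F,
            "common_addr": ca, "ioa": ioa, "element": asdu[9:]}

def classify_command(asdu: Optional[dict]) -> Optional[dict]:
    """Describe a control command (state, select/execute), or None if not a command."""
    if asdu is None or asdu["type_id"] not in CONTROL_TYPES:
        return None
    qoc = asdu["element"][0]      # SCO or DCO qualifier byte
    if asdu["type_id"] in (45, 58):
        state = "ON" if qoc & 0x01 else "OFF"            # SCS bit
    else:
        state = {1: "OFF", 2: "ON"}.get(qoc & 0x03, "INVALID")  # DCS bits
    return {"kind": CONTROL_TYPES[asdu["type_id"]], "common_addr": asdu["common_addr"],
            "ioa": asdu["ioa"], "state": state,
            "phase": "select" if qoc & 0x80 else "execute",
            "activation": asdu["cot"] == 6}

def find_trip_commands(frames) -> list:
    """Alert-worthy frames: executed OFF commands, i.e. what opening a breaker looks like."""
    cmds = (classify_command(parse_apdu(f)) for f in frames)
    return [c for c in cmds if c and c["state"] == "OFF" and c["phase"] == "execute"]

# Constructed sample: double command, CA 1, IOA 10000, DCS=OFF, execute, COT=activation.
SAMPLE_TRIP = bytes.fromhex("680e000000002e010600010010270005")
```

Alerting on every such command is noisy on a busy control network; in practice the list is matched against maintenance windows and the expected controlling station before it pages anyone.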
Mandiant believes the threat actor had access to the SCADA system for as much as three months.
The Mandiant team said the intricacies of the attack show the Russian hackers are moving quickly to streamline OT attack capabilities through simplified deployment features and cautioned that Sandworm’s use of a Living off the Land binary (LotLBin) to disrupt an OT environment “shows a significant shift in techniques.”
Speaking to SecurityWeek on background, a member of the research outfit warned that so-called ‘living off the land’ in OT is a new class of attack that should worry defenders at critical infrastructure installations.
“Given Sandworm’s global threat activity and novel OT capabilities, we urge OT asset owners to take action to mitigate this threat,” Mandiant said. In its report, the security firm shared a range of detections, hunting and hardening guidance, and MITRE ATT&CK mappings.
Russia’s Sandworm hackers disrupted power in Ukraine using a novel attack against operational technology (OT) coordinated with missile strikes.