The notorious Sandworm APT group has continued to refine its capabilities around attacking operational technology (OT). This week, researchers at Mandiant published a research blog detailing a 2022 attack against an energy provider in Ukraine that targeted a Hitachi MicroSCADA control system. The attack was used to trip a breaker at a substation, leaving parts of Ukraine without electricity in the midst of its ongoing war with Russia.
While Sandworm's attacks against Ukrainian critical infrastructure are not new, this one had several unique wrinkles to it, according to the Mandiant report. Namely, the outage coincided with a missile attack against critical infrastructure across Ukraine; it also featured no sophisticated malware or exploits. Instead, the attackers used so-called Living-off-the-Land techniques, relying on tools already present in the environment, to move laterally on the provider's network before carrying out their mission. Sandworm did, however, deploy wiper malware in the IT environment, likely as a means of covering its tracks forensically.
In this episode of the Nexus podcast, Mandiant and Google Cloud Head of Emerging Threats and Analytics Nathan Brubaker joins to discuss his team's findings and provide more context on the growing capabilities of Sandworm and its targeting of OT.
"We are seeing the group using more lean kinds of attacks," Brubaker said, referring to the Living-off-the-Land technique. "They used native binaries, tools, and whatnot to carry out their attack. Because of the way that they're evolving their tactics, they're able to be a bit more agile, reduce the time and resources needed to achieve their goals. Obviously during a time of war, this is probably pretty critical for the group. They can't spend a year building a piece of malware and then have it be found, or that malware needs to be tailored to a specific target environment and they don't have that year lead time. It's definitely interesting from that perspective."
The concerning part of this evolution of Sandworm's TTPs is that they're likely to be able to use a similar approach against other targets, regardless of the control systems in place.
"The criticality of this kind of attack is that Sandworm could pretty easily replicate this attack in some other environment with some other technology," Brubaker explained. "It's not the technology itself, which is kind of secondary to their ability to understand the environment they're in to be able to pivot and act in a more agile way and carry out and get to the outcome they want without some sophisticated malware."
Sandworm has been linked to numerous OT-related attacks, including both Industroyer variants and the BlackEnergy malware. Wiper malware has been part and parcel of its repertoire, and has been central to a number of disruptive attacks against Ukraine's power infrastructure. Sandworm has been linked to hacks causing outages in the country prior to the war.
"With Sandworm, their capability and sophistication was never really the thing holding them back from carrying on an attack outside of Ukraine. I think it's more a question of motivation and obviously if they carried out some attack in Europe or the United States or something like that, there would be a significant blowback in a way that it would not happen in Ukraine," Brubaker said. "So I think we should keep this all in perspective. Certainly there's probably some amount of signaling going on here. But it's definitely concerning when you don't need a piece of malware to cause a power outage."
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.