Ukraine energy facility took unique Sandworm hit on day of missile strikes, report says

Russian state-sponsored hackers launched a sophisticated attack on a Ukrainian energy facility last year, causing a temporary power outage before widespread missile strikes on critical infrastructure throughout the country, researchers said Thursday.

The attack in October 2022, attributed to the notorious Russian group Sandworm, is a rare example of a cyber incident disrupting the physical operation of a targeted facility, according to the cybersecurity firm Mandiant. The intrusion also included a previously unobserved technique for breaching industrial control systems (ICS) and operational technology (OT), the researchers said.

It’s not only the first known public case of cyberattack-driven power outage since the war began, but also the first time such an incident coincided with a missile strike, Mandiant’s head of emerging threats and analytics, Nathan Brubaker, told Recorded Future News.

Ukrainian cyber officials had warned about cyberattacks that Russia coordinated with missile strikes previously but never got into details on how these operations were conducted or what facilities they impacted.

Mandiant did not reveal the location of the targeted energy facility, the length of the blackout, and the number of affected people. Usually, companies and state officials refrain from disclosing this information for security reasons, as it provides Russia with more details about the success of the hack and could encourage further attacks.

It is also difficult to determine the impact of specific incidents during a time of war, Brubaker said. For example, this incident occurred during a mass missile strike, including in the city where the victim was located, which led to intentional emergency shutdowns in Ukraine lasting several hours.

“We are not able to disentangle all of the events to share a specific number or time of an outage associated with the cyber incident,” Brubaker said.

Sandworm’s cyber-physical attack

The Russian operation to breach the energy facility began in June 2022 and culminated in mid-October of that year — a period when Ukraine experienced constant power cuts due to Russian drone and missile strikes on the country's critical infrastructure.

Power outages happened daily, sometimes several times a day, and often left millions of Ukrainians without water, heating and the internet. Most cyberattacks targeting Ukraine's energy sector during that time were not sophisticated and didn't cause significant disruptions.

Sandworm's hack was different. It consisted of two stages, targeting the ICS/OT technology and the regular IT systems of the facility, according to Mandiant. ICS systems are used to control and manage physical processes and machinery and, in the case of power plants, are directly linked to the efficient generation of electricity.

Specifically, the attackers gained access to the OT environment through a part of the network “that hosted a supervisory control and data acquisition (SCADA) management instance for the victim’s substation environment,” the researchers said. SCADA systems involve hardware and software for directly monitoring and running equipment.

Sandworm then interfered with the circuit breakers that protected the facility’s electrical equipment, including transformers and generators, from damage caused by excessive current or faults. The intrusion led to an unplanned power outage.

Sandworm used a “living off the land” approach, where attackers exploit tools already present in a system instead of introducing external malware, Mandiant said. This approach helped them conduct cyber operations faster while making it harder for researchers to detect and respond to such attacks, the researchers said.

After causing the blackout, Sandworm proceeded to the second stage of the attack — deploying a new variant of the CaddyWiper malware, in the regular IT network, that erases user data and overwrites files on the computer, making them unrecoverable. The use of this malware was likely intended to cause further disruption and potentially remove the hackers’ traces, according to Mandiant.

The researchers couldn’t determine how the hackers initially got into the targeted system.

In a report in September, the Ukrainian cybersecurity agency said that the key problem leading to the successful penetration of the energy facility was the lack of proper isolation between OT and corporate IT networks. This means that a breach in one could potentially provide unauthorized access to the other.

“Proper network segmentation between IT and OT systems and networks is a crucial security control in these types of environments,” Brubaker said.

Attacks on Ukraine’s power grid

The attack analyzed by Mandiant represents the latest evolution in Russia’s cyber-physical attack capability, researchers said.

Sandworm, previously linked to Unit 74455 of Russia’s military intelligence service (GRU), is one of the few groups known for attacking energy facilities in Ukraine.

In early September, another Russian threat actor known as Fancy Bear, was caught attempting to attack a critical energy facility in Ukraine. However, the attack was not successful, according to Ukrainian state officials. Fancy Bear is linked with Unit 26165 of the GRU.

In 2015, a series of sophisticated and coordinated cyberattacks attributed to Sandworm disrupted energy supplies in several provinces in western Ukraine for a few hours, impacting at least 200,000 people.

In 2016, Sandworm carried out another attack that resulted in a one-hour power outage in Kyiv. The hackers used malware labeled Industroyer, which they later improved and reused during an unsuccessful attack on Ukraine’s energy provider shortly after Russia’s invasion of Ukraine last February.

Hear more: The scariest piece of malware since Stuxnet

The group’s techniques used during the October 2022 attack show a growing maturity of Russia’s operational technology-oriented offensive cyber capabilities and overall approach to attacking such systems, Mandiant said.

In this attack, the hackers used tools that were more “lightweight and generic” than those observed in prior incidents, according to the report. This likely reflects the increased tempo of wartime cyber operations and suggests that the hackers reduced the time and resources required to conduct such attacks.

There are no public reports about destructive cyberattacks carried out by Russian hackers in 2023 against Ukraine’s energy facilities. However, Ukrainian cyber officials warned during a press conference in September that as winter approaches, the risks of missile strikes and cyberattacks on critical infrastructure are getting higher.

“There's a misconception that Russian cyber actors are not trying, but in reality, the Russian threat groups are absolutely persistent at targeting Ukraine and keep coming back again, and again and again. It’s an absolute testament to the Ukrainian defenders that this cyber incident was so isolated,” Mandiant’s chief analyst, John Hultquist, told Recorded Future News.