Attacks targeting critical infrastructure are evolving

News | 10.11.2023

In late 2022, Mandiant responded to a cyber-physical incident involving the Sandworm threat actor targeting a Ukrainian critical infrastructure organization.

The attack utilized a novel technique affecting industrial control systems (ICS) and operational technology (OT), causing an unplanned power outage during missile strikes in Ukraine.

Sandworm also deployed a new CADDYWIPER variant in the victim's IT environment, showing how its cyber-physical attack capability has evolved since Russia's invasion of Ukraine.

The attack demonstrated the maturity of Russia's offensive OT arsenal: the ability to identify a novel attack vector against a target's OT environment and to develop a working capability for it quickly.

The intrusion began in June 2022, when Sandworm gained OT access through a hypervisor that hosted a SCADA management instance. The attacker may have had access to the SCADA system for up to three months. On October 10, 2022, Sandworm mounted an ISO image on that system and used it to issue malicious control commands, causing an unscheduled power outage. Two days later, a new CADDYWIPER variant was deployed in the victim's IT environment.

Although the wiper was meant to destroy forensic artifacts, it did not touch the hypervisor or the SCADA virtual machine, which suggests a lack of coordination between the different components of the attack…

The attack highlighted Russia's investment in offensive OT cyber capabilities.

Sandworm's shift to streamlined, lightweight Living off the Land (LotL) techniques, which abuse tools already present on the target system rather than custom malware, suggests greater speed and scale of operations and makes detection harder.
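One way to look for the pattern described above in host telemetry, as an added example that is not part of the original article or of Mandiant's report: correlate the mounting of an ISO image with a script host or shell launched shortly afterwards from the drive letter that image was assigned. The JSON log format, its field names, the sample events and the list of script hosts are all constructed assumptions for this example, not artifacts from the incident.

```python
"""Correlate ISO mounts with script/shell execution from the mounted volume.

Added detection example. The log schema (event, host, image, drive, cmdline)
is an assumption made for this example; adapt the field names to your own
endpoint telemetry.
"""
import json
from datetime import datetime

# Interpreters and shells that LotL tradecraft commonly drives from a
# mounted image. Illustrative list, extend it for your environment.
SCRIPT_HOSTS = {
    "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# Constructed sample telemetry (not real data): one host mounts an ISO and,
# a minute later, runs a VBS script and a batch file from the new drive
# letter. A later cmd.exe launch from the same drive falls outside the
# default correlation window. The engineering workstation is benign noise.
SAMPLE_LOG = r"""
{"ts": "2022-10-10T08:01:12", "host": "scada-mgmt", "event": "disk_mount", "image": "C:\\Temp\\payload.iso", "drive": "E:"}
{"ts": "2022-10-10T08:02:40", "host": "scada-mgmt", "event": "process_create", "user": "SYSTEM", "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe E:\\run.vbs"}
{"ts": "2022-10-10T08:02:41", "host": "scada-mgmt", "event": "process_create", "user": "SYSTEM", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c E:\\run.bat"}
{"ts": "2022-10-10T09:30:00", "host": "eng-ws-7", "event": "process_create", "user": "alice", "image": "C:\\Program Files\\Vendor\\tool.exe", "cmdline": "tool.exe --report"}
{"ts": "2022-10-10T14:00:00", "host": "scada-mgmt", "event": "process_create", "user": "SYSTEM", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c E:\\cleanup.bat"}
"""


def parse_log(text):
    """Parse JSON-lines telemetry and return events sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_iso_lotl(log_text, window_minutes=30):
    """Return one alert per script host launched from an ISO mounted on the
    same host within window_minutes of the mount."""
    alerts = []
    last_mount = {}  # host -> (mount time, drive letter, ISO path)
    for ev in parse_log(log_text):
        if ev["event"] == "disk_mount" and ev["image"].lower().endswith(".iso"):
            last_mount[ev["host"]] = (ev["ts"], ev["drive"].upper(), ev["image"])
            continue
        if ev["event"] != "process_create":
            continue
        mount = last_mount.get(ev["host"])
        if mount is None:
            continue
        mounted_at, drive, iso_path = mount
        age_seconds = (ev["ts"] - mounted_at).total_seconds()
        if age_seconds > window_minutes * 60:
            continue  # too long after the mount to correlate
        binary = ev["image"].rsplit("\\", 1)[-1].lower()
        # Only flag known script hosts whose command line references the
        # mounted drive, e.g. "wscript.exe E:\run.vbs".
        if binary in SCRIPT_HOSTS and f"{drive}\\" in ev["cmdline"].upper():
            alerts.append({
                "host": ev["host"],
                "ts": ev["ts"].isoformat(),
                "iso": iso_path,
                "user": ev.get("user", ""),
                "cmdline": ev["cmdline"],
                "seconds_after_mount": int(age_seconds),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_iso_lotl(SAMPLE_LOG):
        print(alert)
```

The correlation window is a trade-off: a short window keeps the rule quiet on hosts where ISO images are mounted legitimately, while a long window catches an operator who mounts the image and returns to it hours later; on a SCADA management host, where ISO mounts should be rare to begin with, the mount event alone is usually worth an alert.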

The attack's timing coincided with Russian kinetic operations, suggesting strategic deployment and hybrid war footing.

Sandworm's evolving tactics show where Russia is now investing in OT attacks: a shift from the approach of the 2015-2016 Ukraine blackout events toward more focused, streamlined operations.

There is also a parallel between the 2022 Sandworm intrusion and the Volt Typhoon activity targeting U.S. critical infrastructure: Volt Typhoon likewise places great emphasis on stealth and relies almost exclusively on Living off the Land techniques to achieve its objectives.

More details are available in Mandiant's published analysis of the incident.

The evolution of cyber attacks and the growing number of attacks on OT systems threaten the functioning of critical infrastructure in a hybrid war. IT security and OT security are not the same discipline: OT environments run long-lived, safety-critical equipment that cannot simply be patched or rebooted on an IT schedule. Protecting critical infrastructure from cyber attacks is therefore a strategically important task that requires comprehensive cybersecurity solutions designed for industrial control systems (ICS) and OT.

Solutions from leading manufacturers such as Claroty, Rhebo, Siga, Waterfall, Nanolock, OPSWAT and Armis are well suited to critical infrastructure protection.

The software and hardware products of these manufacturers are used successfully around the world and have proven effective in many industries: the fuel and energy sector, water supply, mining, healthcare, engineering, food, chemical and pharmaceutical production, transport infrastructure and others.

Please contact Softprom specialists for a consultation on Claroty, Rhebo, Siga, Waterfall, Nanolock, OPSWAT and Armis products.