Mandiant: Russian hackers caused a power outage in Ukraine with 2022 cyberattack
Google LLC’s Mandiant unit today revealed that a Russian hacking group caused a power outage in Ukraine late last year.
The hacking group, which is tracked as Sandworm, is believed to be a unit of Russia’s GRU military intelligence agency. According to Mandiant, Sandworm caused the power outage by planting malicious code on the infrastructure of a Ukrainian electric utility. The cyberattack coincided with the start of a series of missile strikes that targeted critical infrastructure assets throughout Ukraine.
Mandiant didn’t specify which electric utility was affected in the breach or the scope of the power outage. However, it shared detailed technical information about how the hack unfolded.
The cyberattack began around June 2022, when Sandworm gained access to the utility’s network by breaching an internet-facing server. A month later, the hackers used the compromised machine to install a malicious networking program. That program established a connection to a command and control server, a system used by hackers to remotely carry out malicious actions.
A few weeks after establishing a foothold in the utility’s network, Sandworm gained access to a so-called SCADA application. SCADA, or supervisory control and data acquisition, programs are used by companies to manage their industrial equipment and monitor it for technical issues. The application that Sandworm breached was connected to multiple electric substations.
Last October, around three months after first gaining access to the utility’s infrastructure, the hackers used the breached SCADA application to tamper with a number of substation circuit breakers. Those circuit breakers protect the electric grid from sudden current surges. After Sandworm compromised the components, the targeted electric utility’s grid was hit by a power outage.
According to Mandiant, Sandworm used so-called living-off-the-land tactics to carry out the breach.
Typically, hackers carry out cyberattacks by installing malware on an organization’s infrastructure. Living-off-the-land campaigns, in contrast, rely on existing, legitimate programs already installed on the victim’s infrastructure. For example, a configuration tool used by administrators to manage servers could be exploited by hackers to disable those servers’ cybersecurity defenses.
Two days after the living-off-the-land cyberattack against Ukraine’s electric grid, Sandworm reportedly installed a wiper on the affected utility’s network. A wiper is a type of malware that attempts to delete data in the victim’s technology environment. According to Mandiant, Sandworm installed a piece of malware called CADDYWIPER that it had employed in a number of earlier cyberattacks.
“CADDYWIPER is a disruptive wiper written in C that is focused on making data irrecoverable and causing maximum damage within an environment,” Mandiant’s researchers detailed. “CADDYWIPER will attempt to wipe all files before proceeding to wipe any mapped drives. It will then attempt to wipe the physical drive partition itself.”
Wired reported that the cyberattack marked the third time Russian hackers had caused a power outage in Ukraine. Mandiant researchers and Ukrainian officials told the publication that there are dozens of unsuccessful hacking attempts for every breach of critical infrastructure assets. “It’s an absolute testament to the Ukrainian defenders that this incident was so isolated,” John Hultquist, chief analyst of Mandiant’s threat intelligence group, told Wired.