Connect with us

Hi, what are you looking for?



Russian Hackers Used OT Attack to Disrupt Power in Ukraine Amid Mass Missile Strikes

Mandiant says Russia’s Sandworm hackers used a novel OT attack to cause power outages that coincided with mass missile strikes on critical infrastructure across Ukraine.

Use of OT Cyberattack in Russia Ukraine War

Threat hunters at Mandiant are shining the spotlight on a pair of previously undocumented operational technology (OT) attacks last October by Russia’s “Sandworm” hackers that caused an unplanned power outage and coincided with mass missile strikes on critical infrastructure across Ukraine.

The attacks, which spanned several months and culminated in two disruptive events on October 10 and 12 last year, leveraged what Mandiant is describing as a “novel technique” for impacting industrial control systems (ICS) and OT.

Mandiant said it caught Sandworm executing code within an end-of-life MicroSCADA control system and issuing commands that impacted the victim’s connected substations.  

MicroSCADA, a Hitachi Energy product, is deployed in more than 10,000 substations, managing and monitoring power across critical infrastructure such as power grids, process industries, hospitals, seaports, and data centers.

“The actor first used OT-level living off the land (LotL) techniques to likely trip the victim’s substation circuit breakers, causing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across Ukraine,” Mandiant said in a technical paper with details on the attacks.

Just two days after the OT attack, the Russian hackers conducted a second disruptive event by deploying a new variant of CADDYWIPER in the victim’s IT environment to cause additional damage and potentially to “remove forensic artifacts.”

“This attack represents the latest evolution in Russia’s cyber physical attack capability,” the company warned, noting a “growing maturity of Russia’s offensive OT arsenal that includes the ability to pinpoint novel OT threat vectors, develop new capabilities, and leverage different types of OT infrastructure to execute attacks. 

The Sandworm hacking team, caught several times carrying out espionage, influence and malware attack operations in support of Russia’s Main Intelligence Directorate (GRU), appears to have developed the OT component of the attack in as little as two months, Mandiant said.

Advertisement. Scroll to continue reading.

“This indicates that the threat actor is likely capable of quickly developing similar capabilities against other OT systems from different original equipment manufacturers (OEMs) leveraged across the world,” the company said.

It’s unclear how the hackers gained initial access to the organization’s systems. They were first seen in the target’s environment in June 2022, when they deployed a webshell on an internet-exposed system.

For the OT side of the attack, Sandworm deployed an ISO image file as a virtual CD-ROM in a hypervisor that hosted the MicroSCADA supervisory control and data acquisition (SCADA) instance for the target’s substation environment. This ISO contained files that executed ‘scilc.exe’, a legitimate MicroSCADA utility that enabled the attackers to run arbitrary commands.

While Mandiant was unable to determine exactly which commands were executed by the attackers, they likely attempted to open circuit breakers. The MicroSCADA server would have relayed the commands to substation remote terminal units (RTUs) via either the IEC-60870-5-101 protocol for serial connections or the IEC-60870-5-104 protocol for TCP/IP connections.

Mandiant believes the threat actor had access to the SCADA system for as much as three months. 

OT Cyberattack targeting Ukraine power grid
Execution chain of disruptive OT event (Image Credit: Mandiant)

The Mandiant team said the intricacies of the attack show the Russian hackers are moving quickly to streamline OT attack capabilities through simplified deployment features and cautioned that Sandworm’s use of Living off the Land binary (LotLBin) to disrupt an OT environment “shows a significant shift in techniques.”

Speaking to SecurityWeek on background, a member of the research outfit warned that so-called ‘living off the land’ in OT is a new class of attack that should worry defenders at critical infrastructure installations.

“Given Sandworm’s global threat activity and novel OT capabilities, we urge OT asset owners to take action to mitigate this threat,” Mandiant said. In its report, the security firm shared a range of detections, hunting and hardening guidance, and MITRE ATT&CK mappings.

Russia has used OT malware such as Industroyer and Industroyer2 in previous attacks targeting Ukraine’s energy sector.

Mandiant’s researchers are expected to share additional details on the destructive October attacks at the CYBERWARCON event in Washington, DC on Thursday.

Related: New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids

Related: Sandworm Hackers Hit French Monitoring Software Vendor Centreon

Related: Five Eyes: Russian Malware Targeting Ukrainian Military Android Devices

Related: Leaked Documents Detail Russia’s Cyberwarfare, OT Attack Tools

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...