There are still people, even experts, who underestimate Russia’s elite state hackers.
Just because things have remained relatively quiet on the digital front since the start of the criminal war of aggression against Ukraine, we should not lull ourselves into a false sense of security. This is evident from a detailed report that the IT security company Mandiant, part of the Google Group, published last week (see Resources).
The sobering conclusion of the IT specialists: without the public knowing, Russia is further developing its offensive cyber capabilities and testing the effectiveness of attack instruments under real conditions.
Unit 74455, known as Sandworm, assigned to the Russian military intelligence service GRU, has successfully sabotaged Ukraine’s power grid for the third time. The attack took place in October 2022 and was long kept secret by Ukraine and its Western allies.
Now Mandiant has broken the silence.
Tech journalist Andy Greenberg (“Wired”) notes that Sandworm remains the only hacker group in the world to ever cause power outages with cyberattacks. He has been dealing with Russia’s elite hackers for years and published an exciting book about Sandworm in 2019.
Greenberg reminds us that Russian state hackers have “turned off the lights of hundreds of thousands of Ukrainian citizens” not once but twice in the past decade.
And now Sandworm has apparently earned another dubious distinction in the history of cyberwar ‘amid the all-out Russian war’:
According to Mandiant, the cyber attack coincided with the start of a series of Russian missile attacks on critical infrastructure across the country. However, there is no evidence that the Kremlin coordinated the attacks.
John Hultquist, head of threat intelligence at Mandiant, who has been tracking Sandworm for nearly a decade and named the group in 2014, says:
One thing is certain: two days after the outage, the hackers used so-called ‘wiper’ malware to delete the hard drives in the entire network of the affected energy company. This was likely a (failed) attempt to destroy evidence that would later be used to analyze their breach.
Mandiant’s detailed technical analysis of the hacker attack shows how hacking of power grids by Russian military intelligence has evolved over time. The attackers were now even more stealthy and clever than in previous attacks on the Ukrainian power supply.
The latest Mandiant report states that Russian hackers have used a new technique or tactic to attack industrial control systems (ICS).
Instead of using their own custom-made malware, they used legitimate tools available on the foreign network to move from computer to computer before ultimately executing an automated script.
Despite stricter security measures, the hackers managed, unnoticed, to gain access to the software of the facility’s industrial control system, called MicroSCADA, and disabled it at the push of a button.
Mandiant IT security researchers also explain that the cyber attack on the power supply that has now become public was significantly faster than previous attacks. For example, in 2016, the Russian hackers initially lay unnoticed in the IT systems of the Ukrainian electricity supplier for more than six months before they attacked.
But now the hackers apparently only gained access to the industrial control systems three months before the outage. And the actual attack was developed in just two months.
According to the Mandiant report, Sandworm is moving away from using highly complex, custom attack tools for efficiency reasons. Not only do such tools require enormous development efforts, they also leave telltale traces in someone else’s network – and there is a risk that they will be discovered prematurely.
Living-off-the-land (LOTL) attacks, on the other hand, do not install files or leave signatures, meaning the attacks cannot be compared or linked. This makes it harder to prevent them in the future.
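As an added illustration of the defender’s problem described above (not code from the article or from Mandiant’s report), the following constructed Python example compares a file-hash check with a behavioural baseline over hypothetical process-creation events: a legitimate tool run in an unusual context passes the hash check but is flagged by the baseline. Host names, tool names and hashes are all invented.

```python
"""Baseline-deviation detection for living-off-the-land (LOTL) activity.

Assumes process-creation telemetry of the kind an EDR or Sysmon-style sensor
emits: (host, parent image, image, image hash). Every event is constructed.
"""

# Constructed learning set: (host, parent, image, hash) combinations observed
# during a quiet period. In OT networks this set tends to be small and stable.
BASELINE_EVENTS = [
    ("hmi-01", "explorer.exe", "scada_client.exe", "h1"),
    ("hmi-01", "services.exe", "svchost.exe", "h2"),
    ("eng-ws-02", "explorer.exe", "scada_client.exe", "h1"),
    ("eng-ws-02", "explorer.exe", "cmd.exe", "h3"),
]


def build_baseline(events):
    """Return the set of known-good hashes and the set of seen contexts."""
    known_hashes = {sha for _, _, _, sha in events}
    contexts = {(host, parent, image) for host, parent, image, _ in events}
    return known_hashes, contexts


def hash_detector(event, known_hashes):
    """File-signature view: fires only when the binary itself is unknown."""
    return event[3] not in known_hashes


def behaviour_detector(event, contexts):
    """Baseline view: fires when a tool runs in an unseen host/parent context,
    even if the binary is a well-known legitimate one."""
    host, parent, image, _ = event
    return (host, parent, image) not in contexts


def triage(events, baseline):
    """Return (event, hash_hit, behaviour_hit) for each event."""
    known_hashes, contexts = baseline
    return [(e, hash_detector(e, known_hashes), behaviour_detector(e, contexts))
            for e in events]


# Constructed observations: a routine event, a dropped custom binary with an
# unknown hash, and a LOTL event (known cmd.exe launched from the SCADA client).
OBSERVED = [
    ("hmi-01", "explorer.exe", "scada_client.exe", "h1"),
    ("hmi-01", "explorer.exe", "dropper.exe", "h9"),
    ("hmi-01", "scada_client.exe", "cmd.exe", "h3"),
]

if __name__ == "__main__":
    for event, by_hash, by_behaviour in triage(OBSERVED, build_baseline(BASELINE_EVENTS)):
        print(event[2], "hash:", by_hash, "behaviour:", by_behaviour)
```

The point of the comparison is that the third event, which installs nothing and uses a binary already in the baseline, is invisible to hash matching and only becomes visible when the context in which a known tool runs is part of the detection logic.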
According to the Wired report, Ukraine’s cybersecurity agency SSSCIP declined to fully confirm the revelations, but did not deny them either.
Those responsible did not want to name the affected electricity supplier or the city. There is also no reliable information about the duration of the power outage or the number of people affected.
The Mandiant report confirms what IT security experts and intelligence officers have long warned about: the most dangerous state hacker groups like Sandworm are continuously expanding their arsenal of cyber weapons with tools to attack so-called OT systems. The abbreviation stands for ‘Operational Technology’ and means industrial IT systems that monitor or control mechanical processes.
The challenge from the defender’s perspective: OT systems can only be protected with enormous effort. Often the associated programs have been in use for decades and installing updates is neglected.
Finally, it is worth repeating what Sandworm observers have long been clear about: Russia’s elite hackers should not be underestimated in any way, even if things around them have remained relatively quiet during the war in Ukraine.
John Hultquist, Mandiant’s chief analyst:
At the same time, the experienced IT security expert emphasizes that such attacks do not arise from a direct military necessity. They are part of psychological warfare aimed specifically at the civilian population. This is of course particularly effective if a cyber attack on the power supply occurs during the winter months.
The good news from Ukraine’s perspective: Like several other technology companies from Europe and North America, Mandiant has been working closely with the Ukrainian government since the beginning of the Russian invasion in February 2022. By joining forces, they have so far managed to repel the attacks and protect the population.
Sitting back is not an option, as Mandiant security experts note in their report:
Source: Watson
I’m Ella Sammie, author specializing in the Technology sector. I have been writing for 24 Instant News since 2020, and am passionate about staying up to date with the latest developments in this ever-changing industry.