Russian Hacker Sandworms Cause Power Outages in Ukraine Amid Missile Attacks

Nov 10, 2023NewsroomCyber ​​Warfare / Network Security

Power outages in Ukraine

The notorious Russian hackers known as Sandworm targeted an electrical substation in Ukraine last year, causing a brief blackout in October 2022.

The findings come from Google’s Mandiant, which describes the hack as a “multi-event cyber attack” that uses a novel technique for affecting industrial control systems (ICS).

“The actor first used OT-level living-off-the-land (LotL“) techniques likely to trip the victim’s substation circuit breakers, causing unplanned power outages coinciding with missile attacks on critical infrastructure across Ukraine, “the company SAYS.


“Sandworm later conducted a second disruptive event by deploying a new variant of CaddyWiper in the victim’s IT environment.”

The threat intelligence firm did not disclose the location of the targeted energy facility, the duration of the blackout, and the number of people affected by the incident.

The development marks Sandworm’s continued efforts to conduct disruptive attacks and compromise Ukraine’s power grid since at least 2015 using malware such as Industroyer.

Power outages in Ukraine

The exact initial vector used for the cyber-physical attack is currently unclear, and it is believed that the threat actor’s use of LotL techniques reduces the time and resources needed to pull it off.

The intrusion is believed to have occurred around June 2022, where Sandworm actors gained access to the operational technology (OT) environment through the hypervisor hosting supervisory control and data acquisition (SCADA) example of managing the environment of the victim’s substation.

On October 10, 2022, an optical disc (ISO) image file was used to launch malware capable of shutting down substations, resulting in an unscheduled power outage.


“Two days after the OT event, Sandworm deployed a new variant of CaddyWiper in the victim’s IT environment to cause further disruption and potentially remove forensic artifacts,” said Mandiant.

CaddyWiper refers to a piece of data-wiping malware that first appeared in March 2022 in connection with the Russo-Ukrainian war.

“This attack represents an immediate threat to Ukrainian critical infrastructure environments that use the MicroSCADA supervisory control system,” the company said.

“Due to the global activity of the Sandworm threat and the worldwide deployment of MicroSCADA products, asset owners around the world must act to mitigate their tactics, techniques, and procedures against in IT and OT systems.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment