Sandworm Cyberattackers Down Ukrainian Power Grid During Missile Strikes

Published: 23/11/2024   Category: security

A premier Russian APT used living-off-the-land techniques in a major OT hit, raising tough questions about whether or not we can defend against the attack vector.



Russia's infamous Sandworm advanced persistent threat (APT) group used living-off-the-land (LotL) techniques to precipitate a power outage in a Ukrainian city in October 2022, coinciding with a barrage of missile strikes.
Sandworm, linked to Russia's Main Center for Special Technologies, has a storied history of cyberattacks in Ukraine:
BlackEnergy-induced blackouts in 2015 and 2016, the infamous NotPetya wiper, and more recent campaigns overlapping with the Ukraine war. To some extent, the war has provided a smokescreen for its more recent, comparably sized cyberattacks.
Take one instance from October 2022, described today in a report by Mandiant. During a downpour of 84 cruise missiles and 24 drone attacks across 20 Ukrainian cities, Sandworm cashed in on two months of preparation and forced an unexpected power outage in one affected city.
Unlike with previous Sandworm grid attacks, this one wasn't notable for some piece of advanced cyber weaponry. Instead, the group took advantage of LotL binaries to undermine Ukraine's increasingly sophisticated critical infrastructure cyber defenses.
To Mandiant chief analyst John Hultquist, it sets a worrying precedent. "We're going to have to ask ourselves some tough questions about whether or not we can defend against something like this," he says.
Though the exact method of intrusion is still unknown, researchers dated Sandworm's initial breach of the Ukrainian substation to at least June 2022.
Soon after, the group was able to breach the divide between the IT and operational technology (OT) networks, and access a hypervisor hosting a supervisory control and data acquisition (SCADA) management instance (where plant operators manage their machinery and processes).
After up to three months of SCADA access, Sandworm picked its moment. Coinciding (coincidentally or otherwise) with an onslaught of kinetic warfare the same day, it used an optical disc (ISO) image file to execute a binary native to the MicroSCADA control system. The precise commands are unknown, but the group likely used an infected MicroSCADA server to send commands to the substation's remote terminal units (RTUs), instructing them to open circuit breakers and thereby cut power.
Two days after the outage, Sandworm came back for seconds, deploying a new version of its CaddyWiper wiper malware. This attack did not touch industrial systems — only the IT network — and may have been intended to wipe forensic evidence of its first attack, or simply cause further disruption.
Sandworm's BlackEnergy and NotPetya attacks were seminal events in cybersecurity, Ukrainian, and military history, affecting both how global powers view combination kinetic-cyber warfare, and how cybersecurity defenders protect industrial systems.
As a result of this heightened awareness, in the years since, similar attacks by the same group have fallen some way short of that early standard. There was, for example,
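As an added illustration of the behavioural detection such a LotL sequence calls for (this is example code, not from the article or from Mandiant's report), the script below scans constructed process-creation and volume-mount telemetry from a SCADA management host and flags two things: any process launched from, or referencing a file on, a volume that was mounted from an ISO image, and any execution of a native control-system utility by a parent other than the SCADA service. The hostnames, paths and binary names (scadacli.exe, scadasvc.exe, update.iso) are invented placeholders; the article does not name the real product files, and the rules key on behaviour rather than on any signature of the binary itself.

```python
"""Behavioural detection of living-off-the-land execution on a SCADA host.

Added example, not code from the article or the incident report. Events are a
simplified, one-JSON-object-per-line telemetry loosely modelled on Sysmon-style
process-creation ("proc") and volume-mount ("mount") records. Every hostname,
path and binary name below is a constructed placeholder.
"""
import json
from collections import defaultdict

# Native control-system utilities that should only ever be launched by the
# SCADA service itself. Placeholder names, not any real product's files.
MONITORED_NATIVE_BINARIES = {"scadacli.exe"}
EXPECTED_PARENTS = {"scadasvc.exe"}

# Constructed sample telemetry. The first three events on scada-mgmt-01 model
# the chain described in the article: an ISO is mounted, a script on it is run,
# and the native utility is invoked with a batch file from the ISO. The last
# two events are benign and must not fire.
SAMPLE_LOG = r"""
{"ts": "2022-10-10T06:58:01Z", "host": "scada-mgmt-01", "kind": "mount", "volume": "E:", "source": "C:\\Users\\oper\\Downloads\\update.iso"}
{"ts": "2022-10-10T06:58:40Z", "host": "scada-mgmt-01", "kind": "proc", "image": "C:\\Windows\\System32\\cmd.exe", "parent": "explorer.exe", "cmdline": "cmd /c E:\\run.bat"}
{"ts": "2022-10-10T06:58:42Z", "host": "scada-mgmt-01", "kind": "proc", "image": "C:\\SCADA\\bin\\scadacli.exe", "parent": "cmd.exe", "cmdline": "scadacli.exe -f E:\\batch.txt"}
{"ts": "2022-10-10T07:15:00Z", "host": "scada-mgmt-01", "kind": "proc", "image": "C:\\SCADA\\bin\\scadacli.exe", "parent": "scadasvc.exe", "cmdline": "scadacli.exe -poll"}
{"ts": "2022-10-10T07:20:00Z", "host": "eng-ws-02", "kind": "proc", "image": "C:\\Windows\\notepad.exe", "parent": "explorer.exe", "cmdline": "notepad.exe E:\\notes.txt"}
"""


def parse_events(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def iso_volumes(events):
    """Map host -> set of drive letters that were mounted from an .iso file."""
    vols = defaultdict(set)
    for ev in events:
        if ev["kind"] == "mount" and ev["source"].lower().endswith(".iso"):
            vols[ev["host"]].add(ev["volume"].upper())
    return vols


def _on_volume(path, volumes):
    """True if a Windows path starts with one of the given drive letters."""
    return path[:2].upper() in volumes


def detect(events):
    """Return (timestamp, rule, image-name) tuples for suspicious process events.

    Rule 1, exec-from-iso: the process image, or any token on its command line,
    lives on a volume this host mounted from an ISO image.
    Rule 2, native-binary-unexpected-parent: a monitored native utility was
    started by something other than the SCADA service (e.g. an interactive shell).
    Volumes are tracked per host, so an unrelated E: drive elsewhere stays quiet.
    """
    vols = iso_volumes(events)
    alerts = []
    for ev in events:
        if ev["kind"] != "proc":
            continue
        host_vols = vols.get(ev["host"], set())
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        tokens = ev["cmdline"].split()
        if _on_volume(ev["image"], host_vols) or any(_on_volume(t, host_vols) for t in tokens):
            alerts.append((ev["ts"], "exec-from-iso", name))
        if name in MONITORED_NATIVE_BINARIES and ev["parent"].lower() not in EXPECTED_PARENTS:
            alerts.append((ev["ts"], "native-binary-unexpected-parent", name))
    return alerts


def run_sample():
    """Run the detector over the constructed telemetry above."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for ts, rule, image in run_sample():
        print(f"{ts} {rule:34} {image}")
```

On the sample, the shell spawned from the mounted ISO and the native utility fed a batch file from it both trip the first rule, and the same utility started by cmd.exe rather than the SCADA service trips the second; the service's own scheduled invocation and the workstation that happens to have an unrelated E: drive produce nothing. In production the mount and process records would come from EDR or Sysmon on the hypervisor-hosted SCADA instance, and the allowlist of expected parents would be derived from a baseline of normal service activity.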
the second Industroyer attack, not long after the invasion — though the malware was equally powerful, if not more so, than that which took down Ukraine's power in 2016, the attack overall failed to cause any serious consequences.
"You can look at the history of this actor trying to leverage tools like Industroyer and ultimately failing because they were discovered," Hultquist says, while pondering whether this latest case was a turning point.
"I think that this incident demonstrates that there's another way, and, unfortunately, that other way is going to really challenge us as defenders because this is something that we're not going to necessarily be able to use signatures against and search for en masse," he says. "We're going to have to work really hard to find this stuff."
He also offers another way to look at Russian-Ukrainian cyber history: less that Russia's attacks have become tamer and more that Ukraine's defenses have become more robust.
"If Ukraine's networks were under the same pressure that they are under now, with the same defenses that were in place maybe a decade ago, this situation would have been much different," Hultquist concludes. "They're more experienced than anyone defending against cyberwar, and we have a lot to learn from them."
