Mandiant Responds to Cyber-Physical Attack on Ukrainian Critical Infrastructure by Russia-Linked Threat Actor ‘Sandworm’

In a recent incident response, Mandiant addressed a disruptive cyber-physical attack targeting a Ukrainian critical infrastructure organisation. The Russia-linked threat actor, Sandworm, executed a multi-event cyber attack employing a novel technique to impact industrial control systems (ICS) and operational technology (OT). The attack involved OT-level living off the land (LotL) techniques, causing an unplanned power outage coinciding with mass missile strikes on critical infrastructure across Ukraine.


This incident showcases the evolving capability of Russia’s cyber-physical attacks since the invasion of Ukraine. Sandworm demonstrated a growing maturity in offensive OT arsenal, recognizing novel threat vectors, developing new capabilities, and leveraging different types of OT infrastructure for attacks. The use of LotL techniques indicated a streamlined approach, potentially enabling the threat actor to develop the OT component in as little as two months.


Sandworm, previously tracked as UNC3810, is a full-spectrum threat actor supporting Russia’s Main Intelligence Directorate (GRU) since 2009. The group’s primary focus has been Ukraine, where it conducted disruptive and destructive attacks, including during the 2022 re-invasion. Beyond Ukraine, Sandworm sustains global espionage operations indicative of Russia’s military ambitions.


Despite the attacker’s deployment of a new CADDYWIPER variant in the victim’s IT environment, the attack did not impact the hypervisor or the SCADA virtual machine, suggesting potential coordination challenges within the attacker’s team. Mandiant urges OT asset owners globally to take proactive measures against this threat, providing a range of detections, hunting, and hardening guidance in the appendices of their detailed blog post.


The intrusion began in June 2022, culminating in disruptive events on October 10 and 12, 2022. Sandworm gained access to the OT environment through a hypervisor hosting a SCADA management instance. The actor potentially had access to the SCADA system for up to three months, leading to the execution of unauthorized MicroSCADA commands causing an unscheduled power outage.


This attack poses an immediate threat to Ukrainian critical infrastructure using MicroSCADA. Given Sandworm’s global threat activity, asset owners worldwide are advised to implement recommended mitigation strategies detailed in Mandiant’s analysis.


For further information and support, please contact Mandiant Consulting. Additional analysis of Sandworm threat activity is available through Mandiant Advantage Threat Intelligence.