Security analysts have discovered that Russian state hackers have adopted a new method known as “LOTL” (living-off-the-land) to infiltrate industrial control systems (ICS) and cause power outages. Unlike previous attacks that relied on sophisticated malware, LOTL techniques enable hackers to reach the final stage of an attack more quickly and with minimal resources. This change in approach makes it harder to detect and defend against these types of cyberattacks.

The Sandworm threat group, believed to be linked to Russia’s General Staff Main Intelligence Directorate, has recently employed this LOTL technique in a disruptive cyberattack targeting a critical infrastructure organization in Ukraine. The attack, which resulted in a power outage and coordinated missile strikes on critical facilities, took less than four months to execute.

Researchers from Google-owned Mandiant, who responded to the attack, revealed that Sandworm gained access to the operational technology (OT) environment through a hypervisor hosting a MicroSCADA server. The hackers used a variety of methods, including deploying the Neo-REGEORG webshell and the Golang-based GOGETTER tunneler, to gain control over the system.

During the attack, Sandworm executed the native MicroSCADA utility, scilc.exe, using an ISO CD-ROM image file. By exploiting the autorun feature of the virtual machine, the hackers were able to remotely control and send malicious commands to the substation’s remote terminal units (RTUs). This attack showcased Sandworm’s use of a native binary (LoLBin) as part of their LOTL technique, which relies on lightweight and generic tools to evade detection.
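As an added, defender-side illustration (not code from Mandiant's report or from this article): a small Python heuristic that inspects process-creation events for scilc.exe and flags launches whose parent is a script host, or whose parent image or command line points at CD-ROM/removable media, which is the footprint an autorun-from-ISO launch of the utility would leave. The drive inventory, file paths, host names, script-host list and Sysmon-style records below are constructed assumptions, not incident data.

```python
import ntpath
import re

# Constructed drive inventory for the SCADA VM (assumption: gathered from the host,
# e.g. Get-Volume); CD-ROM/removable letters are where a mounted ISO would appear.
DRIVE_TYPES = {"C:": "Fixed", "D:": "CD-ROM", "E:": "Removable"}
MEDIA_TYPES = {"CD-ROM", "Removable"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}  # assumption

def drive_letter(path):
    m = re.match(r"^([A-Za-z]:)", path.strip('"'))
    return m.group(1).upper() if m else None

def referenced_paths(cmdline):
    """Pull every drive-letter path (quoted or bare) out of a command line."""
    return re.findall(r'"?([A-Za-z]:\\[^"\s]+)', cmdline)

def assess(event, drive_types=DRIVE_TYPES):
    """Reasons a process-creation event for scilc.exe looks like LOTL abuse ([] = none)."""
    if ntpath.basename(event["image"]).lower() != "scilc.exe":
        return []
    reasons = []
    parent = ntpath.basename(event["parent_image"]).lower()
    pdrive = drive_letter(event["parent_image"])
    if drive_types.get(pdrive) in MEDIA_TYPES:
        reasons.append(f"parent {parent} runs from {drive_types[pdrive]} media {pdrive}")
    if parent in SCRIPT_HOSTS:
        reasons.append(f"launched by script host {parent}")
    for p in referenced_paths(event["cmdline"]):
        d = drive_letter(p)
        if drive_types.get(d) in MEDIA_TYPES:
            reasons.append(f"command line references {p} on {drive_types[d]} media")
    return reasons

def triage(events, drive_types=DRIVE_TYPES):
    """(host, reasons) for each event that assess() flags."""
    hits = [(e["host"], assess(e, drive_types)) for e in events]
    return [(h, r) for h, r in hits if r]

# Constructed Sysmon-Event-ID-1-style records; paths and hosts are invented, not from
# the incident. The second record models a script driving scilc.exe from mounted media.
EVENTS = [
    {"host": "scada-vm01", "image": r"C:\MicroSCADA\bin\scilc.exe",
     "parent_image": r"C:\MicroSCADA\bin\operator_console.exe",
     "cmdline": r'"C:\MicroSCADA\bin\scilc.exe" "C:\MicroSCADA\jobs\daily.txt"'},
    {"host": "scada-vm02", "image": r"C:\MicroSCADA\bin\scilc.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\MicroSCADA\bin\scilc.exe" "D:\batch.txt"'},
]
```

Calling `triage(EVENTS)` returns only the scada-vm02 record with two reasons; in practice the drive map would be refreshed per host and the parent-process allowlist tuned to the site's legitimate scilc.exe schedulers so that routine operator jobs do not alert.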

In addition to the power outage, Sandworm also deployed the CADDYWIPER data-destroying malware to further disrupt the environment and remove traces of the attack. Interestingly, this deployment was limited to the victim’s IT environment and did not impact the hypervisor or the SCADA virtual machine.

Mandiant’s report highlights the growing sophistication of Russia’s offensive arsenal in the OT domain. By combining LOTL techniques with their expanding knowledge of OT systems, Sandworm is now capable of launching attacks against a wide range of vendors’ systems. The researchers note that Sandworm’s choice of using a LoL binary instead of custom malware indicates their agility and adaptability in attacking different environments.

According to Nathan Brubaker, head of emerging threats and analytics at Mandiant, Sandworm’s capability to carry out attacks is not limited to Ukraine but driven by their motivation to target any vulnerable environment. The use of a LoL binary demonstrates that Sandworm can replicate similar attacks in other regions with different industrial technologies.

To help defend against these types of attacks, Mandiant’s report includes indicators of compromise, YARA rules, and guidance on how to strengthen the security of SCADA management hosts. Implementing these recommendations can assist in detecting Sandworm’s activities in ICS environments and mitigating the threat.

FAQ:

Q: What is the LOTL technique?

A: The LOTL (living-off-the-land) technique is a method used by hackers to infiltrate systems without relying on sophisticated malware. It involves using lightweight and generic tools to quickly reach the final stage of an attack with minimal resources.

Q: What is a native binary (LoLBin)?

A: A native binary, or LoLBin, is a legitimate executable file that hackers utilize in cyberattacks. By using native binaries instead of custom malware, attackers can evade detection and take advantage of the existing tools and processes within a system.

Q: Who is Sandworm?

A: Sandworm is a threat group believed to be associated with Russia’s General Staff Main Intelligence Directorate (GRU). Since at least 2009, Sandworm has targeted industrial control systems (ICS) and engaged in espionage and destructive cyberattacks.

Q: How can organizations defend against these attacks?

A: Organizations can implement security measures such as following the recommendations provided by Mandiant, including indicators of compromise, YARA rules, and hardening SCADA management hosts. Regular security audits, employee training, and vigilant monitoring can also help detect and mitigate cyber threats.