BSidesZagreb 2024
March 1, 2024
Josipa Marohnića 5 (SRCE)
Zagreb, Croatia
Speaker: Daniel Kapellmann Zafra
Subject: Showing Off Their SCILz: Sandworm Disrupts Power in Ukraine Using Novel Attack Against OT
In late 2023, Mandiant released an investigation into an event where Russian-sponsored actor Sandworm targeted a Ukrainian critical infrastructure organization with a layered, disruptive attack that leveraged a novel technique for impacting operational technology (OT) environments. In this attack, Sandworm used OT-level living off the land (LotL) techniques to trip the victim’s substation circuit breakers, causing an unplanned power outage. Sandworm then conducted a second disruptive event by deploying wiper malware in the IT environment.
This attack represents the latest evolution in Russia’s disruptive playbook, which has been increasingly visible since the recent invasion of Ukraine. The techniques leveraged during the incident suggest a growing maturity of Russia’s offensive OT arsenal, including an ability to recognize novel OT threat vectors, develop new capabilities, and leverage different types of OT infrastructure to execute cyber physical attacks.
During this presentation, I will describe this operation and dive deep into the specific components of the attack from the perspective of OT security. I will also discuss its implications for the tactical evolution of attacks against physical production systems during the war in Ukraine. Lastly, I will wrap up the presentation by looking at what defenders and researchers should expect from future cyber physical attacks based on our analysis of this and other OT events during the last couple of years.