National security concerns rise as Russian cyber actors employ LOTL in power outages

The evolution of Russian cyber tactics

Sandworm hacker group is focused on targeting industrial control systems

The development of Russian cyber strategies, especially against industrial control systems (ICS), has followed a dynamic and complex path. Living-off-the-land (LOTL) tactics are now being used by state-sponsored hacking groups such as the infamous Sandworm threat group, associated with Russia's Main Intelligence Directorate (GRU). This represents a deliberate break from traditional approaches.

Cyberattacks on vital infrastructure have traditionally depended mostly on complex malware. The use of native binaries and built-in system tools by Russian state hackers, together with other LOTL methods, marks a paradigm change toward a more subtle and covert intrusion. This progression makes these intrusions harder to identify and attribute, while simultaneously shortening the attackers' path to the final phases of their attack.

This change highlights the need for cybersecurity professionals to constantly hone their methods in order to anticipate and counteract the ever-evolving tactics of sophisticated threat actors. The shift towards LOTL techniques is a challenge not just for immediate threat mitigation but also in the broader context of fortifying global cyber defenses against increasingly sophisticated state-sponsored cyber threats.

Sandworm's latest operation unveiled

When the Sandworm group carried out a disruptive cyberattack in Ukraine last year, Mandiant,[1] a Google company, sent analysts to investigate the incident. An October 10, 2022, power outage marked the end of the attack, which demonstrated Sandworm's skillful application of LOTL tactics. Two of the tools the hackers used were the Neo-REGEORG[2] webshell and the Golang-based GOGETTER tunneler, which proxied encrypted communications to command and control (C2) servers using the Yamux[3] open-source library.

A key component of the assault was an ISO CD-ROM image file that was placed on a MicroSCADA server and enabled the execution of scilc.exe, a utility that ships with the MicroSCADA software package. That tool gave the hackers the ability to instruct remote terminal units (RTUs) in the substations using the high-level SCIL language, which ultimately caused the power outage.

Implications and future threat landscape

The attack's use of a native binary (LoLBin) denotes a significant change in Sandworm's approach to incorporating LOTL tactics. Because the method relies on generic, lightweight tooling already present on the target, it is harder to detect. The use of a living-off-the-land binary further demonstrates Sandworm's adaptability to various environments without the need for complex malware.
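The two passages above describe the same detection problem from both sides: an ISO image is mounted on a MicroSCADA host and, soon after, the legitimate scilc.exe utility is driven to issue commands to RTUs. Because the binary itself is benign, a detection has to rely on context rather than on the file. The following is an added example and not code from the Mandiant report or from MicroSCADA; it correlates ISO mounts with subsequent process starts on SCADA management hosts and flags scilc.exe when it runs shortly after a mount or is spawned by a shell or script interpreter. The host names, the install path of scilc.exe, the 30-minute window and the log lines are all constructed assumptions.

```python
"""Correlate ISO-image mounts with later execution of the MicroSCADA SCIL
tool (scilc.exe) on SCADA management hosts, and flag the tool being driven
from a shell or script interpreter.

Added detection example, not code from the Mandiant report. Host names,
paths, the install path of scilc.exe and the 30-minute window are
assumptions; the log lines below are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed telemetry in a flat "ts host=... event=... key=value" shape.
SAMPLE_LOG = """\
2022-10-10T09:58:03Z host=scada-mgmt-01 event=mount_iso user=svc_ops path=C:\\Users\\svc_ops\\Downloads\\update.iso mount=E:
2022-10-10T10:01:12Z host=scada-mgmt-01 event=process_start user=svc_ops image=E:\\run.vbs parent=C:\\Windows\\System32\\wscript.exe
2022-10-10T10:01:40Z host=scada-mgmt-01 event=process_start user=svc_ops image=C:\\MicroSCADA\\scilc.exe parent=C:\\Windows\\System32\\cmd.exe cmdline="scilc.exe script.txt"
2022-10-10T14:30:00Z host=eng-ws-07 event=process_start user=alice image=C:\\MicroSCADA\\scilc.exe parent=C:\\Windows\\explorer.exe cmdline="scilc.exe"
2022-10-11T08:00:00Z host=scada-mgmt-01 event=process_start user=svc_ops image=C:\\MicroSCADA\\scilc.exe parent=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="scilc.exe"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SCADA_HOSTS = {"scada-mgmt-01"}   # assumed inventory of SCADA management hosts
SCIL_TOOL = "scilc.exe"           # MicroSCADA utility named in the report
WINDOW = timedelta(minutes=30)    # assumed mount-to-execution correlation window
SCRIPT_PARENTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")


@dataclass
class Event:
    ts: datetime
    host: str
    event: str
    fields: dict


@dataclass
class Alert:
    severity: str
    host: str
    ts: datetime
    reason: str


def parse_line(line: str) -> Event:
    """Split one 'ts key=value ...' line into an Event (quoted values allowed)."""
    ts_str, _, rest = line.partition(" ")
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return Event(ts, fields.pop("host"), fields.pop("event"), fields)


def detect(log_text: str) -> list:
    """Return alerts for ISO mounts and suspicious scilc.exe launches on SCADA hosts."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e.ts)
    mounts = {}   # host -> list of (mount time, drive letter of the mounted image)
    alerts = []
    for e in events:
        if e.host not in SCADA_HOSTS:
            continue   # assumption: engineering workstations are out of scope here
        if e.event == "mount_iso":
            mounts.setdefault(e.host, []).append((e.ts, e.fields.get("mount", "").upper()))
            alerts.append(Alert("low", e.host, e.ts,
                                f"ISO image mounted on SCADA host: {e.fields.get('path')}"))
            continue
        if e.event != "process_start":
            continue
        image = e.fields.get("image", "")
        parent = e.fields.get("parent", "").lower()
        # Drive letters of images mounted on this host within the window.
        recent = [drive for t, drive in mounts.get(e.host, []) if drive and e.ts - t <= WINDOW]
        if any(image.upper().startswith(drive) for drive in recent):
            alerts.append(Alert("high", e.host, e.ts,
                                f"process launched from mounted ISO: {image}"))
        elif image.lower().endswith(SCIL_TOOL):
            if recent:
                alerts.append(Alert("high", e.host, e.ts,
                                    "scilc.exe run shortly after an ISO mount on the same host"))
            elif parent.endswith(SCRIPT_PARENTS):
                alerts.append(Alert("medium", e.host, e.ts,
                                    f"scilc.exe driven from shell/script interpreter: {parent}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity:6}] {a.ts:%Y-%m-%d %H:%M:%S} {a.host}: {a.reason}")
```

On the constructed sample this yields four alerts: a low-severity note for the mount, two high-severity hits for the script started from the mounted image and for scilc.exe running minutes later on the same host, and a medium-severity hit for the next-day launch from PowerShell. The interactive run on the engineering workstation produces nothing. The useful design point is that none of the rules look at the binary itself; they key on the mount event, the time window and the parent process, which is what remains observable when the attacker only uses what is already installed.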

According to Mandiant's investigation, Sandworm is using a sophisticated and adaptable offensive operational technology (OT) arsenal. The group's capacity to identify novel OT attack vectors, build capabilities, and operate against various types of OT infrastructure poses tremendous challenges for defenders. Mandiant's head of emerging threats and analytics, Nathan Brubaker, highlights the group's ability to repeat the same attack in different environments, emphasizing that motive rather than capability limits the threat.

Cybersecurity experts must stay alert and adjust to the changing strategies used by threat actors as concerns about national security grow. The Mandiant report offers indicators of compromise, YARA rules, and recommendations for hardening SCADA management hosts. The international community needs to work together to improve cybersecurity defenses so that vital infrastructure is resilient to complex attacks like the ones the Sandworm group carries out. This cross-border cooperation is necessary to create a unified front against the constantly changing cyber threat landscape, one that is stronger than the combined strength of individual states.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
