Dragos reveals Electrum October attack on Ukrainian electric entity using custom tools, CaddyWiper malware

Industrial cybersecurity company Dragos has linked Mandiant’s recent disclosure of a cyber-physical incident to the Russia-linked threat actor Sandworm. The incident targeted a critical infrastructure organization in Ukraine. Dragos associates this activity with the Electrum threat group, which has technical overlaps with the Sandworm APT (advanced persistent threat). 

Electrum has previously been responsible for multiple cyber attacks on Ukrainian electric utilities, including a 2016 power outage that affected 250,000 homes. The newly disclosed attack shares similarities with previous attacks.

“In June of 2022, Electrum gained access to a hypervisor running an end-of-life (EOL) version of MicroSCADA software in the electric substation’s OT environment. Electrum then attempted to execute a set of custom living off the land (LOTL) scripts to impact the availability and control of the substation,” Dragos disclosed in a blog post this week. “Electrum also utilized a new version of CaddyWiper to remove their operational footprint from the electric substation’s compromised IT systems. These actions by Electrum satisfy Stage 1 and Stage 2 of the ICS Cyber Kill Chain.”

At that same time in October, Russia attacked Ukraine with massive missile strikes targeting key energy infrastructure, damaging 30 percent of the energy infrastructure in Ukraine with power supply interruptions in many locations.

Currently, Dragos is unsure of exactly what Electrum’s dormancy suggests other than potential system reconnaissance and collections activities. “Dragos cannot confirm whether this attack was successful in interrupting the substation and thus impacting power in Ukraine. The initial compromise vector for the June-October events has not been identified,” it added.

The State Service of Special Communications and Information Protection of Ukraine (SSSCIP) reported that Ukraine’s Computer Emergency Response Team (CERT-UA) recorded 2,100 cyber incidents in 2022. While only a subset of incidents is associated with Electrum, the energy sector was a particular focus in the region and Electrum has been responsible for several major attacks on the electric sector going back to 2015.

In April 2022, the security firm ESET identified multiple malware capabilities at a Ukrainian utility provider. During that incident, Electrum remained dormant on the electric entity’s network for at least one month before the attack occurred. This is a consistent pattern for Electrum: gain access to a network, remain dormant, potentially collect system details, and then build custom scripts and tools before executing a destructive cyber attack. That attack used a new version of CaddyWiper, other custom wipers, and Industroyer2 (a scaled-back version of CRASHOVERRIDE). It marked the third time Electrum had attacked a Ukrainian utility provider.

Given Electrum’s destructive history, its likely objective was to execute those commands against the MicroSCADA software to impact the availability and control of the electric substation. It is noteworthy that MicroSCADA software, designed for legitimate purposes in operational technology environments, was leveraged during this incident. While the effect of this use remains unclear, the tactic is significant and should be used to update and inform threat models for future cyber attacks.

MicroSCADA has been deployed in more than 10,000 substations and monitors the electric supply for more than 10 percent of the world’s population. In addition, the compromised version of MicroSCADA was considered end-of-life (EOL), which means that it was software that the manufacturer or vendor no longer supported. 

Similarly, creating the Pipedream ICS-specific malware involved implementing and using known industrial protocols OPC-UA and Modbus. This reinforces the importance of considering the role of native software and capabilities in OT-focused cyber attacks.

Among the critical controls is ensuring OT network monitoring. In addition to scanning for known indicators of compromise (IOCs), Dragos also recommends monitoring in the form of proactive threat hunting to identify potentially malicious tactics, techniques, and procedures (TTPs) in the environment. If an adversary somehow gains access to a network, threat hunting serves as an essential last line of defense. It helps in finding and stopping a breach before significant impacts occur, like the execution of a wiper or causing physical effects in a process control environment.

Electrum attacks against electric utilities typically involve long dwell times between initial access and finally turning out the lights. In the latest attack reported by Mandiant, threat hunting for the following types of suspicious behaviors in the OT network during that dwell time could have helped uncover the adversary before they achieved their objectives. 

These behaviors include unexpected file transfers from the enterprise network (or an external server) into the OT/ICS network, specifically the transfer of an [dot]iso file to a ‘crown jewel’ SCADA (supervisory control and data acquisition) system. They also include the transfer and execution of unexpected scripts, such as PowerShell ([dot]ps1), Visual Basic ([dot]vbs), and Batch ([dot]bat) files, on a SCADA server, and unexpected commands issued from SCADA servers to RTUs (remote terminal units).
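As an added example that is not part of the original article and is not Dragos’s or Mandiant’s tooling, the Python sketch below turns the three hunting behaviors just described into rules and runs them over a handful of constructed OT telemetry events. The event schema, the zone and role labels (`enterprise`, `ot`, `scada_server`, `rtu`), the baseline of expected RTU commands and the sample events are all assumptions for illustration; in a real deployment those labels come from the asset inventory and the baseline from observed normal traffic.

```python
"""Threat-hunting rules for the OT behaviours named in the article.

Added example, not Dragos's code. Event fields, zone/role labels, the
RTU command baseline and the sample events are all constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed labels; in practice these come from an asset inventory / network map.
ENTERPRISE_ZONES = {"enterprise", "external"}
OT_ZONES = {"ot", "ics"}
CROWN_JEWELS = {"scada_server"}
SCRIPT_EXTENSIONS = {".ps1", ".vbs", ".bat"}
# Constructed baseline of commands a SCADA server normally sends to RTUs.
EXPECTED_RTU_COMMANDS = {"poll_status", "read_registers"}


@dataclass(frozen=True)
class Event:
    kind: str                 # "file_transfer" | "process_start" | "ics_command"
    host_role: str            # role of the host the event landed on or originated from
    src_zone: str = ""        # file_transfer: where the file came from
    dst_zone: str = ""        # file_transfer: where the file was written
    path: str = ""            # file_transfer: destination path
    cmdline: str = ""         # process_start: full command line
    dst_role: str = ""        # ics_command: role of the receiving device
    command: str = ""         # ics_command: command name


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    event: Event


def transfer_into_ot(e: Event) -> Optional[Finding]:
    """Any enterprise/external -> OT transfer is suspect; an .iso on a crown jewel is high."""
    if e.kind != "file_transfer" or e.src_zone not in ENTERPRISE_ZONES or e.dst_zone not in OT_ZONES:
        return None
    if PureWindowsPath(e.path).suffix.lower() == ".iso" and e.host_role in CROWN_JEWELS:
        return Finding("iso_to_crown_jewel", "high", e)
    return Finding("unexpected_transfer_into_ot", "medium", e)


def script_on_scada(e: Event) -> Optional[Finding]:
    """A .ps1/.vbs/.bat referenced on a SCADA server's command line."""
    if e.kind != "process_start" or e.host_role not in CROWN_JEWELS:
        return None
    for token in e.cmdline.split():
        if PureWindowsPath(token.strip('"')).suffix.lower() in SCRIPT_EXTENSIONS:
            return Finding("script_execution_on_scada", "high", e)
    return None


def unexpected_rtu_command(e: Event) -> Optional[Finding]:
    """SCADA -> RTU command that is not in the observed baseline."""
    if e.kind != "ics_command" or e.host_role not in CROWN_JEWELS or e.dst_role != "rtu":
        return None
    if e.command in EXPECTED_RTU_COMMANDS:
        return None
    return Finding("unexpected_rtu_command", "high", e)


RULES = (transfer_into_ot, script_on_scada, unexpected_rtu_command)


def hunt(events: List[Event]) -> List[Finding]:
    """Apply every rule to every event, preserving event order."""
    findings: List[Finding] = []
    for e in events:
        for rule in RULES:
            f = rule(e)
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample telemetry: two benign events and three that match the article's behaviours.
SAMPLE_EVENTS = [
    Event("file_transfer", "scada_server", src_zone="enterprise", dst_zone="ot",
          path=r"C:\Temp\update.iso"),
    Event("file_transfer", "historian", src_zone="ot", dst_zone="ot",
          path=r"D:\exports\daily.csv"),
    Event("process_start", "scada_server", cmdline=r'powershell.exe -File "C:\Temp\run.ps1"'),
    Event("process_start", "engineering_ws", cmdline=r"notepad.exe C:\notes.txt"),
    Event("ics_command", "scada_server", dst_role="rtu", command="read_registers"),
    Event("ics_command", "scada_server", dst_role="rtu", command="control_write"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.event}")
```

The rules deliberately key on where an event happened (zone and host role) rather than on file hashes, which is the difference between hunting for TTPs and scanning for IOCs: a fresh wiper build or a renamed script still trips the same checks.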

Last week, Dragos published a comprehensive research analysis on the activities of hacktivist cyber operations since the start of the conflicts between Ukraine-Russia and Israel-Hamas. Several hacktivist groups have come out of the woodwork during the Israel-Hamas conflict, and the Cyber Av3ngers is one such group. The data recognizes that overlaps between cyber threats and regional kinetic events have never been more evident than throughout 2023, as cyber adversaries work towards conducting targeted and opportunistic operations against critical infrastructure.
