Threat Intelligence Firm Reveals Details of Sandworm Hacking Attack

admin, 14 November 2023 00:22:11

The notorious Russian hackers known as Sandworm targeted an electrical substation in Ukraine last year, causing a brief power outage in October 2022.

The findings come from Google's Mandiant, which described the hack as a "multi-event cyber attack" leveraging a novel technique for impacting industrial control systems (ICS).

"The actor first used OT-level living-off-the-land (LotL) techniques to likely trip the victim's substation circuit breakers, causing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across Ukraine," the company said.

"Sandworm later conducted a second disruptive event by deploying a new variant of CaddyWiper in the victim's IT environment."

The threat intelligence firm did not reveal the location of the targeted energy facility, the duration of the blackout, and the number of people who were impacted by the incident.

The incident continues Sandworm's efforts, dating back to at least 2015, to stage disruptive attacks against Ukraine's power grid using malware such as Industroyer.

The exact initial access vector used for the cyber-physical attack is presently unclear, and it is believed that the threat actor's use of LotL techniques reduced the time and resources required to carry it out.

The intrusion is thought to have happened around June 2022, with the Sandworm actors gaining access to the operational technology (OT) environment through a hypervisor that hosted a supervisory control and data acquisition (SCADA) management instance for the victim's substation environment.

On October 10, 2022, an optical disc (ISO) image file was used to launch malware capable of switching off substations, resulting in an unscheduled power outage.

"Two days after the OT event, Sandworm deployed a new variant of CaddyWiper in the victim's IT environment to cause further disruption and potentially to remove forensic artifacts," Mandiant said.

CaddyWiper refers to a piece of data-wiping malware that first came to light in March 2022 in connection with the Russo-Ukrainian war.

The eventual execution of the attack, Mandiant noted, coincided with the start of a multi-day set of coordinated missile strikes on critical infrastructure across a number of Ukrainian cities, including the city in which the unnamed victim was situated.

"This attack represents an immediate threat to Ukrainian critical infrastructure environments leveraging the MicroSCADA supervisory control system," the company said.

"Given Sandworm's global threat activity and the worldwide deployment of MicroSCADA products, asset owners globally should take action to mitigate their tactics, techniques, and procedures against IT and OT systems."

Originally published on the WeChat official account 知机安全: Threat Intelligence Firm Reveals Details of Sandworm Hacking Attack

Please keep this link when reposting (CN-SEC中文网; thanks to the original author): https://cn-sec.com/archives/2201812.html