Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology | Mandiant

Mandiant details a two-stage Sandworm operation in Ukraine that used a virtual CD-ROM autorun to run VBS/batch files which invoked the native MicroSCADA utility scilc.exe to execute SCIL commands against substations, causing an unplanned power outage. Two days later the actor deployed a new CADDYWIPER variant across the IT environment via GPOs (TANKTRAP) to further disrupt and remove artifacts. #Sandworm #CADDYWIPER

Keypoints

  • Sandworm maintained presence using Neo-REGEORG webshell and GOGETTER tunneler, persisting GOGETTER via Systemd service units.
  • The actor accessed a SCADA hypervisor and leveraged an ISO named “a.iso” (autorun enabled) that contained lun.vbs and n.bat to launch native MicroSCADA utilities.
  • Command fragments indicate execution of scilc.exe with “-do pack\scil\s1.txt”, implying external SCIL program execution to send unauthorized commands to RTUs.
  • The MicroSCADA instance was EOL and exposed the SCIL-API by default, enabling direct execution of SCIL programs via native binaries.
  • Two days after the OT disruption, Sandworm deployed a new CADDYWIPER variant across IT using TANKTRAP GPOs that copied msserver.exe to endpoints and scheduled timed execution.
  • Mandiant provides detections and hunting artifacts (YARA, SIGMA) and recommends hardening MicroSCADA, monitoring scilc.exe execution, and network segmentation between IT and OT.

MITRE Techniques

  • [T0847] Replication Through Removable Media – Sandworm inserted an ISO as a virtual CD-ROM into the SCADA VM where autorun was permitted. [‘Sandworm accessed a hypervisor … leveraged an ISO image named “a.iso” as a logical CD-ROM inserted into the CD-ROM drive of the SCADA virtual machine. The system was configured to permit inserted CD-ROMs to autorun.’]
  • [T0807] Command-Line Interface – The ISO launched VBS and batch files which invoked native command lines. [‘wscript.exe “d:\pack\lun.vbs”’, ‘cmd /c “D:\pack\n.bat”’, ‘C:\sc\prog\exec\scilc.exe -do pack\scil\s1.txt’]
  • [T0871] Execution Through API – The actor used the native MicroSCADA scilc.exe to execute an external SCIL program via the SCIL-API. [‘Sandworm utilized the native MicroSCADA “scilc.exe” binary to execute an external SCIL program via the SCIL-API.’]
  • [T0853] Scripting – Visual Basic scripts (lun.vbs) were used to launch the batch script. [‘Set WshShell = CreateObject(“WScript.Shell”) … WshShell.Run chr(34) & “packn.bat” & Chr(34), 0’]
  • [T0872] Indicator Removal on Host – The group removed forensic artifacts and deployed destructive tooling. [‘Sandworm deployed CADDYWIPER malware and deleted files to remove forensic artifacts.’]
  • [T0809] Data Destruction – CADDYWIPER was used to wipe files, mapped drives, and physical partitions. [‘CADDYWIPER will attempt to wipe all files before proceeding to wipe any mapped drives. It will then attempt to wipe the physical drive partition itself.’]
  • [T0855] Unauthorized Command Message – SCIL commands were executed to send unauthorized control messages to RTUs over IEC-60870 protocols. [‘execute unauthorized SCIL commands that would have caused the MicroSCADA server to relay the commands to the substation RTUs via either the IEC-60870-5-104 protocol … or IEC-60870-5-101 protocol …’]
  • [T0831] Manipulation of Control – The unauthorized SCIL commands likely opened circuit breakers, manipulating power distribution control. [‘caused a manipulation of control of the power distribution system via unauthorized SCIL commands. These were likely commands to open circuit breakers in the victim’s substation environments.’]

Indicators of Compromise

  • [IP address] C2 / webshell hosts – 82.180.150[.]197, 190.2.145[.]24 (Neo-REGEORG requests and GOGETTER C2)
  • [File hash] Endpoint binaries – 26e2a41f26ab885bf409982cb823ffd1 (lun.vbs), b2557692a63e119af0a106add54950e6 (msserver.exe / CADDYWIPER)
  • [File name] Malicious delivery artifacts – a.iso (virtual CD-ROM containing lun.vbs and n.bat), lun.vbs, n.bat, s1.txt (likely SCIL commands)
  • [Scheduled task / GPO] TANKTRAP persistence and execution – scheduled tasks running C:\Windows\msserver.exe (examples: Task Name qAWZe / QJKWt scheduled for 2022-10-12)

Sandworm’s technical procedure began with internet-facing compromise activity (Neo-REGEORG webshell) and deployment of GOGETTER to maintain a tunneled C2 channel; GOGETTER persistence used systemd service units configured with ExecStart and WantedBy=multi-user.target to survive reboots. The actor then laterally accessed a hypervisor hosting an EOL MicroSCADA instance and inserted an autorun-enabled ISO (a.iso) containing lun.vbs and n.bat. Those scripts launched native Windows commands (wscript.exe and cmd) that invoked the native MicroSCADA utility scilc.exe with the -do parameter to execute an external SCIL program file (pack\scil\s1.txt). Mandiant assesses that this file held unauthorized SCIL commands which the MicroSCADA server relayed to RTUs over IEC-60870 protocols, likely opening substation circuit breakers.

Two days after the OT disruption, Sandworm deployed a newly compiled CADDYWIPER variant in the IT environment via TANKTRAP Group Policy Objects: the GPOs copied the wiper to endpoints as msserver.exe (also seen as lhh.exe) and created scheduled tasks to run it at preset times (examples: C:\Windows\msserver.exe triggered on 2022-10-12). The wiper attempted file and partition wipes and was used alongside explicit indicator removal steps; in this incident, however, the wiper affected IT hosts and not the SCADA VM or hypervisor.

Defensive actions focus on removing EOL/unsafe configurations (upgrade MicroSCADA and disable SCIL-API), enforcing strict IT/OT segmentation, monitoring for scilc.exe process execution and command lines containing “-do”, hunting for VBS→batch launchers and ISO/autorun file activity, and applying the provided YARA/SIGMA rules and scheduled-task/GPO detections to hunt for GOGETTER, TANKTRAP, and CADDYWIPER behaviors.
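The hunting logic above, as an added example that is not part of the Mandiant post or its published YARA/SIGMA rules: four process-creation checks (scilc.exe with -do, a script host running a .vbs from a non-system drive letter, cmd.exe spawned by wscript/cscript to run a .bat, and execution of C:\Windows\msserver.exe) run over constructed Sysmon-style events. The events, field names and the assumption that the autorun ISO mounts as a non-C: drive are mine, not the page's.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in a Sysmon Event ID 1 style; this is
# not telemetry from the incident. Command lines mirror the fragments the
# page quotes (wscript -> cmd -> scilc.exe -do ...) plus the TANKTRAP task
# image C:\Windows\msserver.exe.
EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "d:\pack\lun.vbs"'},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'cmd /c "D:\pack\n.bat"'},
    {"image": r"C:\sc\prog\exec\scilc.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\sc\prog\exec\scilc.exe -do pack\scil\s1.txt"},
    {"image": r"C:\Windows\msserver.exe", "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\msserver.exe"},
    # Operator-run scilc.exe with no -do argument: must not trip the SCIL rule.
    {"image": r"C:\sc\prog\exec\scilc.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\sc\prog\exec\scilc.exe"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

def _base(path):
    return PureWindowsPath(path).name.lower()

def classify(ev):
    """Return the names of the hunting rules one event matches (possibly none)."""
    image, parent, cmd = _base(ev["image"]), _base(ev["parent"]), ev["cmdline"]
    hits = []
    # 1. Native MicroSCADA utility handed an external SCIL program via -do.
    if image == "scilc.exe" and re.search(r"(^|\s)-do(\s|$)", cmd, re.I):
        hits.append("scilc_external_scil_program")
    # 2. Script host running a .vbs from a drive letter other than C:
    #    (assumption: the autorun ISO is mounted as a non-system drive).
    if image in SCRIPT_HOSTS and re.search(r'"?[d-z]:\\[^"]*\.vbs', cmd, re.I):
        hits.append("script_from_removable_drive")
    # 3. VBS -> batch launcher: cmd.exe spawned by a script host to run a .bat.
    if image == "cmd.exe" and parent in SCRIPT_HOSTS and ".bat" in cmd.lower():
        hits.append("vbs_to_batch_launcher")
    # 4. Execution of the TANKTRAP-staged wiper path named on the page.
    if re.search(r"\\windows\\msserver\.exe", ev["image"] + " " + cmd, re.I):
        hits.append("tanktrap_msserver")
    return hits

def hunt(events=EVENTS):
    """Map each suspicious command line to the rules it tripped; clean events are dropped."""
    findings = {}
    for ev in events:
        if hits := classify(ev):
            findings[ev["cmdline"]] = hits
    return findings

if __name__ == "__main__":
    for cmd, rules in hunt().items():
        print(f"{', '.join(rules):<32} {cmd}")
```

In a real deployment the -do check is the highest-value signal: the page notes scilc.exe is a legitimate MicroSCADA binary, so the argument, the parent process and the script path together separate operator use from this chain.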

Read more: https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology