Russian Sandworm Behind Operational Disruption of Ukraine Energy Facility in October 2022

November 14, 2023


According to Google-owned US cybersecurity firm Mandiant, the Russia-linked hacking group Sandworm was behind hacks on Ukraine's energy infrastructure during the October 2022 blackouts. Mandiant describes the attack as a rare example of a cyber incident disrupting the physical operation of a targeted facility. There was potentially a two-month period between the attacker gaining initial access to the SCADA system and developing the OT capability. Two days after the OT event, Sandworm deployed a new variant of CADDYWIPER in the victim's IT environment to cause further disruption and potentially to remove forensic artifacts.

The techniques used during the attack show the growing maturity of Russia's operational technology-oriented offensive cyber capabilities and of its overall approach to attacking such systems, Mandiant said.

Incident Date

October 12, 2022



Estimated Cost

2 separate power outages (Oct. 12, 14, 2022)


Type of Malware

No malware identified

Threat Source