Last winter, Russia opened a new chapter in its war in Ukraine. With its battlefield progress stalled and the illegally annexed territories in eastern and southern Ukraine under pressure from Kyiv’s counteroffensive, Moscow set its sights on Ukraine’s energy grid. Hoping to exploit the long winter months and dampen Ukrainian morale, Russia’s military unleashed a carefully planned campaign of attacks intended to systematically degrade the country’s energy infrastructure.

This effort was methodical. Aimed at power distribution components, such as the substations that link Ukraine’s grid together, the attacks were designed to sever critical connections used to stabilise the country’s energy system. The campaign was carefully designed to inflict as much damage as possible.

Ultimately, Russia would fail in its bid to collapse the grid. Ukraine prevailed and its resolve hardened. Yet concealed behind the waves of drone and missile strikes, Russian military hackers known commonly as Sandworm worked in parallel to tilt Ukraine’s energy infrastructure into cascading failure.

Physical effects without malware

As part of its overall support effort, the notorious sabotage unit employed a new class of cyber-physical attack against Ukraine’s energy grid. The attackers homed in on MicroSCADA, software common in critical infrastructure systems and the one used to monitor and control Ukraine’s grid. Sandworm stealthily manipulated controls for multiple substations and disrupted power.

Evidence from a joint investigation by Mandiant and Ukraine’s cyber authorities indicates that Sandworm readied the attack in as little as two months after gaining unauthorised access to the network. Instead of using tailored malware, malicious commands were injected directly into legitimate MicroSCADA software controlling the grid’s operations. Sandworm then covered its tracks, masking the specific commands executed to trip the breakers and cause an unscheduled power outage.

While preparing this operation, the group was also laying the groundwork for a series of other attacks against energy, water, and transportation critical infrastructure. This body of evidence demonstrates that disruptive cyberattacks – even those targeting industrial control systems – can be prepared and deployed in the constrained time horizons of an armed conflict. These observations make Ukraine’s defensive performance all the more impressive.

Innovation and improvement

Sandworm has a long history of sabotaging Ukraine’s energy grid through cyber-physical attacks. In December 2015, the group used a series of cyber tools, including modular malware known as “BlackEnergy 2”, to gain access to operators’ workstations and interactively take substations offline. A year later, in December 2016, they struck again. Demonstrating significant advancements in its capabilities, Sandworm used a new modular malware known as “Industroyer”, a first-of-its-kind tool built specifically to interact with and disrupt the physical control systems operating Ukraine’s grid.

These winter attacks were the first known cases of malware-driven power outages. To this day, they remain key data points in an extremely limited historical record of cyber-physical attacks. Many analysts still point to the technical specifics of the two attacks as evidence of the difficulty of conducting cyber-physical operations in a crisis or conflict. The incidents have fuelled fundamental assumptions about cyber operations in wartime: that they are excessively time intensive to develop, difficult to coordinate with conventional forces, and too slow and unreliable.

These formative events occurred over half a decade ago in an earlier, malware-centric era of cyber operations. In the years since, a radically different operational norm has emerged. Today, government-backed threat actors have moved away from complex, modular malware like Industroyer. Instead, they prioritise operations that forgo malware wherever possible to blend in with existing legitimate digital infrastructure.

In this operational paradigm, known as “living off the land”, state cyber programmes are more reserved about using their heavyweight, purpose-built malware frameworks. Instead, they rely on the abuse of built-in tools and protocols already present in the target environment. When malware is required, lightweight open-source components and dual-use defensive tools are favoured over custom modular frameworks, which are more prone to detection and technical countermeasures. This approach provides an arsenal of capabilities that require significantly less lead time to prepare and fly under the radar of security systems. When paired with the surge of vulnerabilities observed in the 2020s so far, the potential for rapid access to sensitive networks is far-reaching.

The incorporation of living-off-the-land tactics through the full spectrum of cyber espionage, influence, and attack operations represents a fundamental shift in cyber competition and conflict. From the perspective of our adversaries, it is a conscious adaptation to overcome the constraints of the malware-centric era of cyber operations. In other words, these new operations provide a way to achieve speed, scale, and stealth simultaneously across campaigns of linked cyber operations that span months if not years.

As research from Gabby Roncone and me showcased, this flexible approach to cyber operations has been central to the Russian military’s ability to keep pace with the demands of its war in Ukraine. Other states are following suit. US cyber authorities and Microsoft warned in May 2023 that suspected Chinese military operators known as Volt Typhoon are using the same tactics to target sensitive critical infrastructure, possibly in preparation for a future conflict. Wider surveys of the threat landscape continue to reveal widespread adoption of these cheaper, faster, and hard-to-detect methods by government-backed hackers seeking political and military advantage.

An unwelcome paradigm shift

Sandworm’s latest grid attack is a watershed moment. It has bucked expectations of a future defined by increasingly tailored malware and has shown that quicker, stealthier, and more generic living-off-the-land methods are better suited for a wartime environment. Most concerningly, the attack method used is flexible and could affect critical infrastructure globally, such as seaports, railways, airports, hospitals, and other power grids that use the same MicroSCADA software. Efforts to build detections and harden systems against this class of attack are of paramount importance.

Stepping back, this attack defies assumptions about cyber conflict. Prevailing theories have overstated the resource and time constraints for readying cyberattacks and have failed to wrestle with the implications of the changed operating environment. Russia and others are rapidly innovating and will almost certainly continue refining their existing cyber-physical attack programmes to capitalise on this generic, fast-paced concept of operations that can be relied upon on short notice.

Russia’s latest attack is a crucial warning to recalibrate our thinking about the character and role of cyber operations in future crises or conflicts. Existing theories must come to terms with the significant changes that have occurred over the past half-decade, culminating in Sandworm’s latest combination of living-off-the-land techniques with physical effects on critical infrastructure. Otherwise, policymakers and military planners risk being unprepared for the cyberattacks most likely to occur today.