From blog.eclecticiq.com
In 2022, Mandiant researchers analyzed a disruptive multistage cyber incident affecting critical infrastructure located in Ukraine. [1] The incident, which possibly lasted up to three months, was attributed to Sandworm. Analysis of the cyberattack is notable for the APT's heavy use of native executables and services (living-off-the-land binaries and tools, or LOLBins), possibly indicating a shift in tactics. Previous cyberattacks from the same APT targeting the same vertical were characterized by highly customized malware, which is harder to develop and takes longer to build. While weaponization of native tooling is not novel, in the context of critical infrastructure cyberattacks the technique matters because it allows Sandworm to mount new cyberattacks more quickly [3], since far fewer resources are required. It also makes the actor more flexible: adapting existing tools rather than developing different malware for each operation. Lastly, successful tool adaptation better obfuscates malicious activity by blending in with native traffic. The larger implication of heavy native tool usage is an expanding intent to conduct operational technology cyberattacks.