Living Off the Land: How to Hunt for and Respond to LOLBins Attacks in OT

Understanding the 2022 Sandworm Attack on Ukraine

In June 2022, the Russian-backed hacking group Sandworm launched a large-scale cyberattack against Ukraine’s power grid. The intrusion culminated in a power outage on October 10, followed on October 12 by a wiper attack that erased critical utility network data, most likely to destroy forensic evidence.

Sandworm leveraged a “living off the land” (LOTL) technique commonly associated with industrial and nation-state cyber warfare. LOLBins attacks are not exclusive to large-scale operations, however; they are also frequently used in ransomware and smaller intrusions. Because LOLBins abuse built-in Windows features, they are difficult to detect. But difficult does not mean impossible.

In this article, we analyze Mandiant’s report on the 2022 Sandworm attack to identify key indicators of LOLBins activity in industrial environments.

Who is Sandworm?

Sandworm is a notorious Russian cyber threat group indicted by the U.S. Department of Justice in October 2022. The group has targeted Ukraine for over a decade, conducting cyberattacks on critical infrastructure, including the first-ever cyber-induced power outage in 2015.

Beyond industrial attacks, Sandworm has orchestrated major cyber incidents worldwide, including:

  • The NotPetya malware attack

  • Interference in the 2017 French presidential election

  • The 2018 Winter Olympics cyberattack

The group employs a mix of custom malware—such as BlackEnergy and BadRabbit—and widely available tools like Mimikatz to achieve its objectives.

Key Findings from the Mandiant Report

Mandiant’s investigation revealed that the initial intrusion in June 2022 involved installing the Neo-REGEORG webshell and GOGETTER tunneler on a Linux server. Sandworm likely accessed the OT environment via a hypervisor, aligning with a growing trend where virtual machines host SCADA components.

Attack progression:

  • October 10: A compromised MicroSCADA binary executed via an ISO image triggered the power outage.

  • October 12: CADDYWIPER was deployed on the IT system, likely to erase forensic evidence and increase disruption.

What Are LOLBins Attacks?

LOLBins (Living Off the Land Binaries and Scripts) refer to the abuse of legitimate system tools, such as PowerShell and Visual Basic Script (VBS), to carry out malicious actions without detection. Because these tools are allowlisted and routinely used for legitimate purposes, threat actors can blend their activity into normal host and network activity.

Challenges in Detecting LOLBins

Because LOLBins are legitimate system binaries that already sit on the allowlist, traditional allowlisting and blocklisting alone cannot stop them. The key challenge is distinguishing normal script execution from malicious use of the very same tools.

How to Detect LOLBins Attacks in OT Networks

1. Monitoring Windows Event Logs (4688)

Windows Security event logs, specifically Event ID 4688 (process creation), can reveal LOLBins activity. However, this level of auditing is often disabled on industrial systems and must be enabled deliberately through the audit policy; note also that a 4688 record carries the process command line only when command-line auditing is switched on as well.

2. Analyzing Parent-Child Process Relationships

LOLBins attacks often spawn unexpected child processes. Examining parent-child relationships can highlight anomalies, such as PowerShell scripts executing unexpectedly or outside scheduled maintenance windows.

3. Investigating Script Execution Timing

Scripts are typically executed during maintenance, updates, or logic pushes. Anomalous script execution at unusual times may indicate malicious activity.

4. Pulling Memory Images for Analysis

Memory images provide deep insight into process hierarchies and the network ports each process has bound, helping identify unusual or suspicious activity at the system level.

5. Examining File and Folder Locations

Malicious scripts are often stored in unusual locations. Investigating unexpected file placements can help identify unauthorized modifications to critical applications.
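The following is an added example, not code from the article or from Insane Cyber, that applies checks 1, 2, 3 and 5 above to Windows Event ID 4688 records: it flags a script host with an unexpected parent, script execution outside the maintenance window, and scripts launched from unusual file locations. The records are constructed, and the expected parents, the 02:00–04:00 maintenance window and the approved script directories are assumptions a site would tune to its own baseline.

```python
"""Triage of Windows Security Event ID 4688 (process creation) records for
LOLBins indicators on an OT workstation: a script host with an unexpected
parent, script execution outside the maintenance window, and scripts run
from unusual file locations.

Added example (not from the article). The sample records are constructed;
the parent/window/location baselines are assumptions a site would tune.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional

# Script hosts commonly abused as LOLBins (lower-case basenames).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Assumption: parents from which a script host is expected on this workstation
# (operator shell, and the service host that runs scheduled maintenance jobs).
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe"}

# Assumption: site maintenance window, when scripted logic pushes and updates are normal.
MAINT_START, MAINT_END = time(2, 0), time(4, 0)

# Assumption: directories from which scripts are legitimately run (lower-case, trailing separator).
EXPECTED_SCRIPT_DIRS = ("c:\\program files\\", "c:\\scada\\scripts\\")

SCRIPT_EXTENSIONS = (".ps1", ".vbs", ".js", ".bat", ".cmd", ".hta")


@dataclass
class ProcessEvent:
    """Subset of 4688 fields used by the checks."""
    time_created: datetime
    new_process: str      # NewProcessName
    parent_process: str   # CreatorProcessName
    command_line: str     # CommandLine (present only when command-line auditing is on)
    user: str             # SubjectUserName


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def in_maintenance_window(ts: datetime) -> bool:
    return MAINT_START <= ts.time() <= MAINT_END


def script_path(command_line: str) -> Optional[str]:
    """Return the first script-file argument on the command line, lower-cased."""
    for token in command_line.replace('"', " ").split():
        if token.lower().endswith(SCRIPT_EXTENSIONS):
            return token.lower()
    return None


def triage(event: ProcessEvent) -> List[str]:
    """Return human-readable findings for one 4688 record (empty list = nothing odd)."""
    child = basename(event.new_process)
    if child not in SCRIPT_HOSTS:
        return []
    findings = []
    parent = basename(event.parent_process)
    if parent not in EXPECTED_PARENTS:
        findings.append(f"unexpected parent: {parent} -> {child}")
    if not in_maintenance_window(event.time_created):
        findings.append(f"{child} run outside maintenance window at {event.time_created:%H:%M}")
    path = script_path(event.command_line)
    if path and not path.startswith(EXPECTED_SCRIPT_DIRS):
        findings.append(f"script in unexpected location: {path}")
    return findings


def triage_all(events: List[ProcessEvent]) -> List[List[str]]:
    return [triage(e) for e in events]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Scheduled logic push inside the window, from the approved script directory: clean.
    ProcessEvent(datetime(2024, 3, 5, 3, 10), r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\svchost.exe",
                 'powershell.exe -File "C:\\SCADA\\Scripts\\push_logic.ps1"', "svc_maint"),
    # PowerShell spawned by the WMI provider host mid-afternoon, script in a public folder: three findings.
    ProcessEvent(datetime(2024, 3, 5, 14, 37), r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\update.ps1", "operator1"),
    # Not a script host at all: ignored.
    ProcessEvent(datetime(2024, 3, 5, 14, 38), r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe", "notepad.exe", "operator1"),
]

if __name__ == "__main__":
    for event, findings in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        print(f"{event.time_created:%H:%M} {basename(event.new_process)}: {findings or 'ok'}")
```

In practice the `ProcessEvent` records would be populated from the Security log (for example via `Get-WinEvent` filtered on ID 4688) rather than constructed inline; the three baselines are what make the checks useful, so they deserve more care than the code.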

6. Detecting Anomalies in Network and Workstation Data

Although industrial networks exhibit consistent behavior, minor deviations—such as unexpected logic updates or unusual function codes sent to embedded devices—can serve as red flags for LOLBins activity.
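As an added example (not from the article or from Insane Cyber) of the kind of minor deviation described above, the code below learns which host, device and Modbus function-code combinations appear during a known-good period and then flags live requests that fall outside that baseline, or that write to a device outside the maintenance window. All addresses, timestamps and requests are constructed; the learning period and the 02:00–04:00 window are assumptions.

```python
"""Baseline-and-deviation check on Modbus/TCP function codes sent to embedded
devices: a host/device/function-code combination never seen during normal
operation, or a state-changing write outside the maintenance window.

Added example (not from the article). Addresses, timestamps and traffic are
constructed; the learning period and maintenance window are assumptions.
"""
from datetime import datetime, time
from typing import List, NamedTuple, Set, Tuple


class ModbusRequest(NamedTuple):
    ts: datetime
    src: str            # requesting host (HMI, engineering workstation, ...)
    dst: str            # PLC / RTU
    function_code: int  # Modbus function code


# Standard Modbus function codes that change coil/register state.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}
MAINT_START, MAINT_END = time(2, 0), time(4, 0)

FlowKey = Tuple[str, str, int]


def learn_baseline(requests: List[ModbusRequest]) -> Set[FlowKey]:
    """Record every (src, dst, function code) combination seen in known-good traffic."""
    return {(r.src, r.dst, r.function_code) for r in requests}


def detect(requests: List[ModbusRequest], baseline: Set[FlowKey]) -> List[Tuple[str, ModbusRequest]]:
    """Return (reason, request) pairs for requests that deviate from the baseline."""
    alerts = []
    for r in requests:
        if (r.src, r.dst, r.function_code) not in baseline:
            alerts.append(("new_flow", r))
        elif r.function_code in WRITE_FUNCTION_CODES and not (MAINT_START <= r.ts.time() <= MAINT_END):
            alerts.append(("write_outside_window", r))
    return alerts


HMI, EWS, PLC, UNKNOWN = "10.0.1.10", "10.0.1.50", "10.0.2.20", "10.0.1.77"

# Constructed learning-period traffic: the HMI polls holding registers (FC 3) and
# coils (FC 1); the engineering workstation pushes logic (FC 16) in the window.
BASELINE_TRAFFIC = [
    ModbusRequest(datetime(2024, 3, 1, 9, 0), HMI, PLC, 3),
    ModbusRequest(datetime(2024, 3, 1, 9, 0, 2), HMI, PLC, 1),
    ModbusRequest(datetime(2024, 3, 2, 3, 0), EWS, PLC, 16),
]

# Constructed live traffic containing three deviations.
LIVE_TRAFFIC = [
    ModbusRequest(datetime(2024, 3, 5, 3, 15), EWS, PLC, 16),      # write inside window: fine
    ModbusRequest(datetime(2024, 3, 5, 9, 30), HMI, PLC, 3),       # normal poll
    ModbusRequest(datetime(2024, 3, 5, 13, 40), EWS, PLC, 16),     # logic write outside window
    ModbusRequest(datetime(2024, 3, 5, 13, 41), UNKNOWN, PLC, 3),  # never-seen host
    ModbusRequest(datetime(2024, 3, 5, 13, 42), HMI, PLC, 8),      # HMI never sent diagnostics (FC 8)
]


def run_demo() -> List[str]:
    """Reasons raised on the constructed live traffic, in time order."""
    baseline = learn_baseline(BASELINE_TRAFFIC)
    return [reason for reason, _ in detect(LIVE_TRAFFIC, baseline)]


if __name__ == "__main__":
    for reason, req in detect(LIVE_TRAFFIC, learn_baseline(BASELINE_TRAFFIC)):
        print(f"{req.ts:%Y-%m-%d %H:%M} {reason}: {req.src} -> {req.dst} FC {req.function_code}")
```

A real deployment would build `BASELINE_TRAFFIC` from a capture or from a network monitoring sensor's flow records over a representative period, and would re-learn the baseline after any sanctioned change to the plant; the same shape of check applies to other industrial protocols once the request type is extracted.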

You Don’t Have to Hunt Alone

Sophisticated LOLBins attacks in the OT sector are increasing. While they blend in with normal network activity, detection is possible through granular threat analysis and careful investigation.

If monitoring these threats is beyond your team’s capacity, partnering with a trusted cybersecurity provider like Insane Cyber can make all the difference. Our experts continuously track emerging threats, analyze anomalous activities, and provide actionable intelligence to safeguard your OT environment.
