Discussion on a Complex Incident Targeting Critical Infrastructure

Guest:

• Sandra Joyce, VP at Mandiant Intelligence

Topics:

• Could you give us a brief overview of what this power disruption incident was about?

• This incident involved both Living Off the Land and attacks on operational technology (OT). Could you explain to our audience what these mean and what the attacker did here?

• We also saw a wiper used to hide forensics, is that common these days?

• Did the attacker risk tipping their hand about upcoming physical attacks? If we’d seen this intrusion earlier, might we have understood the attacker’s next moves?

• How did your team establish robust attribution in this case, and how they do it in general? How sure are we, really? 

• Could you share how this came about and maybe some of the highlights in our relationship helping defend that country?

Resources:

• Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology | Mandiant

• Andy Greenberg’s book Sandworm 

• EP155 Cyber, Geopolitics, AI, Cloud - All in One Book?