
C0025 2016 Ukraine Electric Power Attack

2016 Ukraine Electric Power Attack was a Sandworm Team campaign during which they used Industroyer malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by Sandworm Team. [1][2]

Item | Value
ID | C0025
Associated Names | -
First Seen | December 2016
Last Seen | December 2016
Version | 1.0
Created | 31 March 2023
Last Modified | 10 April 2023

Groups

ID | Name | References
G0034 | Sandworm Team | [5][4]

Techniques Used

Domain | ID | Name | Use
enterprise | T1098 | Account Manipulation | During the 2016 Ukraine Electric Power Attack, Sandworm Team used the sp_addlinkedsrvlogin command in MS-SQL to create a link between a created account and other servers in the network. [2]
enterprise | T1110 | Brute Force | During the 2016 Ukraine Electric Power Attack, Sandworm Team used a script to attempt RPC authentication against a number of hosts. [2]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.001 | PowerShell | During the 2016 Ukraine Electric Power Attack, Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses. [2]
enterprise | T1059.003 | Windows Command Shell | During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. [2]
enterprise | T1059.005 | Visual Basic | During the 2016 Ukraine Electric Power Attack, Sandworm Team created VBScripts to run on an SSH server. [2]
enterprise | T1554 | Compromise Client Software Binary | During the 2016 Ukraine Electric Power Attack, Sandworm Team used a trojanized version of Windows Notepad to add a layer of persistence for Industroyer. [1]
enterprise | T1136 | Create Account | During the 2016 Ukraine Electric Power Attack, Sandworm Team added a login to a SQL Server with sp_addlinkedsrvlogin. [2]
enterprise | T1136.002 | Domain Account | During the 2016 Ukraine Electric Power Attack, Sandworm Team created two new accounts, "admin" and "система" (System). The accounts were then assigned to a domain matching local operation and were delegated new privileges. [2]
enterprise | T1543 | Create or Modify System Process | -
enterprise | T1543.003 | Windows Service | During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary. [3]
enterprise | T1562 | Impair Defenses | -
enterprise | T1562.002 | Disable Windows Event Logging | During the 2016 Ukraine Electric Power Attack, Sandworm Team disabled event logging on compromised systems. [2]
enterprise | T1570 | Lateral Tool Transfer | During the 2016 Ukraine Electric Power Attack, Sandworm Team used move to transfer files to a network share. [2]
enterprise | T1036 | Masquerading | -
enterprise | T1036.005 | Match Legitimate Name or Location | During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files. [3]
enterprise | T1036.008 | Masquerade File Type | During the 2016 Ukraine Electric Power Attack, Sandworm Team masqueraded executables as .txt files. [2]
enterprise | T1027 | Obfuscated Files or Information | During the 2016 Ukraine Electric Power Attack, Sandworm Team used heavily obfuscated code with Industroyer in its Windows Notepad backdoor. [1]
enterprise | T1027.002 | Software Packing | During the 2016 Ukraine Electric Power Attack, Sandworm Team used UPX to pack a copy of Mimikatz. [2]
enterprise | T1003 | OS Credential Dumping | -
enterprise | T1003.001 | LSASS Memory | During the 2016 Ukraine Electric Power Attack, Sandworm Team used Mimikatz to capture and use legitimate credentials. [2]
enterprise | T1021 | Remote Services | -
enterprise | T1021.002 | SMB/Windows Admin Shares | During the 2016 Ukraine Electric Power Attack, Sandworm Team utilized net use to connect to network shares. [2]
enterprise | T1018 | Remote System Discovery | During the 2016 Ukraine Electric Power Attack, Sandworm Team checked for connectivity to resources within the network and used LDAP to query Active Directory, discovering information about computers listed in AD. [2]
enterprise | T1505 | Server Software Component | -
enterprise | T1505.001 | SQL Stored Procedures | During the 2016 Ukraine Electric Power Attack, Sandworm Team used various MS-SQL stored procedures. [2]
enterprise | T1047 | Windows Management Instrumentation | During the 2016 Ukraine Electric Power Attack, WMI in scripts was used for remote execution and system surveys. [2]
ics | T0807 | Command-Line Interface | During the 2016 Ukraine Electric Power Attack, Sandworm Team supplied the name of the payload DLL to Industroyer via a command line parameter. [1]
ics | T0867 | Lateral Tool Transfer | During the 2016 Ukraine Electric Power Attack, Sandworm Team used a VBS script to facilitate lateral tool transfer. The VBS script was used to copy ICS-specific payloads with the following command: cscript C:\Backinfo\ufn.vbs C:\Backinfo\101.dll C:\Delta\101.dll [2]
ics | T0849 | Masquerading | During the 2016 Ukraine Electric Power Attack, Sandworm Team transferred executable files as .txt and then renamed them to .exe, likely to avoid detection through extension tracking. [2]
ics | T0886 | Remote Services | During the 2016 Ukraine Electric Power Attack, Sandworm Team used MS-SQL access to a pivot machine, allowing code execution throughout the ICS network. [2]
ics | T0853 | Scripting | During the 2016 Ukraine Electric Power Attack, Sandworm Team utilized VBS and batch scripts for file movement and as wrappers for PowerShell execution. [2]
ics | T0859 | Valid Accounts | During the 2016 Ukraine Electric Power Attack, Sandworm Team used valid accounts to laterally move through VPN connections and dual-homed systems. [2]

Software

ID | Name | Description
S0604 | Industroyer | Within the 2016 Ukraine Electric Power Attack, Industroyer was used to target and disrupt the Ukrainian power grid substation components. [2][1]

References