C0025 2016 Ukraine Electric Power Attack
2016 Ukraine Electric Power Attack was a Sandworm Team campaign during which they used Industroyer malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by Sandworm Team.12
| Item | Value |
|---|---|
| ID | C0025 |
| Associated Names | |
| First Seen | December 2016 |
| Last Seen | December 2016 |
| Version | 1.0 |
| Created | 31 March 2023 |
| Last Modified | 10 April 2023 |
| Navigation Layer | View In ATT&CK® Navigator |
Groups
| ID | Name | References |
|---|---|---|
| G0034 | Sandworm Team | 54 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1098 | Account Manipulation | During the 2016 Ukraine Electric Power Attack, Sandworm Team used the sp_addlinkedsrvlogin command in MS-SQL to create a link between a created account and other servers in the network.2 |
| enterprise | T1110 | Brute Force | During the 2016 Ukraine Electric Power Attack, Sandworm Team used a script to attempt RPC authentication against a number of hosts.2 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | During the 2016 Ukraine Electric Power Attack, Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.2 |
| enterprise | T1059.003 | Windows Command Shell | During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL.2 |
| enterprise | T1059.005 | Visual Basic | During the 2016 Ukraine Electric Power Attack, Sandworm Team created VBScripts to run on an SSH server.2 |
| enterprise | T1554 | Compromise Client Software Binary | During the 2016 Ukraine Electric Power Attack, Sandworm Team used a trojanized version of Windows Notepad to add a layer of persistence for Industroyer.1 |
| enterprise | T1136 | Create Account | During the 2016 Ukraine Electric Power Attack, Sandworm Team added a login to a SQL Server with sp_addlinkedsrvlogin.2 |
| enterprise | T1136.002 | Domain Account | During the 2016 Ukraine Electric Power Attack, Sandworm Team created two new accounts, “admin” and “система” (System). The accounts were then assigned to a domain matching local operation and were delegated new privileges.2 |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary. 3 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.002 | Disable Windows Event Logging | During the 2016 Ukraine Electric Power Attack, Sandworm Team disabled event logging on compromised systems.2 |
| enterprise | T1570 | Lateral Tool Transfer | During the 2016 Ukraine Electric Power Attack, Sandworm Team used move to transfer files to a network share.2 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.3 |
| enterprise | T1036.008 | Masquerade File Type | During the 2016 Ukraine Electric Power Attack, Sandworm Team masqueraded executables as .txt files.2 |
| enterprise | T1027 | Obfuscated Files or Information | During the 2016 Ukraine Electric Power Attack, Sandworm Team used heavily obfuscated code with Industroyer in its Windows Notepad backdoor.1 |
| enterprise | T1027.002 | Software Packing | During the 2016 Ukraine Electric Power Attack, Sandworm Team used UPX to pack a copy of Mimikatz.2 |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | During the 2016 Ukraine Electric Power Attack, Sandworm Team used Mimikatz to capture and use legitimate credentials.2 |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.002 | SMB/Windows Admin Shares | During the 2016 Ukraine Electric Power Attack, Sandworm Team utilized net use to connect to network shares.2 |
| enterprise | T1018 | Remote System Discovery | During the 2016 Ukraine Electric Power Attack, Sandworm Team checked for connectivity to resources within the network and used LDAP to query Active Directory, discovering information about computers listed in AD.2 |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.001 | SQL Stored Procedures | During the 2016 Ukraine Electric Power Attack, Sandworm Team used various MS-SQL stored procedures.2 |
| enterprise | T1047 | Windows Management Instrumentation | During the 2016 Ukraine Electric Power Attack, WMI in scripts were used for remote execution and system surveys. 2 |
| ics | T0807 | Command-Line Interface | During the 2016 Ukraine Electric Power Attack, Sandworm Team supplied the name of the payload DLL to Industroyer via a command line parameter.1 |
| ics | T0867 | Lateral Tool Transfer | During the 2016 Ukraine Electric Power Attack, Sandworm Team used a VBS script to facilitate lateral tool transfer. The VBS script was used to copy ICS-specific payloads with the following command: cscript C:\Backinfo\ufn.vbs C:\Backinfo\101.dll C:\Delta\101.dll2 |
| ics | T0849 | Masquerading | During the 2016 Ukraine Electric Power Attack, Sandworm Team transferred executable files as .txt and then renamed them to .exe, likely to avoid detection through extension tracking.2 |
| ics | T0886 | Remote Services | During the 2016 Ukraine Electric Power Attack, Sandworm Team used MS-SQL access to a pivot machine, allowing code execution throughout the ICS network.2 |
| ics | T0853 | Scripting | During the 2016 Ukraine Electric Power Attack, Sandworm Team utilized VBS and batch scripts for file movement and as wrappers for PowerShell execution.2 |
| ics | T0859 | Valid Accounts | During the 2016 Ukraine Electric Power Attack, Sandworm Team used valid accounts to laterally move through VPN connections and dual-homed systems.2 |
Software
| ID | Name | Description |
|---|---|---|
| S0604 | Industroyer | Within the 2016 Ukraine Electric Power Attack, Industroyer was used to target and disrupt the Ukrainian power grid substation components.21 |
References
-
Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020. ↩↩↩↩↩
-
Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020. ↩↩
-
Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack Retrieved. 2019/10/22 ↩
-
Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. ↩