| enterprise |
T1059 |
Command and Scripting Interpreter |
- |
| enterprise |
T1059.001 |
PowerShell |
During the 2022 Ukraine Electric Power Attack, Sandworm Team utilized a PowerShell utility called TANKTRAP to spread and launch a wiper using Windows Group Policy. |
| enterprise |
T1543 |
Create or Modify System Process |
- |
| enterprise |
T1543.002 |
Systemd Service |
During the 2022 Ukraine Electric Power Attack, Sandworm Team configured Systemd to maintain persistence of GOGETTER, specifying the WantedBy=multi-user.target configuration to run GOGETTER when the system begins accepting user logins. |
| enterprise |
T1485 |
Data Destruction |
During the 2022 Ukraine Electric Power Attack, Sandworm Team deployed CaddyWiper on the victim’s IT environment systems to wipe files related to the OT capabilities, along with mapped drives, and physical drive partitions. |
| enterprise |
T1484 |
Domain or Tenant Policy Modification |
- |
| enterprise |
T1484.001 |
Group Policy Modification |
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Group Policy Objects (GPOs) to deploy and execute malware. |
| enterprise |
T1570 |
Lateral Tool Transfer |
During the 2022 Ukraine Electric Power Attack, Sandworm Team used a Group Policy Object (GPO) to copy CaddyWiper’s executable msserver.exe from a staging server to a local hard drive before deployment. |
| enterprise |
T1036 |
Masquerading |
- |
| enterprise |
T1036.004 |
Masquerade Task or Service |
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Systemd service units to masquerade GOGETTER malware as legitimate or seemingly legitimate services. |
| enterprise |
T1095 |
Non-Application Layer Protocol |
During the 2022 Ukraine Electric Power Attack, Sandworm Team proxied C2 communications within a TLS-based tunnel. |
| enterprise |
T1572 |
Protocol Tunneling |
During the 2022 Ukraine Electric Power Attack, Sandworm Team deployed the GOGETTER tunneler software to establish a “Yamux” TLS-based C2 channel with an external server(s). |
| enterprise |
T1053 |
Scheduled Task/Job |
- |
| enterprise |
T1053.005 |
Scheduled Task |
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time. |
| enterprise |
T1505 |
Server Software Component |
- |
| enterprise |
T1505.003 |
Web Shell |
During the 2022 Ukraine Electric Power Attack, Sandworm Team deployed the Neo-REGEORG webshell on an internet-facing server. |
| ics |
T0895 |
Autorun Image |
During the 2022 Ukraine Electric Power Attack, Sandworm Team used existing hypervisor access to map an ISO image named a.iso to a virtual machine running a SCADA server. The SCADA server’s operating system was configured to autorun CD-ROM images, and as a result, a malicious VBS script on the ISO image was automatically executed. |
| ics |
T0807 |
Command-Line Interface |
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged the SCIL-API on the MicroSCADA platform to execute commands through the scilc.exe binary. |
| ics |
T0853 |
Scripting |
During the 2022 Ukraine Electric Power Attack, Sandworm Team utilizes a Visual Basic script lun.vbs to execute n.bat which then executed the MicroSCADA scilc.exe command. |
| ics |
T0894 |
System Binary Proxy Execution |
During the 2022 Ukraine Electric Power Attack, Sandworm Team executed a MicroSCADA application binary scilc.exe to send a predefined list of SCADA instructions specified in a file defined by the adversary, s1.txt. The executed command C:\sc\prog\exec\scilc.exe -do pack\scil\s1.txt leverages the SCADA software to send unauthorized command messages to remote substations. |
| ics |
T0855 |
Unauthorized Command Message |
During the 2022 Ukraine Electric Power Attack, Sandworm Team used the MicroSCADA SCIL-API to specify a set of SCADA instructions, including the sending of unauthorized commands to substation devices. |