1. Home
  2. Campaigns
  3. 2022 Ukraine Electric Power Attack

2022 Ukraine Electric Power Attack

The 2022 Ukraine Electric Power Attack was a Sandworm Team campaign that used a combination of GOGETTER, Neo-REGEORG, CaddyWiper, and living of the land (LotL) techniques to gain access to a Ukrainian electric utility to send unauthorized commands from their SCADA system.[1][2]

ID: C0034
First Seen:  June 2022 [1]
Last Seen:  October 2022 [1]
Version: 1.0
Created: 27 March 2024
Last Modified: 10 April 2024
Version Permalink

Groups

ID Name Description
G0034 Sandworm Team

[1][2]

Enterprise Layer
download view
ICS Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

During the 2022 Ukraine Electric Power Attack, Sandworm Team utilized a PowerShell utility called TANKTRAP to spread and launch a wiper using Windows Group Policy.[1]
Enterprise T1543 .002 Create or Modify System Process: Systemd Service

During the 2022 Ukraine Electric Power Attack, Sandworm Team configured Systemd to maintain persistence of GOGETTER, specifying the WantedBy=multi-user.target configuration to run GOGETTER when the system begins accepting user logins.[1]
Enterprise T1485 Data Destruction

During the 2022 Ukraine Electric Power Attack, Sandworm Team deployed CaddyWiper on the victim’s IT environment systems to wipe files related to the OT capabilities, along with mapped drives, and physical drive partitions.[1]
Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Group Policy Objects (GPOs) to deploy and execute malware.[1]
Enterprise T1570 Lateral Tool Transfer

During the 2022 Ukraine Electric Power Attack, Sandworm Team used a Group Policy Object (GPO) to copy CaddyWiper's executable msserver.exe from a staging server to a local hard drive before deployment.[1]
Enterprise T1036 .004 Masquerading: Masquerade Task or Service

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Systemd service units to masquerade GOGETTER malware as legitimate or seemingly legitimate services.[1]
Enterprise T1095 Non-Application Layer Protocol

During the 2022 Ukraine Electric Power Attack, Sandworm Team proxied C2 communications within a TLS-based tunnel.[1]
Enterprise T1572 Protocol Tunneling

During the 2022 Ukraine Electric Power Attack, Sandworm Team deployed the GOGETTER tunneler software to establish a "Yamux" TLS-based C2 channel with an external server(s).[1]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.[1]
Enterprise T1505 .003 Server Software Component: Web Shell

During the 2022 Ukraine Electric Power Attack, Sandworm Team deployed the Neo-REGEORG webshell on an internet-facing server.[1]
ICS T0895 Autorun Image

During the 2022 Ukraine Electric Power Attack, Sandworm Team used existing hypervisor access to map an ISO image named a.iso to a virtual machine running a SCADA server. The SCADA server’s operating system was configured to autorun CD-ROM images, and as a result, a malicious VBS script on the ISO image was automatically executed.[1]
ICS T0807 Command-Line Interface

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged the SCIL-API on the MicroSCADA platform to execute commands through the scilc.exe binary.[1]
ICS T0853 Scripting

During the 2022 Ukraine Electric Power Attack, Sandworm Team utilizes a Visual Basic script lun.vbs to execute n.bat which then executed the MicroSCADA scilc.exe command.[1]
ICS T0894 System Binary Proxy Execution

During the 2022 Ukraine Electric Power Attack, Sandworm Team executed a MicroSCADA application binary scilc.exe to send a predefined list of SCADA instructions specified in a file defined by the adversary, s1.txt. The executed command C:\sc\prog\exec\scilc.exe -do pack\scil\s1.txt leverages the SCADA software to send unauthorized command messages to remote substations.[1]
ICS T0855 Unauthorized Command Message

During the 2022 Ukraine Electric Power Attack, Sandworm Team used the MicroSCADA SCIL-API to specify a set of SCADA instructions, including the sending of unauthorized commands to substation devices.[1]

Software

ID Name Description
S0693 CaddyWiper

[1]

References

  1. Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.
  1. Dragos, Inc.. (2023, December 11). ELECTRUM Targeted Ukrainian Electric Entity Using Custom Tools and CaddyWiper Malware, October 2022. Retrieved March 28, 2024.