high_confidence
2016 Ukraine Electric Power Attack
[2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [Industroyer](https://attack.mitre.org/software/S0604) malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)
Start date: 1 December 2016
End date: 1 December 2016
Techniques: 21
Attributed actors
Techniques (21)
credential-access (2)
T1110 Brute Force
T1003.001 LSASS Memory
defense-impairment (1)
T1685.001 Disable or Modify Windows Event Log
discovery (1)
T1018 Remote System Discovery
execution (4)
T1059.003 Windows Command Shell
T1047 Windows Management Instrumentation
T1059.001 PowerShell
T1059.005 Visual Basic
lateral-movement (2)
T1570 Lateral Tool Transfer
T1021.002 SMB/Windows Admin Shares
persistence (6)
T1505.001 SQL Stored Procedures
T1098 Account Manipulation
T1136 Create Account
T1543.003 Windows Service
T1554 Compromise Host Software Binary
T1136.002 Domain Account
privilege-escalation (2)
T1098 Account Manipulation
T1543.003 Windows Service
stealth (5)
T1036.005 Match Legitimate Resource Name or Location
T1036.008 Masquerade File Type
T1036.010 Masquerade Account Name
T1027.002 Software Packing
T1027 Obfuscated Files or Information
Indicators of compromise
No IOCs linked to this campaign yet.