Sandworm Industroyer2

Sandworm deployment of Industroyer2 ICS malware against Ukrainian high-voltage electrical substation, timed to coincide with kinetic operations.

Start date: 1 April 2022
End date:
Techniques: 22

Attributed actors

Techniques (22)

command-and-control (3)
T1105 Ingress Tool Transfer
T1071.001 Web Protocols
T1571 Non-Standard Port

defense-impairment (1)
T1070.001 Clear Windows Event Logs

discovery (3)
T1018 Remote System Discovery
T1082 System Information Discovery
T1083 File and Directory Discovery

execution (4)
T1059.003 Windows Command Shell
T1047 Windows Management Instrumentation
T1059.001 PowerShell
T1053.005 Scheduled Task

impact (4)
T1489 Service Stop
T1485 Data Destruction
T1561.001 Disk Content Wipe
T1561.002 Disk Structure Wipe

initial-access (2)
T1078 Valid Accounts
T1190 Exploit Public-Facing Application

lateral-movement (2)
T1021.002 SMB/Windows Admin Shares
T1021.006 Windows Remote Management

persistence (3)
T1078 Valid Accounts
T1543.003 Windows Service
T1053.005 Scheduled Task

privilege-escalation (4)
T1078 Valid Accounts
T1055 Process Injection
T1543.003 Windows Service
T1053.005 Scheduled Task

stealth (3)
T1078 Valid Accounts
T1055 Process Injection
T1027 Obfuscated Files or Information

Indicators of compromise

No IOCs linked to this campaign yet.