^[2][3]

During the2015 Ukraine Electric Power Attack,Sandworm Team usedBlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests.^[1]

During the2015 Ukraine Electric Power Attack,Sandworm Team installed a VBA script calledvba_macro.exe. This macro droppedFONTCACHE.DAT, the primaryBlackEnergy implant;rundll32.exe, for executing the malware;NTUSER.log, an empty file; and desktop.ini, the default file used to determine folder displays on Windows machines.^[1]

During the2015 Ukraine Electric Power Attack,Sandworm Team created privileged domain accounts to be used for further exploitation and lateral movement.^[1]

During the2015 Ukraine Electric Power Attack,Sandworm Team installed a modified Dropbear SSH client as the backdoor to target systems.^[1]

During the2015 Ukraine Electric Power Attack,Sandworm Team modified in-registry internet settings to lower internet security.^[1]

During the2015 Ukraine Electric Power Attack, vba_macro.exe deletes itself afterFONTCACHE.DAT,rundll32.exe, and the associated .lnk file is delivered.^[1]

During the2015 Ukraine Electric Power Attack,Sandworm Team pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.^[1]

During the2015 Ukraine Electric Power Attack,Sandworm Team gathered account credentials via aBlackEnergy keylogger plugin.^[1][4]

During the2015 Ukraine Electric Power Attack,Sandworm Team moved their tools laterally within the corporate network and between the ICS and corporate network.^[1]

During the2015 Ukraine Electric Power Attack,Sandworm Team modified in-registry Internet settings to lower internet security before launchingrundll32.exe, which in-turn launches the malware and communicates with C2 servers over the Internet.^[1].

During the2015 Ukraine Electric Power Attack,Sandworm Team usedBlackEnergy’s network sniffer module to discover user credentials being sent over the network between the local LAN and the power grid’s industrial control systems.^[5]

During the2015 Ukraine Electric Power Attack,Sandworm Team obtained their initial foothold into many IT systems using Microsoft Office attachments delivered through phishing emails.^[4]

During the2015 Ukraine Electric Power Attack,Sandworm Team loadedBlackEnergy into svchost.exe, which then launched iexplore.exe for their C2.^[1]

During the2015 Ukraine Electric Power Attack,Sandworm Team remotely discovered systems over LAN connections. OT systems were visible from the IT network as well, giving adversaries the ability to discover operational assets.^[5]

During the2015 Ukraine Electric Power Attack,Sandworm Team used a backdoor which could execute a supplied DLL usingrundll32.exe.^[1]

During the2015 Ukraine Electric Power Attack,Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them.^[4]

During the2015 Ukraine Electric Power Attack,Sandworm Team used valid accounts on the corporate network to escalate privileges, move laterally, and establish persistence within the corporate network.^[4]

During the2015 Ukraine Electric Power Attack,Sandworm Team blocked command messages by using malicious firmware to render serial-to-ethernet converters inoperable.^[4]

During the2015 Ukraine Electric Power Attack,Sandworm Team blocked reporting messages by using malicious firmware to render serial-to-ethernet converters inoperable.^[4]

During the2015 Ukraine Electric Power Attack,Sandworm Team overwrote the serial-to-ethernet converter firmware, rendering the devices not operational. This meant that communication to the downstream serial devices was either not possible or more difficult.^[1]

During the2015 Ukraine Electric Power Attack,Sandworm Team used port 443 to communicate with their C2 servers.^[1]

During the2015 Ukraine Electric Power Attack,Sandworm Team established an internal proxy prior to the installation of backdoors within the network.^[1]

During the2015 Ukraine Electric Power Attack,KillDisk rendered devices that were necessary for remote recovery unusable, including at least one RTU. Additionally,Sandworm Team overwrote the firmware for serial-to-ethernet converters, denying operators control of the downstream devices.^[1][4]

During the2015 Ukraine Electric Power Attack, power company phone line operators were hit with a denial of service attack so that they couldn’t field customers’ calls about outages. Operators were also denied service to their downstream devices when their serial-to-ethernet converters had their firmware overwritten, which bricked the devices.^[4]

During the2015 Ukraine Electric Power Attack,Sandworm Team scheduled the uninterruptable power supplies (UPS) to shutdown data and telephone servers via the UPS management interface.^[4][1]

During the2015 Ukraine Electric Power Attack,Sandworm Team used Valid Accounts taken from the Windows Domain Controller to access the control system Virtual Private Network (VPN) used by grid operators.^[1]

During the2015 Ukraine Electric Power Attack,Sandworm Team utilized HMI GUIs in the SCADA environment to open breakers.^[4]

During the2015 Ukraine Electric Power Attack,Sandworm Team moved their tools laterally within the ICS network.^[1]

During the2015 Ukraine Electric Power Attack,Sandworm Team opened the breakers at the infected sites, shutting the power off for thousands of businesses and households for around 6 hours.^[4][1]

During the2015 Ukraine Electric Power Attack, operators were shut out of their equipment either through the denial of peripheral use or the degradation of equipment. Operators were therefore unable to recover from the incident through their traditional means. Much of the power was restored manually.^[4]

During the2015 Ukraine Electric Power Attack, power breakers were opened which caused the operating companies to be unable to deliver power, and left thousands of businesses and households without power for around 6 hours.^[4][1]

During the2015 Ukraine Electric Power Attack,Sandworm Team opened live breakers via remote commands to the HMI, causing blackouts.^[4]

During the2015 Ukraine Electric Power Attack,Sandworm Team used an IT helpdesk software to move the mouse on ICS control devices to maliciously release electricity breakers.^[2]

During the2015 Ukraine Electric Power Attack,Sandworm Team remotely discovered operational assets once on the OT network.^[5][1]

During the2015 Ukraine Electric Power Attack,Sandworm Team overwrote the serial-to-ethernet gateways with custom firmware to make systems either disabled, shutdown, and/or unrecoverable.^[4]

During the2015 Ukraine Electric Power Attack,Sandworm Team issued unauthorized commands to substation breaks after gaining control of operator workstations and accessing a distribution management system (DMS) application.^[4]

During the2015 Ukraine Electric Power Attack,Sandworm Team used valid accounts to laterally move through VPN connections and dual-homed systems. Sandworm Team used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications.^[4][1]

^[1]

^[1]