{"description": "ICS techniques used by 2015 Ukraine Electric Power Attack, ATT&CK campaign C0028 (v1.0)", "name": "2015 Ukraine Electric Power Attack (C0028)", "domain": "ics-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1695", "showSubtechniques": true}, {"techniqueID": "T1695.001", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the serial-to-Ethernet converter firmware, rendering the devices inoperable. Communication with the downstream serial devices was therefore either impossible or significantly harder. (Citation: Booz Allen Hamilton)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1691", "showSubtechniques": true}, {"techniqueID": "T1691.001", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked command messages by using malicious firmware to render serial-to-Ethernet converters inoperable. (Citation: Ukraine15 - EISAC - 201603)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1691.002", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked reporting messages by using malicious firmware to render serial-to-Ethernet converters inoperable. (Citation: Ukraine15 - EISAC - 201603)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T0885", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used port 443 to communicate with their C2 servers. (Citation: Booz Allen Hamilton)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0884", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) established an internal proxy before installing backdoors within the network. (Citation: Booz Allen Hamilton)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0813", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [KillDisk](https://attack.mitre.org/software/S0607) rendered devices that were necessary for remote recovery unusable, including at least one RTU. Additionally, [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the firmware of serial-to-Ethernet converters, denying operators control of the downstream devices. (Citation: Booz Allen Hamilton)(Citation: Ukraine15 - EISAC - 201603)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0814", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), the power companies\u2019 phone line operators were hit with a denial of service attack so that they couldn\u2019t field customers\u2019 calls about outages. Operators were also denied service to their downstream devices when their serial-to-Ethernet converters had their firmware overwritten, which bricked the devices. (Citation: Ukraine15 - EISAC - 201603)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0816", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) scheduled the uninterruptible power supplies (UPS) to shut down data and telephone servers via the UPS management interface. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0822", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used valid accounts, with credentials taken from the Windows Domain Controller, to access the control system Virtual Private Network (VPN) used by grid operators. (Citation: Booz Allen Hamilton)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0823", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used HMI GUIs in the SCADA environment to open breakers. (Citation: Ukraine15 - EISAC - 201603)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0867", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) moved their tools laterally within the ICS network. (Citation: Booz Allen Hamilton)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0826", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) opened the breakers at the infected sites, cutting power to thousands of businesses and households for around 6 hours. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0827", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), operators were locked out of their equipment, either through denial of peripheral use or through degradation of the equipment itself, and were therefore unable to recover from the incident through their usual means. Much of the power was restored manually. (Citation: Ukraine15 - EISAC - 201603)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0828", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), power breakers were opened, leaving the operating companies unable to deliver power and thousands of businesses and households without electricity for around 6 hours. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0831", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) opened live breakers via remote commands to the HMI, causing blackouts. (Citation: Ukraine15 - EISAC - 201603)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1693", "showSubtechniques": true}, {"techniqueID": "T1693.001", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the serial-to-Ethernet gateways with custom firmware, leaving the devices disabled, shut down, or unrecoverable. (Citation: Ukraine15 - EISAC - 201603)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T0886", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used IT helpdesk (remote access) software to move the mouse on ICS control systems and open breakers. (Citation: Andy Greenberg June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0846", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) remotely discovered operational assets once on the OT network. (Citation: Charles McLellan March 2016)(Citation: Booz Allen Hamilton)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1692", "showSubtechniques": true}, {"techniqueID": "T1692.001", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) issued unauthorized commands to substation breakers after gaining control of operator workstations and accessing a distribution management system (DMS) application. (Citation: Ukraine15 - EISAC - 201603)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T0859", "comment": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used valid accounts to move laterally through VPN connections and dual-homed systems. They used the same credentials to interact with client applications and to access employee workstations hosting HMI applications. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by 2015 Ukraine Electric Power Attack", "color": "#66b1ff"}]}
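Before loading a campaign layer like the one above into ATT&CK Navigator or merging it with your own coverage layers, it is worth checking that the file is internally consistent: every `techniqueID` is well formed, every score sits inside the declared gradient range, every colour has a legend entry, every sub-technique entry has a parent entry with `showSubtechniques` set (otherwise Navigator hides it), and every procedure comment carries a citation. The helper below is an added example written for this page, not MITRE code; the function names are my own, and the embedded sample layer is constructed to mirror the shape of a generated campaign layer rather than copied from it.

```python
"""Load, validate and summarise an ATT&CK Navigator layer file.

Hypothetical helper written for this page; it is not MITRE code and the
function names are assumptions. SAMPLE_LAYER_TEXT is a constructed layer
with the same layout as a generated campaign layer.
"""
import json
import re
from collections import Counter

# Navigator technique IDs: "Tnnnn" for a technique, "Tnnnn.nnn" for a sub-technique.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")
# Procedure comments cite their sources as "(Citation: <name>)".
CITATION = re.compile(r"\(Citation: ([^)]+)\)")

# Constructed sample layer: one parent entry, one scored sub-technique, one scored technique.
SAMPLE_LAYER_TEXT = json.dumps({
    "name": "sample campaign layer",
    "domain": "ics-attack",
    "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
    "techniques": [
        {"techniqueID": "T1691", "showSubtechniques": True},
        {"techniqueID": "T1691.001", "score": 1, "color": "#66b1ff", "showSubtechniques": True,
         "comment": "Blocked command messages. (Citation: Ukraine15 - EISAC - 201603)"},
        {"techniqueID": "T0885", "score": 1, "color": "#66b1ff", "showSubtechniques": False,
         "comment": "Used port 443 for C2. (Citation: Booz Allen Hamilton)"},
    ],
    "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
    "legendItems": [{"label": "used by sample campaign", "color": "#66b1ff"}],
})


def load_layer(text):
    """Parse layer JSON. strict=False accepts raw line breaks inside comment strings,
    which some exports carry and which a strict JSON parser rejects outright."""
    return json.loads(text, strict=False)


def validate_layer(layer):
    """Return a list of human-readable problems; an empty list means the layer is consistent."""
    problems = []
    for key in ("name", "domain", "versions", "techniques"):
        if key not in layer:
            problems.append(f"missing top-level key {key!r}")
    techniques = layer.get("techniques", [])
    gradient = layer.get("gradient", {})
    lo, hi = gradient.get("minValue"), gradient.get("maxValue")
    legend_colors = {item.get("color", "").lower() for item in layer.get("legendItems", [])}
    # Parent entries (no ".") are what Navigator expands to show sub-technique rows.
    parents = {t["techniqueID"]: t for t in techniques
               if "techniqueID" in t and "." not in t["techniqueID"]}
    for tid, n in Counter(t.get("techniqueID") for t in techniques).items():
        if n > 1:
            problems.append(f"{tid}: listed {n} times")
    for t in techniques:
        tid = t.get("techniqueID", "")
        if not TECHNIQUE_ID.match(tid):
            problems.append(f"malformed techniqueID {tid!r}")
            continue
        if "score" in t and lo is not None and hi is not None and not lo <= t["score"] <= hi:
            problems.append(f"{tid}: score {t['score']} outside gradient range [{lo}, {hi}]")
        if "color" in t and legend_colors and t["color"].lower() not in legend_colors:
            problems.append(f"{tid}: color {t['color']} has no legend entry")
        if "comment" in t and not CITATION.search(t["comment"]):
            problems.append(f"{tid}: procedure comment carries no citation")
        if "." in tid:
            parent = parents.get(tid.split(".")[0])
            if parent is None:
                problems.append(f"{tid}: parent technique entry is missing")
            elif not parent.get("showSubtechniques", False):
                problems.append(f"{tid}: parent has showSubtechniques=false, so this entry is hidden")
    return problems


def summarize(layer):
    """Count entries and collect the distinct citations backing the scored techniques."""
    techniques = layer.get("techniques", [])
    scored = [t for t in techniques if "score" in t]
    return {
        "entries": len(techniques),
        "scored": len(scored),
        "sub_techniques": sum(1 for t in scored if "." in t["techniqueID"]),
        "citations": sorted({c for t in scored for c in CITATION.findall(t.get("comment", ""))}),
    }


if __name__ == "__main__":
    layer = load_layer(SAMPLE_LAYER_TEXT)
    print("problems:", validate_layer(layer) or "none")
    print("summary:", summarize(layer))
```

Run it against a real layer with `load_layer(open("layer.json").read())`; a non-empty problem list is the signal to fix the file before importing it, since Navigator silently drops or hides entries it cannot place rather than reporting them.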