{
	"id": "3844f2ba-1958-496f-8f3b-5ad54654dd48",
	"created_at": "2026-04-06T00:10:25.622691Z",
	"updated_at": "2026-04-10T03:37:09.179374Z",
	"deleted_at": null,
	"sha1_hash": "402bc7ab2fabe2523faa30e4fbe490ed6d86b3bd",
	"title": "New wave of cyberattacks against Ukrainian power industry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 253987,
	"plain_text": "New wave of cyberattacks against Ukrainian power industry\r\nBy Robert Lipovsky\r\nArchived: 2026-04-02 10:59:47 UTC\r\nCybercrime\r\nESET has discovered a new wave of cyberattacks against Ukraine's electric power industry. Interestingly, the\r\nmalware that was used is not BlackEnergy.\r\n20 Jan 2016  •  4 min. read\r\nThe cyberattacks against the Ukrainian electric power industry continue. Background information on this story\r\ncan be found in our recent publications:\r\nBlackEnergy trojan strikes again: Attacks Ukrainian electric power industry\r\nBlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry\r\nBlackEnergy and the Ukrainian power outage: What we really know\r\nYesterday (January 19th) we discovered a new wave of these attacks, where a number of electricity distribution\r\ncompanies in Ukraine were targeted again following the power outages in December. What’s particularly\r\ninteresting is that the malware that was used this time is not BlackEnergy, which poses further questions about the\r\nperpetrators behind the ongoing operation. The malware is based on a freely-available open-source backdoor –\r\nsomething no one would expect from an alleged state-sponsored malware operator.\r\nDetails of the cyberattacks\r\nThe attack scenario itself hasn't changed much from what we described in our previous blog post. The attackers\r\nsent spearphishing emails to potential victims yesterday. The email contained an attachment with a malicious XLS\r\nfile.\r\nhttps://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-industry/\r\nPage 1 of 5\n\nSpearphishing email from January 19, 2016\r\nThe email contains HTML content with a link to a .PNG file located on a remote server so that the attackers will\r\nget a notification that the email was delivered and opened by the target. We have observed the same interesting\r\ntechnique used by the BlackEnergy group in the past.\r\nHTML content of email with PNG file on remote server\r\nJust as interestingly, the name of the PNG file is the base64-encoded string “mail_victim’s_email”.\r\nThe XLS file used in attacks\r\nThe malicious macro-enabled XLS file is similar to the ones we’ve seen in previous attack waves. It tries, by\r\nsocial engineering, to trick the recipient into ignoring the built-in Microsoft Office Security Warning, thereby\r\ninadvertently executing the macro. The text in the document, translated from Ukrainian, reads: Attention! This\r\ndocument was created in a newer version of Microsoft Office. Macros are needed to display the contents of the\r\ndocument.\r\nExecuting the macro leads to the launch of a malicious trojan-downloader that attempts to download and execute\r\nthe final payload from a remote server.\r\nDisassembled code from dropped executable\r\nThe server hosting the final payload is located in Ukraine and was taken offline after a notification from CERT-UA and CyS-CERT.\r\nWe expected to see the BlackEnergy malware as the final payload, but a different malware was used this time. The\r\nattackers used modified versions of an open-source gcat backdoor written in the Python programming language.\r\nThe Python script was converted into a stand-alone executable using the PyInstaller program.\r\nObfuscated code of GCat backdoor\r\nThis backdoor is able to download executables and execute shell commands. Other GCat backdoor functionality,\r\nsuch as making screenshots, keylogging, or uploading files, was removed from the source code. The backdoor is\r\ncontrolled by attackers using a Gmail account, which makes it difficult to detect such traffic in the network.\r\nESET security solutions detect the threat as:\r\nVBA/TrojanDropper.Agent.EY\r\nWin32/TrojanDownloader.Agent.CBC\r\nPython/Agent.N\r\nThoughts and conclusions\r\nEver since the first blog posts following our discovery of these cyberattacks, they have gained widespread media\r\nattention. The reasons for that are twofold:\r\nIt is probably the first case where a mass-scale electrical power outage has been caused by a malware\r\ncyberattack.\r\nMainstream media have popularly attributed the attacks to Russia, based on claims of several security\r\ncompanies that the organization using BlackEnergy, a.k.a. Sandworm, a.k.a. Quedagh, is Russian state-sponsored.\r\nThe first point has been a subject of debate as to whether the malware actually caused the power outage or\r\nwhether it only “enabled” it. While there is a difference in the technical aspects between the two, and while we’re\r\nnaturally interested in the smallest details when conducting malware analysis, on a higher level, it doesn’t really\r\nmatter. As a matter of fact, it is the very essence of malicious backdoors – to grant attackers remote access to an\r\ninfected system.\r\nThe second point is even more controversial. As we have stated before, great care should be taken before accusing\r\na specific actor, especially a nation state. We currently have no evidence that would indicate who is behind these\r\ncyberattacks, and to attempt attribution by simple deduction based on the current political situation might bring us\r\nto the correct answer, or it might not. In any case, it is speculation at best. The current discovery suggests that the\r\npossibility of false flag operations should also be considered.\r\nTo sum it up, the current discovery does not bring us any closer to uncovering the origins of the attacks in\r\nUkraine. On the contrary, it reminds us to avoid jumping to rash conclusions.\r\nWe continue to monitor the situation for future developments. For any inquiries or to make sample submissions\r\nrelated to the subject, contact us at: threatintel@eset.com\r\nIndicators of compromise\r\nIP addresses:\r\n193.239.152.131\r\n62.210.83.213\r\nMalicious XLS SHA-1s:\r\n1DD4241835BD741F8D40BE63CA14E38BBDB0A816\r\nExecutable SHA-1s:\r\n920EB07BC8321EC6DE67D02236CF1C56A90FEA7D\r\nBC63A99F494DE6731B7F08DD729B355341F6BF3D\r\nSource: https://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-industry/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-industry/"
	],
	"report_names": [
		"new-wave-attacks-ukrainian-power-industry"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434225,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/402bc7ab2fabe2523faa30e4fbe490ed6d86b3bd.pdf",
		"text": "https://archive.orkl.eu/402bc7ab2fabe2523faa30e4fbe490ed6d86b3bd.txt",
		"img": "https://archive.orkl.eu/402bc7ab2fabe2523faa30e4fbe490ed6d86b3bd.jpg"
	}
}