{
	"id": "7d4b98bd-f13a-48c8-b7d4-b35d0b8cea1a",
	"created_at": "2026-04-06T02:11:07.416868Z",
	"updated_at": "2026-04-10T03:37:08.737003Z",
	"deleted_at": null,
	"sha1_hash": "89cb14e7a461f50795ba36556ae6b810fdf0340b",
	"title": "Sandworm Team and the Ukrainian Power Authority Attacks | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 159310,
	"plain_text": "Sandworm Team and the Ukrainian Power Authority Attacks |\r\nMandiant\r\nBy Mandiant\r\nPublished: 2016-01-07 · Archived: 2026-04-06 02:05:44 UTC\r\nWritten by: John Hultquist\r\nUpdate 1.11.16 - SANS ICS Team Connects Dots\r\nUpdating the blog entry to bring attention to the recent analysis published by Mike Assante from the SANS ICS team.\r\n\"After analyzing the information that has been made available by affected power companies, researchers, and the\r\nmedia it is clear that cyber attacks were directly responsible for power outages in Ukraine. The SANS ICS team\r\nhas been coordinating ongoing discussions and providing analysis across multiple international community\r\nmembers and companies. We assess with high confidence based on company statements, media reports, and first-hand analysis that the incident was due to a coordinated intentional attack.\"\r\nRead the full SANS post here - and see below for iSIGHT\r\niSIGHT Partners Analyst Comment\r\nThe SANS ICS blog confirms conclusions previously reached by iSIGHT regarding the nature of the Ukrainian\r\nattacks (specifically the role of destructive malware and phone disruption) and attribution to Sandworm Team.\r\niSIGHT Partners believes this incident is a milestone because it is the first major cyber attack to substantially\r\naffect the civilian population and because of the overwhelming importance of the grid to multiple reliant sectors.\r\nFurthermore, Sandworm Team's previous interest in US and European critical systems underscores the threat they\r\npose (see below for more on Sandworm Team.)\r\nSandworm Team - Historical Targeting of Ukraine and Interest in SCADA Systems\r\nhttps://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html\r\nPage 1 of 3\n\nSince last week, iSIGHT Partners has worked to provide details on the power outage in Ukraine to our global\r\ncustomers. 
We have analyzed the forensic evidence we have been able to obtain from the region, contextualizing it\r\nwithin our knowledge of cyber espionage actors. Many details of the event remain unknown, and given the nature\r\nof the incident, especially the use of destructive malware, we do not anticipate every detail will be exposed.\r\nHowever, we have linked Sandworm Team to the incident, principally based on BlackEnergy 3, the malware that\r\nhas become their calling card.\r\niSIGHT Partners has tracked Sandworm Team for some time - and we publicly reported on some of their activities\r\nin October 2014, when we discovered their use of a zero-day exploit, CVE-2014-4114. In that campaign, we saw\r\ntargeting of Ukrainian government officials, members of the EU and NATO. Shortly after releasing information on\r\ntheir espionage operations, our friends at TrendMicro found evidence that the operators were not only conducting\r\nclassic strategic espionage but targeting SCADA systems as well. Evidence of this accumulated, and iSIGHT\r\nPartners released a follow-up blog where we assessed that activity was reconnaissance for attack - a preparation for\r\ncyber attack to be carried out in the long term. ICS-CERT released a separate advisory as well.\r\nSandworm Team Activity - Late 2014 to Current Day\r\nSandworm Team went to ground shortly after being exposed in October of 2014, and malware with Dune\r\nreferences (the genesis for the 'Sandworm' moniker) which we had previously used to track them disappeared\r\nentirely. However, the unique malware variant, BlackEnergy 3, reemerged in Ukraine early in 2015, where we had\r\nfirst found Sandworm Team. Throughout 2015 we saw increased intrusion activity using BlackEnergy 3. We\r\nwarned our clients of new features suggesting an increased focus on European targets - though verification of\r\ntargets was not possible at the time. 
Additionally, we warned our customers about the targeting of both media and\r\nregional power authorities in the Ukraine, sectors later affected by cyber attacks. Some of this information was\r\nrecently shared by the folks at ESET, who have also been following Sandworm Team very closely for quite some\r\ntime.\r\nOn the Ukrainian Power Authority Incidents\r\nLast week iSIGHT's sources provided us with the same KillDisk malware published by Rob Lee of SANS and\r\nDragos Security. As ESET has, we place this malware within the greater context of activity tied to BlackEnergy 3,\r\nwhich we believe is Sandworm Team. We believe this KillDisk malware is related to the destructive malware\r\nleveraged during Ukrainian elections in October. At the time, CERT-UA connected that incident to BlackEnergy 3.\r\nSymantec has since verified those claims. Furthermore, iSIGHT's own sources indicate that BlackEnergy 3\r\nmalware was deployed on at least one of the Ukrainian power systems affected by KillDisk.\r\niSIGHT Partners is still collecting information on the mechanics of the power outage and what role the KillDisk\r\nmalware played in the greater event. We cannot confirm that the KillDisk malware caused the outage. It may have\r\nbeen used following steps to manipulate power in order to impede restoration efforts or operator visibility. It is\r\nnoteworthy that technical support numbers associated with the power authorities were allegedly flooded with\r\ncalls, which may have been an effort to further overwhelm responders. On their official website, the Ukrainian\r\nsecurity service, SBU, made this claim.\r\nOutlook\r\nA cyber attack of this nature is a milestone - although a predictable one. 
The aggressive nature of Sandworm\r\nTeam's previous activity in Europe and the United States exposed their interest in targeting critical systems and\r\nindicated preparation for cyber attack. Targeting of critical entities in Ukraine throughout 2015, during a time of\r\nwar, further presaged a desire to disrupt infrastructure.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html"
	],
	"report_names": [
		"ukraine-and-sandworm-team.html"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775441467,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89cb14e7a461f50795ba36556ae6b810fdf0340b.pdf",
		"text": "https://archive.orkl.eu/89cb14e7a461f50795ba36556ae6b810fdf0340b.txt",
		"img": "https://archive.orkl.eu/89cb14e7a461f50795ba36556ae6b810fdf0340b.jpg"
	}
}