{
	"id": "5be02fb5-e66b-4fe4-a772-62d022d86e02",
	"created_at": "2026-04-06T00:15:45.366808Z",
	"updated_at": "2026-04-10T13:11:21.346516Z",
	"deleted_at": null,
	"sha1_hash": "c5145a4d713500abfaf5c9ccad27e03a846d91ba",
	"title": "ELECTRUM Targeted Ukrainian Electric Entity Using Custom Tools and CaddyWiper Malware, October 2022",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 407953,
	"plain_text": "ELECTRUM Targeted Ukrainian Electric Entity Using Custom\r\nTools and CaddyWiper Malware, October 2022\r\nBy Dragos, Inc.\r\nPublished: 2023-12-11 · Archived: 2026-04-05 19:15:11 UTC\r\nOn November 9, 2023, Mandiant released new details from forensic investigations following a disruptive attack\r\nagainst a Ukrainian electric substation which started in June 2022 and culminated in two events on October 10 and 12,\r\n2022. Dragos associates this activity with the ELECTRUM threat group (which has technical overlaps with the\r\nSANDWORM Advanced Persistent Threat (APT)). ELECTRUM is responsible for several cyber attacks on\r\nUkrainian electric utilities and a 2016 power outage that resulted in the disruption of power to ¼ million homes,\r\nand this newly disclosed attack shares similarities with previous attacks.\r\nUnderstanding the tactics and tools employed by ELECTRUM from an intelligence perspective and the ability to\r\nhunt and monitor for their known behaviors and indicators in OT environments should be prioritized for ICS\r\nassets located in Ukraine, and where the European electric industry is concerned.\r\nELECTRUM Cyber Breach Timeline\r\nIn June of 2022, ELECTRUM gained access to a hypervisor running an end-of-life (EOL) version of\r\nMicroSCADA software in the electric substation’s OT environment. ELECTRUM then attempted to execute a set\r\nof custom living off the land (LOTL) scripts to impact the availability and control of the substation. ELECTRUM\r\nalso utilized a new version of CaddyWiper to remove their operational footprint from the electric substation’s\r\ncompromised IT systems. 
These actions by ELECTRUM satisfy Stage 1 and Stage 2 of the ICS Cyber Kill Chain.\r\nhttps://www.dragos.com/blog/new-details-electrum-ukraine-electric-sector-compromise-2022/\r\nPage 1 of 3\n\nAt that same time in October, Russia attacked Ukraine with massive missile strikes targeting key energy\r\ninfrastructure, damaging 30 percent of the energy infrastructure in Ukraine with power supply interruptions in\r\nmany locations.\r\nCurrently, Dragos is unsure of exactly what ELECTRUM’s dormancy suggests other than potential system\r\nreconnaissance and collections activities. Dragos cannot confirm whether this attack was successful in interrupting\r\nthe substation and thus impacting power in Ukraine. The initial compromise vector for the June-October events\r\nhas not been identified.\r\nELECTRUM Attacks on the Ukraine Electric Sector\r\nThe State Service of Special Communications and Information Protection of Ukraine (SSSCIP) reported that\r\nUkraine’s Computer Emergency Response Team (CERT-UA) recorded 2,100 cyber incidents in 2022. While only\r\na subset of incidents is associated with ELECTRUM, the energy sector was a particular focus in the region and\r\nELECTRUM has been responsible for several major attacks on the electric sector going back to 2015.\r\nIn April 2022, the security firm ESET identified multiple malware capabilities at a Ukrainian utility provider.\r\nDuring the incident, ELECTRUM remained dormant on the electric entity’s network for at least one month before\r\nthe attack was to occur. This is a consistent pattern for ELECTRUM: gain access to a network, remain dormant,\r\npotentially collect system details, and then build custom scripts and tools prior to executing a destructive cyber\r\nattack. This attack used a new version of CaddyWiper, other custom wipers, and Industroyer2 (a scaled-back\r\nversion of CRASHOVERRIDE). 
This marked the third time ELECTRUM had attacked a Ukrainian utility\r\nprovider.\r\nGiven ELECTRUM’s destructive history, ELECTRUM’s likely objectives were to execute the commands against\r\nthe MicroSCADA utility to impact the availability and control of the electric substation. It is interesting that\r\nMicroSCADA software, designed for legitimate purposes in operational technology environments, was used\r\nduring this incident. While the effect of its use remains unclear, this tactic is noteworthy and should be used to update\r\nand inform threat models for future cyber attacks.\r\nMicroSCADA has been deployed in more than 10,000 substations and monitors the electric supply for more than\r\n10 percent of the world’s population. In addition, the compromised version of MicroSCADA was considered end-of-life (EOL), which means that it was software that the manufacturer or vendor no longer supported. Similarly,\r\nthe creation of the PIPEDREAM ICS-specific malware involved the implementation and use of known industrial\r\nprotocols OPC-UA and Modbus. This reinforces the importance of considering the role of native software and\r\ncapabilities in OT-focused cyber attacks.\r\nRecommendations\r\nDragos recommends referencing the five critical controls for OT cybersecurity identified by the SANS Institute\r\nas a framework for defending against adversary activity directed against ICS/OT system environments.\r\nAmong the critical controls is ensuring OT network monitoring. In addition to scanning for known indicators of\r\ncompromise (IOCs), Dragos also recommends monitoring in the form of proactive threat hunting to identify\r\npotentially malicious tactics, techniques, and procedures (TTPs) in the environment. 
If an adversary somehow\r\ngains access to a network, threat hunting serves as an essential last line of defense to find and stop a breach before\r\nsignificant impacts occur, like execution of a wiper or causing physical effects in a process control environment.\r\nAs noted above, ELECTRUM attacks against electric utilities have typically involved long dwell times between\r\ninitial access and finally turning out the lights. In the latest attack reported by Mandiant, threat hunting for the\r\nfollowing types of suspicious behaviors in the OT network during that dwell time could have helped uncover the\r\nadversary before they achieved their objectives:\r\n- Unexpected file transfers from the enterprise network (or an external server) into the OT/ICS network,\r\nspecifically, the transfer of an .iso file to a “Crown Jewel” SCADA system\r\n- Transfer and execution of unexpected scripts like PowerShell (.ps1), Visual Basic (.vbs), and Batch (.bat)\r\nfiles on a SCADA server\r\n- Unexpected commands issued from SCADA servers to RTUs\r\nThese are just a few examples of the wide range of behaviors that proactive threat hunting can help reveal to\r\nthwart an intrusion. The Dragos OT Watch team provides managed threat hunting and serves as a force multiplier\r\nfor existing security teams seeking assistance with threat hunting in their OT environments. Threat-based\r\ndetections for ELECTRUM TTPs are codified in the Dragos Platform for enhanced visibility of threats to ICS\r\nassets.\r\nSource: https://www.dragos.com/blog/new-details-electrum-ukraine-electric-sector-compromise-2022/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.dragos.com/blog/new-details-electrum-ukraine-electric-sector-compromise-2022/"
	],
	"report_names": [
		"new-details-electrum-ukraine-electric-sector-compromise-2022"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434545,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c5145a4d713500abfaf5c9ccad27e03a846d91ba.pdf",
		"text": "https://archive.orkl.eu/c5145a4d713500abfaf5c9ccad27e03a846d91ba.txt",
		"img": "https://archive.orkl.eu/c5145a4d713500abfaf5c9ccad27e03a846d91ba.jpg"
	}
}