{
	"id": "b82942d8-cae9-4fce-8289-396f4cc03ae0",
	"created_at": "2026-04-06T00:13:36.980325Z",
	"updated_at": "2026-04-10T13:12:17.768422Z",
	"deleted_at": null,
	"sha1_hash": "d45bd99f281d4556aa9aaf19b4f47678d193c965",
	"title": "Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1263842,
	"plain_text": "Sandworm Disrupts Power in Ukraine Using a Novel Attack\r\nAgainst Operational Technology\r\nBy Mandiant\r\nPublished: 2023-11-09 · Archived: 2026-04-05 18:36:34 UTC\r\nWritten by: Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra,\r\nNathan Brubaker, Tyler McLellan, Chris Sistrunk\r\nIn late 2022, Mandiant responded to a disruptive cyber physical incident in which the Russia-linked threat actor\r\nSandworm targeted a Ukrainian critical infrastructure organization. This incident was a multi-event cyber attack\r\nthat leveraged a novel technique for impacting industrial control systems (ICS) / operational technology (OT). The\r\nactor first used OT-level living off the land (LotL) techniques to likely trip the victim’s substation circuit breakers,\r\ncausing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across\r\nUkraine. Sandworm later conducted a second disruptive event by deploying a new variant of CADDYWIPER in\r\nthe victim’s IT environment.\r\nThis attack represents the latest evolution in Russia’s cyber physical attack capability, which has been increasingly\r\nvisible since Russia’s invasion of Ukraine. The techniques leveraged during the incident suggest a growing\r\nmaturity of Russia’s offensive OT arsenal, including an ability to recognize novel OT threat vectors, develop new\r\ncapabilities, and leverage different types of OT infrastructure to execute attacks. By using LotL techniques, the\r\nactor likely decreased the time and resources required to conduct its cyber physical attack. While Mandiant was\r\nunable to determine the initial intrusion point, our analysis suggests the OT component of this attack may have\r\nbeen developed in as little as two months. 
This indicates that the threat actor is likely capable of quickly\r\ndeveloping similar capabilities against other OT systems from different original equipment manufacturers (OEMs)\r\nleveraged across the world.\r\nWe initially tracked this activity as UNC3810 before merging the cluster with Sandworm. Sandworm is a full-spectrum threat actor that has carried out espionage, influence and attack operations in support of Russia's Main\r\nIntelligence Directorate (GRU) since at least 2009. The group's long-standing central focus has been Ukraine,\r\nwhere it has carried out a campaign of disruptive and destructive attacks over the past decade using wiper\r\nmalware, including during Russia's re-invasion in 2022. Beyond Ukraine, the group continues to sustain espionage\r\noperations that are global in scope and illustrative of the Russian military's far-reaching ambitions and interests in\r\nother regions. Government indictments have linked the group to the Main Center for Special Technologies (also\r\nknown as GTsST and Military Unit 74455). Given Sandworm’s global threat activity and novel OT capabilities, we\r\nurge OT asset owners to take action to mitigate this threat. We include a range of detections, hunting and\r\nhardening guidance, MITRE ATT\u0026CK mappings and more in the appendices of this blog post.\r\nIf you need support responding to related activity, please contact Mandiant Consulting. Further analysis of\r\nSandworm threat activity is available as part of Mandiant Advantage Threat Intelligence.\r\nhttps://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology\r\nPage 1 of 19\n\nIncident Summary\r\nBased on our analysis, the intrusion began on, or prior to, June 2022 and culminated in two disruptive events on\r\nOctober 10 and 12, 2022. 
While we were unable to identify the initial access vector into the IT environment,\r\nSandworm gained access to the OT environment through a hypervisor that hosted a supervisory control and data\r\nacquisition (SCADA) management instance for the victim’s substation environment. Based on evidence of lateral\r\nmovement, the attacker potentially had access to the SCADA system for up to three months.\r\nOn October 10, the actor leveraged an optical disc (ISO) image named “a.iso” to execute a native MicroSCADA\r\nbinary in a likely attempt to execute malicious control commands to switch off substations. The ISO file contained\r\nat least the following:\r\n“lun.vbs”, which runs n.bat\r\n“n.bat”, which likely runs the native scilc.exe utility\r\n“s1.txt”, which likely contains the unauthorized MicroSCADA commands\r\nBased on a September 23 timestamp of “lun.vbs”, there was potentially a two-month time period from when the\r\nattacker gained initial access to the SCADA system to when they developed the OT capability. Although we were\r\nnot able to fully recover the ICS command execution implemented by the binary, we are aware that the attack\r\nresulted in an unscheduled power outage. Figure 1 contains a visualization of the execution chain resulting in the\r\ndisruptive OT event.\r\nFigure 1: Execution chain of disruptive OT event\r\nhttps://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology\r\nPage 2 of 19\n\nTwo days after the OT event, Sandworm deployed a new variant of CADDYWIPER in the victim’s IT\r\nenvironment to cause further disruption and potentially to remove forensic artifacts. However, we note that the\r\nwiper deployment was limited to the victim’s IT environment and did not impact the hypervisor or the SCADA\r\nvirtual machine. 
This is unusual since the threat actor had removed other forensic artifacts from the SCADA\r\nsystem in a possible attempt to cover their tracks, which would have been enhanced by the wiper activity. This\r\ncould indicate a lack of coordination across different individuals or operational subteams involved in the attack.\r\nA deeper dive on the attack lifecycle and OT capability can be found in the Technical Analysis section of the blog\r\npost.\r\nSandworm’s Threat Activity Reveals Insights into Russia’s Offensive Cyber\r\nCapabilities\r\nSandworm’s substation attack reveals notable insights into Russia’s continued investment in OT-oriented offensive\r\ncyber capabilities and overall approach to attacking OT systems. This incident and last year’s\r\nINDUSTROYER.V2 incident both show efforts to streamline OT attack capabilities through simplified\r\ndeployment features. We observed the same efforts in our analysis of a series of documents detailing project\r\nrequirements to enhance Russian offensive cyber capabilities.\r\nSimilarly, the evolution of suspected GRU-sponsored OT attacks shows a decrease in the scope of disruptive\r\nactivities per attack. The 2015 and 2016 Ukraine blackout events each featured several discrete disruptive events\r\nagainst the OT environment (e.g., disabling UPS systems, bricking serial-to-ethernet converters, conducting a DoS\r\nattack against a SIPROTEC relay, wiping OT systems, etc.). By comparison, the INDUSTROYER.V2 incidents\r\nlacked many of those same disruptive components and the malware did not feature the wiper module from the\r\noriginal INDUSTROYER. Likewise, Sandworm’s activity in the OT network appears streamlined to only\r\nexecuting unauthorized ICS command messages, with the wiper activity limited to the IT environment. 
While this\r\nshift likely reflects the increased tempo of wartime cyber operations, it also reveals the GRU’s priority objectives\r\nin OT attacks.\r\nSandworm’s use of a native Living off the Land binary (LotLBin) to disrupt an OT environment shows a\r\nsignificant shift in techniques. Using tools that are more lightweight and generic than those observed in prior OT\r\nincidents, the actor likely decreased the time and resources required to conduct a cyber physical attack. LotLBin\r\ntechniques also make it difficult for defenders to detect threat activity as they need to not only remain vigilant for\r\nnew files introduced to their environments, but also for modifications to files already present within their installed\r\nOT applications and services. As outlined in recent research detailing the GRU's disruptive playbook, we have\r\nobserved Sandworm adopting LotL tactics across its wider operations to similarly increase the speed and scale at\r\nwhich it can operate while minimizing the odds of detection.\r\nWhile we lack sufficient evidence to assess a possible link, we note that the timing of the attack overlaps with\r\nRussian kinetic operations. Sandworm potentially developed the disruptive capability as early as three weeks prior\r\nto the OT event, suggesting the attacker may have been waiting for a specific moment to deploy the capability.\r\nThe eventual execution of the attack coincided with the start of a multi-day set of coordinated missile strikes on\r\ncritical infrastructure across several Ukrainian cities, including the city in which the victim was located.\r\nhttps://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology\r\nPage 3 of 19\n\nFigure 2: Historical Russia-nexus activity impacting OT\r\nOutlook\r\nThis attack represents an immediate threat to Ukrainian critical infrastructure environments leveraging the\r\nMicroSCADA supervisory control system. 
Given Sandworm's global threat activity and the worldwide\r\ndeployment of MicroSCADA products, asset owners globally should take action to mitigate their tactics,\r\ntechniques, and procedures against IT and OT systems. Furthermore, our analysis of the activity suggests Russia\r\nwould be capable of developing similar capabilities against other SCADA systems and programming languages\r\nbeyond MicroSCADA and SCIL. We urge asset owners to review and implement the following recommendations\r\nto mitigate and detect this activity.\r\nAcknowledgements\r\nThis research was made possible thanks to the hard work of many people not listed on the byline. Mandiant would\r\nlike to acknowledge the Security Service of Ukraine (SBU) for their continued partnership and contributions to\r\nthis report as well as their on-going collaboration. This incident response engagement was funded through the\r\nUK’s Ukraine Cyber Programme (cross-government Conflict, Stability and Security Fund) and delivered by the\r\nUnited Kingdom’s Foreign, Commonwealth and Development Office.\r\nTechnical Analysis: Sandworm Attack Against Ukrainian Substations\r\nhttps://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology\r\nPage 4 of 19\n\nFigure 3: Incident targeted attack lifecycle\r\nInitial Compromise and Maintaining Presence\r\nAt this time, it is unknown how Sandworm gained initial access to the victim. Sandworm was first observed in the\r\nvictim’s environment in June 2022, when the actor deployed the Neo-REGEORG webshell on an internet-facing\r\nserver. This is consistent with the group’s prior activity scanning and exploiting internet facing servers for initial\r\naccess. 
Roughly one month later, Sandworm deployed GOGETTER, which is a tunneler written in Golang that\r\nproxies communications for its command and control (C2) server using the open-source library Yamux over TLS.\r\nWhen leveraging GOGETTER, Sandworm utilized a Systemd service unit to maintain persistence on systems. A\r\nSystemd service unit allows for a program to be run under certain conditions, and in this case, it was used to\r\nexecute the GOGETTER binary on reboot.\r\nFigure 4: Sandworm GOGETTER Systemd configuration location\r\nThe Systemd configuration file leveraged by Sandworm enabled the group to maintain persistence on systems.\r\nThe value “WantedBy” defines when the program should be run; in the configuration used by Sandworm, the\r\nsetting “multi-user.target” means that the program will be run when the host has reached a state when it will\r\naccept users logging on, for example after successful power on. This enables GOGETTER to maintain persistence\r\nacross reboots. The “ExecStart” value specifies the path of the program to be run, which in this case was\r\nGOGETTER.\r\nhttps://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology\r\nPage 5 of 19\n\nFigure 5: Sandworm GOGETTER Systemd configuration\r\nWhen deploying GOGETTER, Mandiant observed Sandworm leverage Systemd service units designed to\r\nmasquerade as legitimate or seemingly legitimate services.\r\nLateral Movement to SCADA Hypervisor and OT Attack Execution\r\nSandworm utilized a novel technique to impact the OT environment by executing code within an End-of-Life\r\n(EOL) MicroSCADA control system and issuing commands that impacted the victim’s connected substations.\r\nTable 1 summarizes the malicious files containing the new OT capability. 
We note that given the attacker’s use of\r\nanti-forensics techniques, we were not able to recover all the artifacts from the intrusion.\r\nFilename Hash Purpose\r\na.iso Unknown Contains attacker’s files\r\nlun.vbs 26e2a41f26ab885bf409982cb823ffd1 Runs n.bat\r\nn.bat Unknown Likely runs native scilc.exe utility\r\ns1.txt Unknown Likely contains SCIL commands\r\nTable 1: Malicious OT files\r\nhttps://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology\r\nPage 6 of 19\n\nTo impact the OT systems, Sandworm accessed the hypervisor that hosted a SCADA management instance for the\r\nvictim’s substation environment and leveraged an ISO image named \"a.iso\" as a virtual CD-ROM. The system\r\nwas configured to permit inserted CD-ROMs to autorun. The ISO file, at minimum, contained the following files:\r\n\"lun.vbs\" and \"n.bat\" as both files are referenced within the D volume and therefore contained within “a.iso”. The\r\ninserted ISO led to at least the following command lines execution:\r\nwscript.exe \"d:\\pack\\lun.vbs\"\r\ncmd /c \"D:\\pack\\n.bat\"\r\nBased on forensic analysis, we believe “lun.vbs” contents are the following (Figure 6):\r\nFigure 6: “lun.vbs” contents\r\nThe contents in Figure 6 indicate that “lun.vbs” executes “n.bat”. Additional fragments recovered include text\r\nconsistent with Windows command line execution (Figure 7). This fragment was identified by analyzing images\r\nfrom the host. Reconstruction of the host’s anti-virus logs indicates “lun.vbs” and “n.bat” were executed in close\r\ntime proximity. Because of this and the reference to the attacker’s ISO folder path, we believe that the command\r\nfragment in Figure 7 is likely the contents of “n.bat”.\r\nFigure 7: Command fragment\r\nThe syntax of the command fragment includes “scilc.exe”, a native utility that is part of the MicroSCADA\r\nsoftware suite. 
The utility is located in the “\\sc\\prog\\exec” folder within the MicroSCADA installation directory,\r\namongst other utilities, libraries, and resources used by MicroSCADA. The impacted MicroSCADA system was\r\nrunning an EOL software version that allowed default access to the SCIL-API. The “-do” flag specifies a SCIL\r\nprogram file to execute (Figure 8). Lastly, the command supplies a file named “s1.txt” in the \"pack\\scil\\\" folder of\r\nthe attacker's ISO. We assess \"pack\\scil\\s1.txt\" is likely a file containing SCIL commands the attackers executed in\r\nMicroSCADA. This file was unrecoverable at the time of analysis.\r\nhttps://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology\r\nPage 7 of 19\n\nFigure 8: Scilc.exe usage example\r\nAccording to Hitachi Energy’s documentation, SCIL is a high level programming language designed for\r\nMicroSCADA control systems and can operate the system and its features (Figure 9). SCIL programs are\r\ngenerally text-based statements that can be composed of commands, objects, variables, calls to predefined\r\nfunctions, and expressions. There are several methods in which SCIL programs can execute, such as an\r\nengineer/operator clicking a button or image within the MicroSCADA system, scheduled or process derived\r\nchanges, or in this case manual execution.\r\nWhile we were unable to identify the SCIL commands executed, we believe they were probably commands to\r\nopen circuit breakers in the victim’s substation environments. 
The SCIL commands would have caused the\r\nMicroSCADA server to relay the commands to the substation RTUs via either the IEC-60870-5-104 protocol for\r\nTCP/IP connections or the IEC-60870-5-101 protocol for serial connections.\r\nSandworm Deployed New CADDYWIPER Variant to Further Disrupt the Victim’s IT\r\nEnvironment\r\nTwo days following the OT activity, Sandworm deployed a new variant of CADDYWIPER throughout the IT\r\nenvironment. This CADDYWIPER variant, compiled in October 2022, contains some minor functionality\r\nimprovements that allow threat actors to resolve functions at runtime. We have observed CADDYWIPER\r\ndeployed across several verticals in Ukraine, including the government and financial sectors, throughout Russia’s\r\ninvasion of Ukraine.\r\nCADDYWIPER is a disruptive wiper written in C that is focused on making data irrecoverable and causing\r\nmaximum damage within an environment. CADDYWIPER will attempt to wipe all files before proceeding to\r\nwipe any mapped drives. It will then attempt to wipe the physical drive partition itself. Notably, CADDYWIPER\r\nhas been the most frequently used disruptive tool against Ukrainian entities during the war and has seen consistent\r\noperational use since March 2022, based on public reporting. We have observed Sandworm utilize\r\nCADDYWIPER in disruptive operations across multiple intrusions.\r\nSandworm deployed CADDYWIPER in this operation via two Group Policy Objects (GPO) from a Domain\r\nController using TANKTRAP. TANKTRAP is a utility written in PowerShell that utilizes Windows group policy\r\nto spread and launch a wiper. We have observed TANKTRAP being used with other disruptive tools including\r\nNEARMISS, SDELETE, PARTYTICKET, and CADDYWIPER. 
These group policies contained instructions to\r\ncopy a file from a server to the local hard drive and to schedule a task to run the copied file at a particular time.\r\nFigure 10: Sandworm TANKTRAP GPO 1\r\nFigure 11: Sandworm TANKTRAP GPO 2\r\nhttps://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology\r\nPage 9 of 19\n\nBoth TANKTRAP GPOs deployed CADDYWIPER from a staged directory to systems as msserver.exe.\r\nCADDYWIPER was then executed as a scheduled task at a predetermined time.\r\nItem Value\r\nTask Name qAWZe\r\nLegacy Task Name QcWBX\r\nCommand to Run C:\\Windows\\msserver.exe\r\nTrigger Run at 2022-10-12 16:50:40\r\nTable 2: Sandworm TANKTRAP GPO 1 Scheduled Task\r\nItem Value\r\nTask Name QJKWt\r\nLegacy Task Name zJMwY\r\nCommand to Run C:\\Windows\\msserver.exe\r\nTrigger Run at 2022-10-12 17:15:59\r\nTable 3: Sandworm TANKTRAP GPO 2 Scheduled Task\r\nAppendix A: Discovery and Hardening Guidance\r\nIn this incident, the attacker leveraged an EOL version of the MicroSCADA supervisory control system. The\r\nSCIL-API interface in MicroSCADA has been disabled-by-default since the release of MicroSCADA 9.4 in 2014.\r\nIf required to continue using the interface, asset owners can refer to MRK511518 MicroSCADA X Cyber Security\r\nhttps://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology\r\nPage 10 of 19\n\nDeployment Guideline on how to harden the MicroSCADA. Please contact the Hitachi Energy MicroSCADA\r\nsupport team to obtain the documentation.\r\nWe note that the MicroSCADA control system became a Hitachi Energy product in 2022 after a divestiture from\r\nABB. 
Asset owners should reference both vendors in asset inventories and manual asset inspections to determine\r\nif the product is present in any OT environments.\r\nHarden MicroSCADA and other SCADA management hosts:\r\nUpdate MicroSCADA to supported versions.\r\nConfigure MicroSCADA to require authentication and establish a least privilege design for user\r\npermissions.\r\nEstablish robust network segmentation between MicroSCADA hosts and IT networks.\r\nEnable robust application logging for MicroSCADA and aggregate logs to a central location.\r\nIf/where feasible, configure the base system in “read-only” mode and ensure no external SCIL-API\r\nprograms (such as scilc.exe) are allowed.\r\nConsult with OEMs for installed SCADA software to identify similar methods of code execution within\r\ntheir software and to obtain guidance on mitigations.\r\nMonitor MicroSCADA systems and other SCADA management systems for:\r\nCommand-line execution of MicroSCADA “Scilc.exe” binary and other native MicroSCADA binaries that\r\nmay be leveraged to execute unauthorized SCIL program/commands.\r\nNetwork traffic and process related telemetry to/from host(s) operating the MicroSCADA software.\r\nInvestigate anomalous activity and correlate findings with process telemetry.\r\nFiles transferred or moved onto MicroSCADA hosts.\r\nNewly created files with MicroSCADA or SCIL programming language references.\r\nUnauthorized changes in MicroSCADA system configuration and data.\r\nAppendix B: Indicators of Compromise (IOCs)\r\nIndicator Description\r\n82.180.150[.]197\r\nSource IP address for requests to Neo-REGEORG \r\n176.119.195[.]113\r\nSource IP address for requests to Neo-REGEORG \r\nhttps://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology\r\nPage 11 of 19\n\n176.119.195[.]115\r\nSource IP address for requests to Neo-REGEORG\r\n185.220.101[.]58\r\nSource IP address for requests to Neo-REGEORG\r\n190.2.145[.]24 C2 for GOGETTER \r\nMozilla/5.0 (X11; 
Linux x86_64; rv:38.0) Gecko/20100101\r\nFirefox/38.0\r\nUser agent for requests to Neo-REGEORG \r\nMozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101\r\nFirefox/91.0\r\nUser agent for requests to Neo-REGEORG\r\nFile Name MD5 Hash Type\r\nFunctions.php 3290cd8f948b8b15a3c53f8e7190f9b0 Neo-REGEORG\r\ncloud-online cea123ebf54b9d4f8811a47134528f12 GOGETTER\r\nlun.vbs 26e2a41f26ab885bf409982cb823ffd1 Runs n.bat\r\nn.bat UNKNOWN Likely runs scilc.exe\r\na.iso UNKNOWN Likely contains attacker files\r\nmsserver.exe /\r\nlhh.exe\r\nb2557692a63e119af0a106add54950e6 CADDYWIPER\r\nhttps://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology\r\nPage 12 of 19\n\nFiles.xml Not Applicable\r\nPart of TANKTRAP Group Policy; File\r\nCopy\r\nScheduledTasks.xml 61c245a073bdb08158a3c9ad0219dc23 Part of TANKTRAP Group Policy; Task\r\nScheduledTasks.xml 82ab2c7e4d52bb2629aff200a4dc6630 Part of TANKTRAP Group Policy; Task\r\ns1.txt UNKNOWN Likely contains SCIL commands\r\nTable 5: Endpoint IOCs\r\nAppendix C: YARA Rules\r\nrule M_Methodology_MicroSCADA_SCILC_Strings\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date = \"2023-02-13\"\r\n description = \"Searching for files containing strings associated with the MicroSCADA Supervisory Contr\r\n disclaimer = \"This rule is for hunting purposes only and has not been tested to run in a production en\r\n strings:\r\n $s1 = \"scilc.exe\" ascii wide\r\n $s2 = \"Scilc.exe\" ascii wide\r\n $s3 = \"SCILC.exe\" ascii wide\r\n $s4 = \"SCILC.EXE\" ascii wide\r\n condition:\r\n filesize \u003c 1MB and\r\n any of them\r\n}\r\nrule M_Hunting_MicroSCADA_SCILC_Program_Execution_Strings\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date = \"2023-02-13\"\r\n description = \"Searching for files containing strings associated with execution of the MicroSCADA Supe\r\n disclaimer = \"This rule is for hunting purposes only and has not been tested to run in a production en\r\n strings:\r\n $s = \"scilc.exe -do\" nocase ascii 
wide\r\nhttps://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology\r\nPage 13 of 19\n\ncondition:\r\n filesize \u003c 1MB and\r\n all of them\r\n}\r\nrule M_Methodology_MicroSCADA_Path_Strings\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date = \"2023-02-27\"\r\n description = \"Searching for files containing references to MicroSCADA filesystem path containing nati\r\n disclaimer = \"This rule is for hunting purposes only and has not been tested to run in a production en\r\n strings:\r\n $s1 = \"sc\\\\prog\\\\exec\" nocase ascii wide\r\n condition:\r\n filesize \u003c 1MB and\r\n $s1\r\n}\r\nrule M_Hunting_VBS_Batch_Launcher_Strings\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date = \"2023-02-13\"\r\n description = \"Searching for VBS files used to launch a batch script.\"\r\n disclaimer = \"This rule is for hunting purposes only and has not been tested to run in a production en\r\n strings:\r\n $s1 = \"CreateObject(\\\"WScript.Shell\\\")\" ascii\r\n $s2 = \"WshShell.Run chr(34) \u0026\" ascii\r\n $s3 = \"\u0026 Chr(34), 0\" ascii\r\n $s4 = \"Set WshShell = Nothing\" ascii\r\n $s5 = \".bat\" ascii\r\n condition:\r\n filesize \u003c 400 and\r\n all of them\r\n}\r\nrule M_Hunting_APT_Webshell_PHP_NEOREGEORG\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Searching for REGEORG webshells.\"\r\n disclaimer = \"This rule is for hunting purposes only and has not been tested to run in a production en\r\nhttps://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology\r\nPage 14 of 19\n\nstrings:\r\n $php = \"\u003c?php\" nocase\r\n $regeorg1 = {24 72 61 77 50 6f 73 74 44 61 74 61 20 3d 20 66 69 6c 65 5f 67 65 74 5f 63 6f 6e 74 65 6e\r\n $regeorg2 = {20 24 77 72 69 74 65 42 75 66 66 20 3d 20 24 5f 53 45 53 53 49 4f 4e 5b 24 77 72 69 74 65\r\n $regeorg3 = {20 75 73 6c 65 65 70 28 35 30 30 30 30 29 3b}\r\n $regeorg4 = {20 24 61 72 68 5f 6b 65 79 20 3d 20 70 72 65 67 5f 72 65 70 6c 61 63 65 28 24 
72 78 5f 68\r\n $regeorg5 = {20 24 72 75 6e 6e 69 6e 67 20 3d 20 24 5f 53 45 53 53 49 4f 4e 5b 24 72 75 6e 5d 3b}\r\n $regeorg6 = {20 24 72 78 5f 68 74 74 70 20 3d 20 27 2f 5c 41 48 54 54 50 5f 2f 27 3b}\r\n condition:\r\n (5 of ($regeorg*)) and\r\n $php\r\n}\r\nrule M_Hunting_GOGETTER_SystemdConfiguration_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Searching for Systemd Unit Configuration Files but with some known filenames observed w\r\n disclaimer = \"This rule is for hunting purposes only and has not been tested to run in a production en\r\n strings:\r\n $a1 = \"[Install]\" ascii fullword\r\n $a2 = \"[Service]\" ascii fullword\r\n $a3 = \"[Unit]\" ascii fullword\r\n $v1 = \"Description=\" ascii\r\n $v2 = \"ExecStart=\" ascii\r\n $v3 = \"Restart=\" ascii\r\n $v4 = \"RestartSec=\" ascii\r\n $v5 = \"WantedBy=\" ascii\r\n $f1 = \"fail2ban-settings\" ascii fullword\r\n $f2 = \"system-sockets\" ascii fullword\r\n $f3 = \"oratredb\" ascii fullword\r\n $f4 = \"cloud-online\" ascii fullword\r\n condition:\r\n filesize \u003c 1MB and (3 of ($a*)) and (3 of ($v*)) and (1 of ($f*))\r\n}\r\nAppendix D: SIGMA and YARA-L Rules\r\ntitle: MicroSCADA SCILC Command Execution\r\ndescription: Identification of Events or Host Commands that are related to the MicroSCADA SCILC programming lang\r\nauthor: Mandiant\r\ndate: 2023/02/27\r\nlogsource:\r\nhttps://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology\r\nPage 15 of 19\n\nproduct: windows\r\n service: security\r\ndetection:\r\n selection:\r\n NewProcessName|endswith:\r\n - \\scilc.exe\r\n CommandLine|contains:\r\n - -do\r\n condition: selection\r\nfalsepositives:\r\n - Red Team\r\nlevel: High\r\ntags:\r\n - attack.execution\r\n - attack.T1059\r\nrule M_YARAL_Methodology_ProcessExec_SCILC_Do_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"YARA-L rule hunting for instances of process execution of the scilc.exe process with -do\r\n severity = \"Low\"\r\n reference 
= \" https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-overview\"\r\n \r\n events:\r\n $e.metadata.event_type = \"PROCESS_LAUNCH\"\r\n $e.target.process.command_line = /\\s+\\-do\\s+[^\\-\\s]+/ nocase\r\n $e.target.process.file.full_path = /scilc\\.exe$/ nocase\r\n condition:\r\n $e\r\n}\r\nAppendix E: MITRE ATT\u0026CK for ICS Mapping\r\nTactic Technique Procedure\r\nhttps://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology\r\nPage 16 of 19\n\nInitial\r\nAccess\r\nT0847: Replication\r\nThrough Removable\r\nMedia\r\nSandworm accessed a hypervisor that hosted a SCADA\r\nmanagement instance for the victim’s substation environment and\r\nleveraged an ISO image named \"a.iso\" as a logical CD-ROM\r\ninserted into the CD-ROM drive of the SCADA virtual machine.\r\nThe system was configured to permit inserted CD-ROMs to\r\nautorun.\r\nExecution\r\nT0807: Command-Line\r\nInterface\r\nSandworm leveraged malicious files that led to at least the\r\nfollowing command lines execution: \r\nwscript.exe \"d:\\pack\\lun.vbs\" \r\ncmd /c \"D:\\pack\\n.bat\" \r\nAdditional fragments recovered include text consistent with\r\nWindows command line execution:\r\nC:\\sc\\prog\\exec\\scilc.exe -do pack\\scil\\s1.txt\r\nExecution\r\nT0871: Execution\r\nThrough API\r\nSandworm utilized the native MicroSCADA “scilc.exe” binary to\r\nexecute an external SCIL program via the SCIL-API.\r\nExecution T0853: Scripting\r\nSandworm leveraged Visual Basic Scripts, such as “lun.vbs”. 
The\r\ncontents of “lun.vbs” include the following:\r\nSet WshShell = CreateObject(\"WScript.Shell\")\r\nWshShell.Run chr(34) \u0026 \"pack\\n.bat\" \u0026 Chr(34), 0\r\nSet WshShell = Nothing\r\nEvasion\r\nT0872: Indicator\r\nRemoval on Host\r\nSandworm deployed CADDYWIPER malware and deleted files\r\nto remove forensic artifacts.\r\nInhibit\r\nResponse\r\nFunction\r\nT0809: Data\r\nDestruction\r\nSandworm deployed CADDYWIPER to wipe all files, any\r\nmapped drives, and the physical drive partition of impacted\r\nsystems. The actor deleted files related to the OT capability.\r\nImpair\r\nProcess\r\nControl\r\nT0855: Unauthorized\r\nCommand Message\r\nSandworm utilized “scilc.exe” to execute unauthorized SCIL\r\ncommands that would have caused the MicroSCADA server to\r\nrelay the commands to the substation RTUs via either the IEC-60870-5-104 protocol for TCP/IP connections or the IEC-60870-5-101 protocol for serial connections.\r\nImpact\r\nT0831: Manipulation of\r\nControl\r\nSandworm caused a manipulation of control of the power\r\ndistribution system via unauthorized SCIL commands. 
These\r\nwere likely commands to open circuit breakers in the victim’s\r\nsubstation environments.\r\nTable 6: MITRE ATT\u0026CK for ICS mapping\r\nAppendix F: Validation Content\r\nVID Title\r\nA106-441 Malicious File Transfer - REGEORG.NEO, Download, Variant #1\r\nA106-442 Malicious File Transfer - Sandworm, GOGETTER, Download, Variant #5\r\nA106-443 Web Shell Activity - REGEORG.NEO, Initial Connection, Variant #1\r\nA106-440 Malicious File Transfer - CADDYWIPER, Download, Variant #6\r\nA106-438 Host CLI - Sandworm, GOGETTER, Systemd Service\r\nA106-446 Host CLI - Sandworm, CADDYWIPER, Scheduled Task, Variant #2\r\nA106-439 Host CLI - Sandworm, CADDYWIPER, Scheduled Task, Variant #1\r\nA106-437 Protected Theater - CADDYWIPER, Execution, Variant #2\r\nS100-280 Malicious Activity Scenario - Sandworm Disrupts Power Using a Novel Attack Against Operational Technology Systems\r\nSource: https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology"
	],
	"report_names": [
		"sandworm-disrupts-power-ukraine-operational-technology"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434416,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d45bd99f281d4556aa9aaf19b4f47678d193c965.pdf",
		"text": "https://archive.orkl.eu/d45bd99f281d4556aa9aaf19b4f47678d193c965.txt",
		"img": "https://archive.orkl.eu/d45bd99f281d4556aa9aaf19b4f47678d193c965.jpg"
	}
}