C0025: 2016 Ukraine Electric Power Attack
2016 Ukraine Electric Power Attack was a Sandworm Team campaign during which they used Industroyer malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by Sandworm Team.[1][2]
Analyst context for executives and security teams
This campaign matters because ATT&CK describes a real-world disruption of Ukrainian electric distribution substations using Industroyer malware. For executives, the lesson is not just malware naming; it is that enterprise Windows activity, credential abuse, remote administration, and lateral movement can become cyber-physical risk when they bridge into industrial control environments.
Executive priority
Treat this as a resilience and governance test case for organizations with OT/ICS exposure. Leaders should ask whether identity controls, Windows administration monitoring, segmentation between enterprise and control environments, and incident response plans can produce evidence fast enough during a substation-impacting event. Budget priority should favor controls that reduce credential misuse and remote movement into operational networks, not only malware signatures.
Technical view
ATT&CK provides no official detection text for this campaign, but the relationships give defenders concrete validation targets: Industroyer on Windows, use of command-line and scripting, Valid Accounts, Remote Services, lateral tool transfer, SMB/Windows admin shares, WMI, PowerShell, Windows command shell, LSASS credential access, remote system discovery, brute force, account manipulation, obfuscation, packing, and masquerading. SOC and IR teams should validate whether these behaviors are visible across Windows hosts, identity systems, remote access paths, file shares, and control-system-adjacent networks.
Likely telemetry
- Windows process creation and command-line logging for cmd, PowerShell, WMI, scripts, and administrative tools
- Authentication logs for successful and failed logons, brute-force patterns, remote service use, and account changes
- Endpoint security telemetry for LSASS access, packed or obfuscated executables, suspicious file names, and masqueraded file types
- SMB/admin share access logs, file copy events, and lateral tool transfer evidence
- Network telemetry for remote services such as SMB, RDP, SSH, and other operator or administrator access paths
Detection direction
- Do not rely on a single Industroyer signature; validate behavioral coverage across credential access, discovery, lateral movement, execution, masquerading, and tool transfer.
- Tune detections for administrative false positives: WMI, PowerShell, SMB, command shells, and remote services are legitimate in many environments, so alerts need asset role, user role, time, and change-window context.
- Correlate identity events with host and network activity. Valid account use, account manipulation, and brute force become more material when followed by remote services, admin share access, or execution on control-system-adjacent hosts.
- Specifically test visibility at enterprise-to-OT boundaries. A common blind spot is good enterprise EDR coverage but weak logging on jump hosts, engineering workstations, file shares, or remote administration paths into ICS environments.
- Because ATT&CK provides no official detection guidance for this campaign object, use the related techniques and software as validation inputs rather than assuming complete campaign-level coverage.
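The correlation the list above asks for can be expressed as a small rule set over normalized Windows telemetry. The block below is an added example written for this page; it is not Glexia, MITRE, Dragos or ESET code. It maps individual events to the techniques listed on this page (masquerade account creation, brute force, admin share access, `cmd.exe` spawned by `sqlservr.exe` as the `xp_cmdshell` pattern, non-system access to `lsass.exe`) and then escalates only when identity-stage activity is joined by lateral movement, execution or credential access from the same pivot inside a time window. All sample events, hostnames, IP addresses and the threshold and window values are constructed assumptions, not data from the campaign.

```python
"""Per-pivot correlation of the Windows telemetry named on this page.

Added example, not Glexia or MITRE code. Event shapes are simplified,
normalized Windows Security / Sysmon records and all samples are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Account names reported for this campaign (page: "admin" and "система").
MASQUERADE_ACCOUNT_NAMES = {"admin", "система"}
BRUTE_FORCE_THRESHOLD = 5                 # assumed tuning value, not from the page
BRUTE_FORCE_WINDOW = timedelta(minutes=10)
CORRELATION_WINDOW = timedelta(hours=2)   # assumed tuning value, not from the page

# Constructed sample events. event_id 4625 = failed logon, 4720 = account created,
# 5140 = network share accessed (Windows Security); 1 = process create,
# 10 = process access (Sysmon). Hosts and addresses are made up.
SAMPLE_EVENTS = [
    *[{"ts": f"2016-12-17T20:0{i}:00", "host": "ENG-WS01", "event_id": 4625,
       "user": "operator", "src_ip": "10.0.5.21"} for i in range(6)],
    {"ts": "2016-12-17T20:15:00", "host": "DC01", "event_id": 4720,
     "user": "система", "src_ip": "10.0.5.21"},
    {"ts": "2016-12-17T20:20:00", "host": "ENG-WS01", "event_id": 5140,
     "user": "admin", "share": "\\\\*\\ADMIN$", "src_ip": "10.0.5.21"},
    {"ts": "2016-12-17T20:25:00", "host": "SQL01", "event_id": 1,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe"},
    {"ts": "2016-12-17T20:30:00", "host": "ENG-WS01", "event_id": 10,
     "source_image": "C:\\Users\\Public\\mim.txt",
     "target_image": "C:\\Windows\\System32\\lsass.exe"},
    # Routine backup job touching C$ with nothing else around it: stays medium.
    {"ts": "2016-12-17T21:00:00", "host": "FILE01", "event_id": 5140,
     "user": "svc_backup", "share": "\\\\*\\C$", "src_ip": "10.0.9.9"},
]


def atomic_findings(events):
    """Map single events or short bursts to techniques listed on this page."""
    findings = []
    failures = defaultdict(list)  # (src_ip, host) -> recent 4625 timestamps
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        pivot = e.get("src_ip", e["host"])  # correlate by source when one is known
        eid = e["event_id"]
        hit = None
        if eid == 4720 and e["user"].lower() in MASQUERADE_ACCOUNT_NAMES:
            hit = ("T1136/T1036.010", "identity")
        elif eid == 4625:
            key = (e["src_ip"], e["host"])
            failures[key] = [t for t in failures[key] if ts - t <= BRUTE_FORCE_WINDOW] + [ts]
            if len(failures[key]) == BRUTE_FORCE_THRESHOLD:  # fire once per burst
                hit = ("T1110", "identity")
        elif eid == 5140 and e["share"].rstrip("\\").endswith("$"):
            hit = ("T1021.002", "lateral")
        elif (eid == 1 and e["parent_image"].lower().endswith("sqlservr.exe")
              and e["image"].lower().endswith("cmd.exe")):
            hit = ("T1059.003", "execution")
        elif (eid == 10 and e["target_image"].lower().endswith("lsass.exe")
              and not e["source_image"].lower().startswith("c:\\windows\\")):
            hit = ("T1003.001", "credential")
        if hit:
            findings.append({"pivot": pivot, "host": e["host"], "ts": ts,
                             "technique": hit[0], "stage": hit[1]})
    return findings


def correlate(findings, window=CORRELATION_WINDOW):
    """Escalate a pivot (source IP or host) when identity-stage activity is
    joined by lateral movement, execution or credential access inside the window."""
    by_pivot = defaultdict(list)
    for f in findings:
        by_pivot[f["pivot"]].append(f)
    alerts = {}
    for pivot, items in by_pivot.items():
        items.sort(key=lambda f: f["ts"])
        stages = {f["stage"] for f in items}
        span = items[-1]["ts"] - items[0]["ts"]
        chained = ("identity" in stages
                   and bool(stages & {"lateral", "execution", "credential"})
                   and span <= window)
        alerts[pivot] = {
            "techniques": sorted({f["technique"] for f in items}),
            "hosts": sorted({f["host"] for f in items}),
            "severity": "high" if chained else "medium",
        }
    return alerts


if __name__ == "__main__":
    for pivot, alert in correlate(atomic_findings(SAMPLE_EVENTS)).items():
        print(pivot, alert)
```

Run on the constructed sample, the source `10.0.5.21` is raised to high because brute force and a masquerade account creation are followed by admin share access within the window, while the backup job on `FILE01`, the lone `sqlservr.exe` to `cmd.exe` spawn and the lone LSASS access stay at medium until more context arrives. In production the pivot key, the thresholds and the asset-role exemptions for administrative tooling would be tuned per environment, as the list above recommends.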
Mitigation priorities
- Prioritize segmentation and controlled remote administration between enterprise networks and ICS/substation environments.
- Harden identity paths: reduce standing privilege, monitor privileged and service accounts, address brute-force exposure, and review account manipulation controls.
- Restrict and monitor remote services, SMB/admin shares, WMI, PowerShell, command shells, and scripting where they are not operationally required.
- Apply strict change control and application allowlisting concepts for control-system-adjacent Windows systems where feasible.
- Prepare IR playbooks that connect SOC investigation, identity containment, OT engineering validation, and business continuity decisions for distribution-substation disruption scenarios.
Analyst notes and limits
ATT&CK attributes this campaign to Sandworm Team and links it to Industroyer malware used against Ukrainian power grid distribution substations in December 2016. The object is in the enterprise ATT&CK domain, while several relationships point to ICS ATT&CK techniques, making this most useful as a cross-domain enterprise-to-OT readiness case.
The supplied campaign fields list no platforms or tactics and provide no official detection section. Platform and behavior guidance above is derived from the supplied relationships, especially Industroyer on Windows and the related enterprise and ICS techniques. Local architecture, logging depth, and OT asset inventory are required to determine actual exposure or coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.005 | Visual Basic Sub-technique | During the 2016 Ukraine Electric Power Attack, Sandworm Team created VBScripts to run on an SSH server. (Citation: Dragos Crashoverride 2018) |
| Enterprise | T1036.008 | Masquerade File Type Sub-technique | During the 2016 Ukraine Electric Power Attack, Sandworm Team masqueraded executables as `.txt` files. (Citation: Dragos Crashoverride 2018) |
| Enterprise | T1059.001 | PowerShell Sub-technique | During the 2016 Ukraine Electric Power Attack, Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses. (Citation: Dragos Crashoverride 2018) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files. (Citation: Dragos Crashoverride 2017) |
| Enterprise | T1505.001 | SQL Stored Procedures Sub-technique | During the 2016 Ukraine Electric Power Attack, Sandworm Team used various MS-SQL stored procedures. (Citation: Dragos Crashoverride 2018) |
| Enterprise | T1136 | Create Account | During the 2016 Ukraine Electric Power Attack, Sandworm Team added a login to a SQL Server with `sp_addlinkedsrvlogin`. (Citation: Dragos Crashoverride 2018) |
| Enterprise | T1685.001 | Disable or Modify Windows Event Log Sub-technique | During the 2016 Ukraine Electric Power Attack, Sandworm Team disabled event logging on compromised systems. (Citation: Dragos Crashoverride 2018) |
| Enterprise | T1570 | Lateral Tool Transfer | During the 2016 Ukraine Electric Power Attack, Sandworm Team used `move` to transfer files to a network share. (Citation: Dragos Crashoverride 2018) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | During the 2016 Ukraine Electric Power Attack, Sandworm Team used the `xp_cmdshell` command in MS-SQL. (Citation: Dragos Crashoverride 2018) |
| Enterprise | T1027 | Obfuscated Files or Information | During the 2016 Ukraine Electric Power Attack, Sandworm Team used heavily obfuscated code with Industroyer in its Windows Notepad backdoor. (Citation: ESET Industroyer) |
| Enterprise | T1543.003 | Windows Service Sub-technique | During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary. (Citation: Dragos Crashoverride 2017) |
| Enterprise | T1027.002 | Software Packing Sub-technique | During the 2016 Ukraine Electric Power Attack, Sandworm Team used UPX to pack a copy of Mimikatz. (Citation: Dragos Crashoverride 2018) |
| Enterprise | T1036.010 | Masquerade Account Name Sub-technique | During the 2016 Ukraine Electric Power Attack, Sandworm Team created two new accounts, “admin” and “система” (System). (Citation: Dragos Crashoverride 2018) |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | During the 2016 Ukraine Electric Power Attack, Sandworm Team used Mimikatz to capture and use legitimate credentials. (Citation: Dragos Crashoverride 2018) |
| Enterprise | T1047 | Windows Management Instrumentation | During the 2016 Ukraine Electric Power Attack, WMI in scripts was used for remote execution and system surveys. (Citation: Dragos Crashoverride 2018) |
| Enterprise | T1098 | Account Manipulation | During the 2016 Ukraine Electric Power Attack, Sandworm Team used the `sp_addlinkedsrvlogin` command in MS-SQL to create a link between a created account and other servers in the network. (Citation: Dragos Crashoverride 2018) |
| Enterprise | T1110 | Brute Force | During the 2016 Ukraine Electric Power Attack, Sandworm Team used a script to attempt RPC authentication against a number of hosts. (Citation: Dragos Crashoverride 2018) |
| Enterprise | T1136.002 | Domain Account Sub-technique | During the 2016 Ukraine Electric Power Attack, Sandworm Team created two new accounts, “admin” and “система” (System). The accounts were then assigned to a domain matching local operation and were delegated new privileges. (Citation: Dragos Crashoverride 2018) |
| Enterprise | T1018 | Remote System Discovery | During the 2016 Ukraine Electric Power Attack, Sandworm Team checked for connectivity to resources within the network and used LDAP to query Active Directory, discovering information about computers listed in AD. (Citation: Dragos Crashoverride 2018) |
| Enterprise | T1554 | Compromise Host Software Binary | During the 2016 Ukraine Electric Power Attack, Sandworm Team used a trojanized version of Windows Notepad to add a layer of persistence for Industroyer. (Citation: ESET Industroyer) |
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | During the 2016 Ukraine Electric Power Attack, Sandworm Team utilized `net use` to connect to network shares. (Citation: Dragos Crashoverride 2018) |
Groups, software, and campaigns
G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
S0604: Industroyer
Industroyer is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.[1] Industroyer was used in the attacks on the Ukrainian power grid in December 2016.[2] This is the first publicly known malware specifically designed to target and impact operations in the electric grid.[3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2026d7b5a99c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ESET Industroyer: Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
- [2] Dragos Crashoverride 2018: Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
- [3] mitre-attack C0025
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.