C0028: 2015 Ukraine Electric Power Attack
2015 Ukraine Electric Power Attack was a Sandworm Team campaign during which they used BlackEnergy (specifically BlackEnergy3) and KillDisk to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.
Analyst context for executives and security teams
The 2015 Ukraine Electric Power Attack matters because it is a public ATT&CK campaign example of cyber activity disrupting electric power transmission and distribution substations. For leaders, the decision value is not only the named malware, BlackEnergy and KillDisk, but the combination of enterprise intrusion behaviors, remote access, credential use, lateral movement, and ICS impact techniques that can turn an IT compromise into an operational resilience event.
Executive priority
Treat this campaign as a board-level resilience reference case for organizations with industrial operations, utilities exposure, or dependencies on critical infrastructure. Priority questions include: can security teams prove separation and monitored access between enterprise and control environments; are remote services and valid accounts governed tightly enough for ICS risk; and do incident response plans cover destructive malware and loss of control or availability scenarios, not just data theft. It is especially relevant for business continuity, crisis communications, compliance evidence, and cyber-physical risk exercises.
Technical view
ATT&CK does not provide a detection section for this campaign, so defenders should validate coverage from the relationships. The campaign is attributed in ATT&CK to Sandworm Team and is associated with BlackEnergy on Windows and KillDisk on Windows/Linux, plus enterprise techniques such as Remote System Discovery, Network Sniffing, and Process Injection. ICS relationships include External Remote Services, GUI access, Valid Accounts, Remote Services, Lateral Tool Transfer, Connection Proxy, Commonly Used Port, and multiple operational impact techniques including Denial of Control, Denial of Service, Device Restart/Shutdown, Loss of Availability, Loss of Control, Loss of Productivity and Revenue, and Manipulation of Control. SOC and IR teams should test whether telemetry connects identity activity, remote access, host events, network movement, and control-system operational anomalies into one investigation path.
Likely telemetry
- Remote access gateway logs for VPN, Citrix, and other external remote services where present
- Authentication logs for user, service, vendor, and default-account usage in enterprise and control environments
- Windows and Linux endpoint telemetry relevant to malware execution, file overwrite/wiping behavior, and process injection
- Network discovery evidence such as host enumeration, scanning, name resolution, and unusual system-to-system connections
- Packet capture, flow logs, or IDS telemetry for network sniffing indicators, proxy-like behavior, and communication over commonly used ports
Detection direction
- Because ATT&CK provides no official detection text for this campaign, build detections from the related software and techniques rather than from the campaign object alone.
- Correlate remote access, valid-account use, and GUI/remote service sessions with changes in ICS command activity and device state; isolated alerts may miss the cross-domain nature of the behavior.
- Tune discovery and lateral transfer detections to distinguish authorized engineering, maintenance, and vendor activity from unusual enumeration or file movement between enterprise and control-system assets.
- Review network monitoring for commonly used ports and proxy patterns, but avoid assuming port numbers imply protocol legitimacy; baseline normal ICS and remote administration paths first.
- Validate destructive-malware readiness around KillDisk-like outcomes: unusual file overwrite activity, systems becoming unbootable, and rapid loss of host availability.
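The cross-domain correlation called for above, written out as an added example (not ATT&CK or Glexia content): external remote service session, account logon, and ICS command events are normalised to one schema and chained by account within a time window. The event schema, account names, host names and timestamps are constructed for the example.

```python
"""Cross-domain correlation of external remote access, account logon and ICS commands.

Added example for this page; it is not part of ATT&CK or Glexia content. The
event schema, account names, host names and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    source: str   # "remote" = external remote service gateway, "auth" = logon, "ics" = control command
    account: str
    detail: str


# Constructed sample telemetry, already normalised to one schema.
SAMPLE_EVENTS = [
    Event(datetime(2024, 1, 10, 2, 5), "remote", "svc_vendor", "VPN session opened from external address"),
    Event(datetime(2024, 1, 10, 2, 7), "auth", "svc_vendor", "interactive logon to HMI-WS01"),
    Event(datetime(2024, 1, 10, 2, 15), "ics", "svc_vendor", "breaker OPEN issued from HMI-WS01"),
    Event(datetime(2024, 1, 10, 9, 0), "auth", "eng_jdoe", "interactive logon to HMI-WS02"),
    Event(datetime(2024, 1, 10, 9, 30), "ics", "eng_jdoe", "setpoint change from HMI-WS02"),
    Event(datetime(2024, 1, 9, 22, 0), "remote", "svc_vendor", "VPN session opened from external address"),
    Event(datetime(2024, 1, 10, 1, 0), "ics", "svc_vendor", "breaker CLOSE issued from HMI-WS01"),
]


def correlate(events, window=timedelta(minutes=60)):
    """Return one finding per ICS command that follows an external remote session
    by the same account within `window`. Severity is "high" when a logon by that
    account was also observed between the two, "medium" when no logon was seen
    (a possible telemetry gap, not a reason to discard the chain)."""
    ordered = sorted(events, key=lambda e: e.ts)
    findings = []
    for cmd in ordered:
        if cmd.source != "ics":
            continue
        # External sessions by the same account that opened inside the look-back window.
        remote = [e for e in ordered
                  if e.source == "remote" and e.account == cmd.account
                  and cmd.ts - window <= e.ts <= cmd.ts]
        if not remote:
            continue
        entry = remote[0]  # earliest external session inside the window
        logons = [e for e in ordered
                  if e.source == "auth" and e.account == cmd.account
                  and entry.ts <= e.ts <= cmd.ts]
        findings.append({
            "account": cmd.account,
            "severity": "high" if logons else "medium",
            "remote_session": entry.detail,
            "logon": logons[0].detail if logons else None,
            "ics_command": cmd.detail,
            "minutes_from_remote_to_command": (cmd.ts - entry.ts).total_seconds() / 60,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

With the default 60-minute window only the `svc_vendor` chain at 02:05 / 02:07 / 02:15 is reported; the engineer's 09:30 setpoint change has no external session behind it and is left alone. Widening the window to four hours also surfaces the 22:00 session followed by the 01:00 command, flagged "medium" because no logon was recorded in between. The window and the "medium" path are where local baselining of vendor and maintenance access belongs.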
Mitigation priorities
- Prioritize governance of external remote services into operational environments, including strong authentication, approval workflows, logging, and periodic access review.
- Reduce valid-account risk through least privilege, separation of enterprise and control-system administrative accounts, removal of default credentials where applicable, and monitoring of vendor/service accounts.
- Strengthen segmentation and controlled pathways between enterprise IT and ICS assets so discovery, remote services, and lateral tool transfer are constrained and observable.
- Prepare for destructive malware by validating offline or protected backups, rebuild procedures, and recovery priorities for HMIs, workstations, servers, and other critical operational assets.
- Exercise incident response for cyber-physical scenarios: denial of control, loss of availability, device restart/shutdown, and manipulation of control require coordination between SOC, engineering, operations, legal, and executive leadership.
Analyst notes and limits
This take is based on the supplied ATT&CK campaign description, external references, and relationships. The strongest supported themes are destructive activity against Ukrainian electric power substations, Sandworm Team attribution in ATT&CK, use of BlackEnergy and KillDisk, and a broad set of enterprise and ICS techniques. The object is in the enterprise-attack domain, but several relationships are from ICS ATT&CK and are important to the practical interpretation.
No official detection guidance, tactics, or platforms are specified on the campaign object itself. Platform references come only from related software and enterprise techniques. Local architecture, asset inventory, remote access design, and OT monitoring maturity are required to determine actual exposure or coverage. This summary does not assert active exploitation or that any organization is currently targeted.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | During the 2015 Ukraine Electric Power Attack, Sandworm Team obtained their initial foothold into many IT systems using Microsoft Office attachments delivered through phishing emails. [Citation: Ukraine15 - EISAC - 201603] |
| Enterprise | T1112 | Modify Registry | During the 2015 Ukraine Electric Power Attack, Sandworm Team modified in-registry Internet settings to lower internet security before launching `rundll32.exe`, which in turn launches the malware and communicates with C2 servers over the Internet. [Citation: Booz Allen Hamilton] |
| Enterprise | T1685 | Disable or Modify Tools | During the 2015 Ukraine Electric Power Attack, Sandworm Team modified in-registry internet settings to lower internet security. [Citation: Booz Allen Hamilton] |
| Enterprise | T1070.004 | File Deletion Sub-technique | During the 2015 Ukraine Electric Power Attack, `vba_macro.exe` deletes itself after `FONTCACHE.DAT`, `rundll32.exe`, and the associated .lnk file are delivered. [Citation: Booz Allen Hamilton] |
| Enterprise | T1018 | Remote System Discovery | During the 2015 Ukraine Electric Power Attack, Sandworm Team remotely discovered systems over LAN connections. OT systems were visible from the IT network as well, giving adversaries the ability to discover operational assets. [Citation: Charles McLellan March 2016] |
| Enterprise | T1133 | External Remote Services | During the 2015 Ukraine Electric Power Attack, Sandworm Team installed a modified Dropbear SSH client as the backdoor to target systems. [Citation: Booz Allen Hamilton] |
| Enterprise | T1105 | Ingress Tool Transfer | During the 2015 Ukraine Electric Power Attack, Sandworm Team pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data. [Citation: Booz Allen Hamilton] |
| Enterprise | T1204.002 | Malicious File Sub-technique | During the 2015 Ukraine Electric Power Attack, Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them. [Citation: Ukraine15 - EISAC - 201603] |
| Enterprise | T1078 | Valid Accounts | During the 2015 Ukraine Electric Power Attack, Sandworm Team used valid accounts on the corporate network to escalate privileges, move laterally, and establish persistence within the corporate network. [Citation: Ukraine15 - EISAC - 201603] |
| Enterprise | T1040 | Network Sniffing | During the 2015 Ukraine Electric Power Attack, Sandworm Team used BlackEnergy’s network sniffer module to discover user credentials being sent over the network between the local LAN and the power grid’s industrial control systems. [Citation: Charles McLellan March 2016] |
| Enterprise | T1136.002 | Domain Account Sub-technique | During the 2015 Ukraine Electric Power Attack, Sandworm Team created privileged domain accounts to be used for further exploitation and lateral movement. [Citation: Booz Allen Hamilton] |
| Enterprise | T1218.011 | Rundll32 Sub-technique | During the 2015 Ukraine Electric Power Attack, Sandworm Team used a backdoor which could execute a supplied DLL using `rundll32.exe`. [Citation: Booz Allen Hamilton] |
| Enterprise | T1059.005 | Visual Basic Sub-technique | During the 2015 Ukraine Electric Power Attack, Sandworm Team installed a VBA script called `vba_macro.exe`. This macro dropped `FONTCACHE.DAT`, the primary BlackEnergy implant; `rundll32.exe`, for executing the malware; `NTUSER.log`, an empty file; and `desktop.ini`, the default file used to determine folder displays on Windows machines. [Citation: Booz Allen Hamilton] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | During the 2015 Ukraine Electric Power Attack, Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP POST requests. [Citation: Booz Allen Hamilton] |
| Enterprise | T1570 | Lateral Tool Transfer | During the 2015 Ukraine Electric Power Attack, Sandworm Team moved their tools laterally within the corporate network and between the ICS and corporate network. [Citation: Booz Allen Hamilton] |
| Enterprise | T1056.001 | Keylogging Sub-technique | During the 2015 Ukraine Electric Power Attack, Sandworm Team gathered account credentials via a BlackEnergy keylogger plugin. [Citation: Booz Allen Hamilton] [Citation: Ukraine15 - EISAC - 201603] |
| Enterprise | T1055 | Process Injection | During the 2015 Ukraine Electric Power Attack, Sandworm Team loaded BlackEnergy into `svchost.exe`, which then launched `iexplore.exe` for their C2. [Citation: Booz Allen Hamilton] |
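Several procedure rows above describe host-observable behaviour: `rundll32.exe` executing `FONTCACHE.DAT` rather than a DLL, `svchost.exe` launching `iexplore.exe`, registry Internet settings being lowered, and an Office macro dropping `vba_macro.exe`. The following is an added example (not ATT&CK or Glexia code) that turns those four descriptions into simple matching rules over a normalised process/registry event stream. The event schema and the sample events are constructed; the `Internet Settings\Zones` key path and the Office process names are assumptions rather than values taken from the page.

```python
"""Host-event rules derived from the procedure text on this page (rundll32 with a
non-DLL module, svchost.exe spawning iexplore.exe, Internet zone setting changes,
Office spawning an executable).

Added example for this page, not ATT&CK or Glexia code. The event schema and the
sample events are constructed; the Internet Settings\\Zones registry path and the
Office process names are assumptions, not values taken from the page.
"""
import re
from dataclasses import dataclass


@dataclass
class HostEvent:
    host: str
    kind: str               # "process" or "registry"
    image: str              # process image path, or registry key path for registry events
    parent: str = ""        # parent process image (process events)
    command_line: str = ""  # full command line (process events)
    value_name: str = ""    # value written (registry events)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_non_dll_module(e):
    """rundll32.exe whose first argument is not a .dll (the page describes
    FONTCACHE.DAT being executed through rundll32)."""
    if e.kind != "process" or basename(e.image) != "rundll32.exe":
        return False
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+)', e.command_line, re.IGNORECASE)
    return bool(m) and not m.group(1).strip().lower().endswith(".dll")


def svchost_spawns_iexplore(e):
    """Internet Explorer started by svchost.exe, matching the injection chain on the page."""
    return (e.kind == "process" and basename(e.parent) == "svchost.exe"
            and basename(e.image) == "iexplore.exe")


def internet_zone_setting_modified(e):
    """Write under the Internet Settings\\Zones key (assumed key path)."""
    return e.kind == "registry" and "\\internet settings\\zones\\" in e.image.lower()


def office_spawns_executable(e):
    """An Office application launching a new executable (macro-driven dropper pattern)."""
    office = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumed process names
    return (e.kind == "process" and basename(e.parent) in office
            and basename(e.image).endswith(".exe"))


RULES = [rundll32_non_dll_module, svchost_spawns_iexplore,
         internet_zone_setting_modified, office_spawns_executable]


def run_rules(events):
    """Apply every rule to every event; return one finding per (rule, event) match."""
    return [{"rule": rule.__name__, "host": e.host, "evidence": e.command_line or e.image}
            for e in events for rule in RULES if rule(e)]


# Constructed sample events (paths and hosts invented for the example).
SAMPLE_EVENTS = [
    HostEvent("OPS-WS01", "process", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
              r'rundll32.exe "C:\Users\op\AppData\Local\FONTCACHE.DAT",#1'),
    HostEvent("OPS-WS01", "process", r"C:\Program Files\Internet Explorer\iexplore.exe",
              r"C:\Windows\System32\svchost.exe", "iexplore.exe -Embedding"),
    HostEvent("OPS-WS01", "registry",
              r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",
              value_name="CurrentLevel"),
    HostEvent("OPS-WS02", "process", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),
    HostEvent("OPS-WS02", "process", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              r"C:\Windows\explorer.exe", "WINWORD.EXE /n"),
    HostEvent("OPS-WS02", "process", r"C:\Users\op\AppData\Local\Temp\vba_macro.exe",
              r"C:\Program Files\Microsoft Office\WINWORD.EXE", "vba_macro.exe"),
]


if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the rules produce four findings on the two hosts and leave the ordinary `rundll32.exe shell32.dll,Control_RunDLL` and the plain Word launch alone. The rules are deliberately narrow; in production each one needs a baseline of legitimate engineering and administration activity (signed control-panel DLLs, documented Office add-ins) before it is promoted from hunting query to alert.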
Groups, software, and campaigns
G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
S0607: KillDisk
KillDisk is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of BlackEnergy malware during cyber attacks against Ukraine in 2015. KillDisk has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some KillDisk variants.[1][2][3][4]
S0089: BlackEnergy
BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. [1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b443ea37bb5c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.
[2] mitre-attack. C0028.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.