MITRE ATT&CK® Campaign

C0034: 2022 Ukraine Electric Power Attack

The 2022 Ukraine Electric Power Attack was a Sandworm Team campaign that used a combination of GOGETTER, Neo-REGEORG, CaddyWiper, and living off the land (LotL) techniques to gain access to a Ukrainian electric utility and send unauthorized commands from its SCADA system.[1][2]

Enterprise | C0034 | Campaign | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This campaign matters because it connects enterprise intrusion activity to an operational technology outcome: unauthorized commands sent from a SCADA system at a Ukrainian electric utility, alongside destructive tooling. For leaders, the decision value is not only “malware was used,” but that identity, Windows administration, remote access, tunneling, web server persistence, and ICS command activity can combine into a cyber-physical disruption path.

Executive priority

Prioritize this as an operational resilience and cyber-physical risk scenario. Executives should ask whether the organization can prove separation and monitoring between enterprise IT and control system environments, whether privileged changes such as Group Policy and scheduled tasks are reviewed quickly, whether destructive data activity would be contained, and whether incident response playbooks include SCADA/ICS decision-making. For utilities and other OT-dependent organizations, this object supports investment in joint IT/OT detection, recovery planning, and evidence needed for compliance or board reporting around critical operations.

Technical view

ATT&CK does not provide a detection section for this campaign, so teams should validate coverage from the related behaviors: CaddyWiper use, Windows scheduled tasks and PowerShell, Group Policy modification, masqueraded tasks or services, web shells, lateral tool transfer, protocol tunneling or non-application-layer communications, Linux systemd service persistence where applicable, and ICS command messages from SCADA/control system paths. SOC and IR teams should test whether they can correlate enterprise persistence and command-and-control indicators with OT network events that show unauthorized or abnormal command messages.

Likely telemetry

  • Windows event logs for scheduled task creation or modification, PowerShell execution, service/task naming, and Group Policy changes
  • Active Directory and SYSVOL change records relevant to Group Policy modification
  • Endpoint process, file, and command-line telemetry on Windows and Linux systems
  • Web server access logs, file integrity records, and script execution evidence for possible web shell activity
  • Network flow, proxy, firewall, and packet metadata for tunneling, non-application-layer protocols, and unusual internal transfers

Detection direction

  • Because no official campaign detection text is supplied, map detections to the related ATT&CK techniques rather than assuming a single campaign signature.
  • Tune for sequences: persistence or privilege changes in enterprise systems followed by lateral transfer, tunneling, and access paths toward SCADA/control environments.
  • Review false positives carefully for administrative tools such as PowerShell, scheduled tasks, systemd services, and Group Policy; detection value depends on unusual timing, account context, host role, naming, destination, and change approval evidence.
  • For OT, prioritize visibility into command messages and whether commands are consistent with expected operator workflows and logical preconditions.
  • Validate that web-facing or internally reachable servers are monitored for web shell-like script placement and command execution.
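An added example (not from the ATT&CK object or from Glexia's tooling) of the sequence tuning described above: it correlates constructed Windows Security events so that a GPO container modification (event 5136) followed by the same scheduled task (event 4698) appearing on several hosts within an hour is raised as one alert, the policy-pushed task pattern the campaign rows describe. The field names, hosts, users, task name, GUID placeholder and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Fields are simplified stand-ins
# for Windows Security log data: 5136 = directory service object modified (here a
# GPO container under CN=Policies), 4698 = scheduled task created. The task name,
# hosts, users and the GUID placeholder are all assumptions.
EVENTS = [
    {"ts": "2022-10-10T08:00:00", "id": 5136, "host": "dc01", "user": "CORP\\admin1",
     "object": "CN={PLACEHOLDER-GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example"},
    {"ts": "2022-10-10T08:12:00", "id": 4698, "host": "ws01", "user": "SYSTEM",
     "task": "\\Microsoft\\Windows\\Servicing\\msserver", "action": "C:\\Windows\\msserver.exe"},
    {"ts": "2022-10-10T08:12:10", "id": 4698, "host": "ws02", "user": "SYSTEM",
     "task": "\\Microsoft\\Windows\\Servicing\\msserver", "action": "C:\\Windows\\msserver.exe"},
    {"ts": "2022-10-10T08:12:30", "id": 4698, "host": "srv03", "user": "SYSTEM",
     "task": "\\Microsoft\\Windows\\Servicing\\msserver", "action": "C:\\Windows\\msserver.exe"},
    # Benign control: one admin-created task, a day later, with no preceding GPO edit.
    {"ts": "2022-10-11T14:00:00", "id": 4698, "host": "ws09", "user": "CORP\\it-ops",
     "task": "\\Backup\\nightly", "action": "C:\\Program Files\\Backup\\run.exe"},
]

WINDOW = timedelta(hours=1)  # watch period after a GPO edit (assumed tuning value)
MIN_HOSTS = 3                # same task on this many hosts suggests a policy push

def detect_gpo_task_fanout(events, window=WINDOW, min_hosts=MIN_HOSTS):
    """Return one alert per task name that was created on >= min_hosts hosts,
    with the first creation falling within `window` after a GPO container edit."""
    gpo_edits = [datetime.fromisoformat(e["ts"]) for e in events
                 if e["id"] == 5136 and "CN=Policies" in e["object"]]
    by_task = defaultdict(list)
    for e in events:
        if e["id"] == 4698:
            by_task[e["task"]].append(e)
    alerts = []
    for task, creates in by_task.items():
        first = min(datetime.fromisoformat(e["ts"]) for e in creates)
        hosts = {e["host"] for e in creates}
        preceded_by_gpo_edit = any(t <= first <= t + window for t in gpo_edits)
        if preceded_by_gpo_edit and len(hosts) >= min_hosts:
            alerts.append({"task": task, "hosts": sorted(hosts),
                           "action": creates[0]["action"], "first_seen": first.isoformat()})
    return alerts

if __name__ == "__main__":
    for a in detect_gpo_task_fanout(EVENTS):
        print(f"ALERT task={a['task']} hosts={a['hosts']} action={a['action']}")
```

In a SIEM the same rule would key on the GPO's own GUID rather than any CN=Policies edit, and the benign control shows why host fan-out, not task creation alone, carries the signal.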

Mitigation priorities

  • Establish or validate segmentation and monitored pathways between enterprise IT and SCADA/ICS environments.
  • Harden and monitor privileged administration: Group Policy changes, scheduled tasks, PowerShell use, service creation, and systemd units where applicable.
  • Restrict and review remote access, tunneling, and non-standard protocol use across network boundaries.
  • Maintain web server hardening and file integrity monitoring to reduce persistent access via web shells.
  • Prepare destructive-event response: protected backups, restoration procedures, and IR playbooks that include IT and OT roles.

Analyst notes and limits

The supplied relationship context attributes the campaign to Sandworm Team and lists CaddyWiper plus multiple enterprise and ICS techniques. The strongest defensive lesson is the convergence of enterprise compromise behaviors with control-system command activity. Glexia should treat this as a scenario for resilience validation, not as a claim that the same campaign is active against any specific organization.

The ATT&CK object does not specify platforms or tactics for the campaign itself and provides no official detection guidance. Platform references come only from related software and technique objects. Local architecture, control system protocols, logging maturity, and business process context are required to turn this into precise detections or control requirements.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1036.004 | Masquerade Task or Service (sub-technique)
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Systemd service units to masquerade GOGETTER malware as legitimate or seemingly legitimate services. [1]

Enterprise | T1059.001 | PowerShell (sub-technique)
During the 2022 Ukraine Electric Power Attack, Sandworm Team utilized a PowerShell utility called TANKTRAP to spread and launch a wiper using Windows Group Policy. [1]

Enterprise | T1053.005 | Scheduled Task (sub-technique)
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time. [1]

Enterprise | T1543.002 | Systemd Service (sub-technique)
During the 2022 Ukraine Electric Power Attack, Sandworm Team configured Systemd to maintain persistence of GOGETTER, specifying the `WantedBy=multi-user.target` configuration to run GOGETTER when the system begins accepting user logins. [1]

Enterprise | T1505.003 | Web Shell (sub-technique)
During the 2022 Ukraine Electric Power Attack, Sandworm Team deployed the Neo-REGEORG webshell on an internet-facing server. [1]

Enterprise | T1095 | Non-Application Layer Protocol
During the 2022 Ukraine Electric Power Attack, Sandworm Team proxied C2 communications within a TLS-based tunnel. [1]

Enterprise | T1572 | Protocol Tunneling
During the 2022 Ukraine Electric Power Attack, Sandworm Team deployed the GOGETTER tunneler software to establish a “Yamux” TLS-based C2 channel with an external server(s). [1]

Enterprise | T1485 | Data Destruction
During the 2022 Ukraine Electric Power Attack, Sandworm Team deployed CaddyWiper on the victim’s IT environment systems to wipe files related to the OT capabilities, along with mapped drives, and physical drive partitions. [1]

Enterprise | T1570 | Lateral Tool Transfer
During the 2022 Ukraine Electric Power Attack, Sandworm Team used a Group Policy Object (GPO) to copy CaddyWiper's executable `msserver.exe` from a staging server to a local hard drive before deployment. [1]

Enterprise | T1484.001 | Group Policy Modification (sub-technique)
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Group Policy Objects (GPOs) to deploy and execute malware. [1]
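The T1036.004 and T1543.002 rows describe a unit enabled through `WantedBy=multi-user.target` and named to look like a legitimate service. An added example, not part of the ATT&CK object or of any published GOGETTER analysis, that reviews constructed unit files for those two traits: boot-enabled units whose ExecStart binary sits outside package-managed directories, and unit names that nearly match a well-known service name. The unit contents, the trusted directory list and the known-name list are assumptions.

```python
import difflib

# Constructed unit files (not recovered from the campaign): one ordinary agent
# and one that mimics systemd-journald by name while launching from /var/tmp.
UNITS = {
    "/etc/systemd/system/backup-agent.service": (
        "[Unit]\nDescription=Backup agent\n"
        "[Service]\nExecStart=/usr/sbin/backup-agent --daemon\n"
        "[Install]\nWantedBy=multi-user.target\n"),
    "/etc/systemd/system/systemd-journa1d.service": (
        "[Unit]\nDescription=Journal Service\n"
        "[Service]\nExecStart=/var/tmp/.cache/journald\nRestart=always\n"
        "[Install]\nWantedBy=multi-user.target\n"),
}

# Assumed baseline: binaries of enabled services are expected under package-managed paths.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/bin/", "/sbin/", "/lib/")
# Assumed reference list of well-known unit names; derive it from the distro's package set in practice.
KNOWN_UNITS = ["systemd-journald", "systemd-logind", "sshd", "cron", "rsyslog", "dbus"]

def parse_unit(text):
    """Minimal INI-style parse of a unit file into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def review_unit(path, text):
    """Return the reasons a boot-enabled unit deserves analyst attention ([] if none)."""
    unit = parse_unit(text)
    reasons = []
    if "multi-user.target" not in unit.get("Install", {}).get("WantedBy", ""):
        return reasons  # not wanted at boot; outside this check's scope
    argv = unit.get("Service", {}).get("ExecStart", "").split()
    exe = argv[0].lstrip("-@:+!") if argv else ""  # drop systemd's ExecStart prefix characters
    if not exe.startswith(TRUSTED_PREFIXES):
        reasons.append(f"ExecStart binary outside trusted directories: {exe or '<missing>'}")
    name = path.rsplit("/", 1)[-1].removesuffix(".service")
    near = difflib.get_close_matches(name, KNOWN_UNITS, n=1, cutoff=0.85)
    if near and near[0] != name:
        reasons.append(f"unit name '{name}' resembles well-known '{near[0]}'")
    return reasons

def review_all(units):
    """Map each unit path to its findings, keeping only units with at least one."""
    return {p: r for p, t in units.items() if (r := review_unit(p, t))}
```

Run it over the contents of `/etc/systemd/system/*.service` from a file-integrity baseline diff rather than the live host, so the review also catches units that were added and later removed.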

Associated objects

Groups, software, and campaigns

Group Enterprise

G0034: Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: ef26692f62e5898a...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | ef26692f62e5…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Mandiant-Sandworm-Ukraine-2022
     Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.
  2. [2] Dragos-Sandworm-Ukraine-2022
     Dragos, Inc. (2023, December 11). ELECTRUM Targeted Ukrainian Electric Entity Using Custom Tools and CaddyWiper Malware, October 2022. Retrieved March 28, 2024.
  3. [3] mitre-attack C0034

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.