S0089: BlackEnergy
BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. [1]
Analyst context for executives and security teams
BlackEnergy matters because ATT&CK describes it as a long-running Windows malware toolkit whose use evolved from DDoS botnets to plug-in-supported operations, including targeting Ukrainian institutions. Its relationship to the 2015 Ukraine Electric Power Attack makes it especially relevant for organizations where enterprise IT access can affect operational technology or service continuity.
Executive priority
Treat this as a resilience and control-validation topic, not just a malware signature topic. Leaders should ask whether Windows endpoint visibility, identity controls, email attachment defenses, SMB/WMI monitoring, and command-and-control monitoring are strong enough to detect a toolkit that can support discovery, persistence, credential collection, lateral movement, and impact behaviors. For critical infrastructure or OT-connected environments, validate that incident response plans cover enterprise-to-operations escalation and business continuity decisions.
Technical view
ATT&CK provides no official detection text for BlackEnergy, so SOC and IR teams should validate coverage through the related techniques. Focus on Windows telemetry for service creation or modification, WMI execution, SMB/admin share activity, DLL injection indicators, keylogging-related collection, screen capture, file/process/network discovery, indicator removal, web-protocol C2, fallback channels, and data destruction behaviors. Relationship context also links BlackEnergy 3 with the 2015 Ukraine Electric Power Attack and KillDisk, so defenders in ICS-adjacent environments should correlate enterprise compromise behaviors with access to substations, control networks, or remote administration paths where locally applicable.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows service creation/modification events and related registry changes
- WMI operational and remote execution logs
- SMB/admin share access and lateral movement evidence
- Authentication logs for valid account use, especially remote access patterns
Detection direction
- Do not rely on a BlackEnergy family name alone; ATT&CK lists broad plug-in-supported behavior, so map detections to the related techniques.
- Prioritize correlation across phishing attachment delivery, Windows persistence, discovery, credential collection, SMB/WMI lateral movement, and outbound web-protocol communications.
- Tune for administrative false positives: WMI, SMB admin shares, service changes, and discovery commands are common in IT operations, so detections need user, host role, timing, and change-management context.
- Validate visibility for fallback C2: confirm proxy, DNS, firewall, and endpoint telemetry can show alternate outbound paths, not only known blocked destinations.
- For OT or critical-infrastructure environments, look for enterprise Windows activity that precedes or coincides with access to systems supporting transmission, distribution, or other operational functions.
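The cross-stage correlation the list above asks for, as an added example that is not part of the ATT&CK object or the Glexia page: it joins constructed Windows Security and System events per host and reports a host only when at least two stages of the chain line up (ADMIN$ access followed by a new service, a process spawned by the WMI provider host, a burst of discovery utilities), with an allow-list of approved administrative sources so a lone admin-share access from a jump host is not reported. The event IDs (4624, 5140, 7045, 4688) are the standard Windows ones; the host names, accounts, the service name `aqwsxz` and the dictionary field layout are assumptions made for the example, not a product schema.

```python
"""Correlate Windows endpoint events for a BlackEnergy-style chain:
admin-share access followed by a new service (T1021.002 -> T1543.003),
WMI-spawned processes (T1047) and a burst of discovery tools (T1057, T1049,
T1016, T1082). Added example; events are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery utilities named in the ATT&CK procedures, mapped to technique IDs.
DISCOVERY_TOOLS = {"tasklist.exe": "T1057", "netstat.exe": "T1049",
                   "ipconfig.exe": "T1016", "route.exe": "T1016", "systeminfo.exe": "T1082"}


def proc(ts, host, image, parent="C:\\Windows\\System32\\cmd.exe"):
    """Build a constructed 4688 (process creation) event."""
    return {"ts": ts, "host": host, "id": 4688, "image": image, "parent": parent}


# Constructed sample events (field names are an assumption for this example).
EVENTS = [
    {"ts": "2015-12-23T15:01:02", "host": "WS-07", "id": 4624, "logon_type": 3,
     "user": "corp\\svc_backup", "src": "10.0.5.20"},
    {"ts": "2015-12-23T15:01:03", "host": "WS-07", "id": 5140, "share": "\\\\*\\ADMIN$",
     "user": "corp\\svc_backup", "src": "10.0.5.20"},
    {"ts": "2015-12-23T15:01:04", "host": "WS-07", "id": 7045, "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe"},
    proc("2015-12-23T15:01:09", "WS-07", "C:\\Windows\\System32\\cmd.exe",
         parent="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"),
    proc("2015-12-23T15:01:12", "WS-07", "C:\\Windows\\System32\\tasklist.exe"),
    proc("2015-12-23T15:01:14", "WS-07", "C:\\Windows\\System32\\netstat.exe"),
    proc("2015-12-23T15:01:16", "WS-07", "C:\\Windows\\System32\\ipconfig.exe"),
    proc("2015-12-23T15:01:18", "WS-07", "C:\\Windows\\System32\\route.exe"),
    proc("2015-12-23T15:01:20", "WS-07", "C:\\Windows\\System32\\systeminfo.exe"),
    {"ts": "2015-12-23T15:02:30", "host": "WS-07", "id": 7045, "service": "aqwsxz",
     "image": "C:\\Windows\\System32\\drivers\\aqwsxz.sys"},   # constructed random-looking name
    # Routine administration on another host: approved jump host, C$ only, one tool.
    {"ts": "2015-12-23T15:10:00", "host": "WS-12", "id": 4624, "logon_type": 3,
     "user": "corp\\it.admin", "src": "10.0.1.5"},
    {"ts": "2015-12-23T15:10:01", "host": "WS-12", "id": 5140, "share": "\\\\*\\C$",
     "user": "corp\\it.admin", "src": "10.0.1.5"},
    proc("2015-12-23T15:10:05", "WS-12", "C:\\Windows\\System32\\ipconfig.exe"),
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def by_host(events):
    """Group events per host, ordered by timestamp."""
    hosts = defaultdict(list)
    for e in sorted(events, key=_ts):
        hosts[e["host"]].append(e)
    return hosts


def find_discovery_bursts(events, window=timedelta(minutes=2), min_tools=3):
    """Hosts that ran >= min_tools distinct discovery utilities inside `window`."""
    findings = {}
    for host, evs in by_host(events).items():
        procs = [e for e in evs if e["id"] == 4688 and _basename(e["image"]) in DISCOVERY_TOOLS]
        for i, first in enumerate(procs):
            tools = {_basename(e["image"]) for e in procs[i:] if _ts(e) - _ts(first) <= window}
            if len(tools) >= min_tools:
                findings[host] = sorted({DISCOVERY_TOOLS[t] for t in tools})
                break
    return findings


def find_admin_share_to_service(events, approved_sources=frozenset(), window=timedelta(minutes=5)):
    """T1021.002 -> T1543.003: ADMIN$ access from a non-approved source, then a new service."""
    findings = {}
    for host, evs in by_host(events).items():
        shares = [e for e in evs if e["id"] == 5140 and e["share"].upper().endswith("ADMIN$")
                  and e["src"] not in approved_sources]
        for s in shares:
            later = [e for e in evs if e["id"] == 7045 and timedelta(0) <= _ts(e) - _ts(s) <= window]
            if later:
                findings[host] = {"src": s["src"], "user": s["user"],
                                  "services": [e["service"] for e in later]}
                break
    return findings


def find_wmi_spawned(events):
    """T1047: processes whose parent is the WMI provider host."""
    findings = {}
    for host, evs in by_host(events).items():
        children = [_basename(e["image"]) for e in evs
                    if e["id"] == 4688 and _basename(e.get("parent", "")) == "wmiprvse.exe"]
        if children:
            findings[host] = children
    return findings


def triage(events, approved_sources=frozenset(), min_stages=2):
    """Report a host only when at least `min_stages` stages of the chain fire on it."""
    stages = {"T1021.002+T1543.003": find_admin_share_to_service(events, approved_sources),
              "T1047": find_wmi_spawned(events),
              "discovery": find_discovery_bursts(events)}
    hits = defaultdict(dict)
    for stage, result in stages.items():
        for host, detail in result.items():
            hits[host][stage] = detail
    return {host: d for host, d in hits.items() if len(d) >= min_stages}


if __name__ == "__main__":
    for host, detail in triage(EVENTS, approved_sources={"10.0.1.5"}).items():
        print(host, detail)
```

The two-stage requirement and the approved-source allow-list are the false-positive controls the list above calls for; in a real deployment the allow-list would come from change-management or PAM records rather than a literal set, and the 7045 stage should also watch for 4697 where Security auditing is enabled.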
Mitigation priorities
- Strengthen email attachment controls and user-reporting workflows for targeted spearphishing scenarios.
- Enforce least privilege, privileged access management, and strong authentication for accounts that can access Windows hosts, shares, remote administration, or OT-adjacent systems.
- Restrict and monitor SMB/admin shares, WMI, and remote service management to approved administrative paths.
- Harden Windows endpoints with service-change monitoring, application control where feasible, and EDR coverage for process injection and suspicious collection behaviors.
- Segment enterprise IT from operational or critical systems and tightly govern remote access between zones.
Analyst notes and limits
The most decision-relevant relationships are to the 2015 Ukraine Electric Power Attack, Sandworm Team, and techniques covering valid accounts, spearphishing attachments, standard application-layer protocols, fallback channels, Windows admin shares, WMI, DLL injection, keylogging, discovery, indicator removal, web protocols, screen capture, data destruction, and Windows services.
MITRE does not provide official detection guidance for this software object, and the object’s listed platform is Windows. Some related techniques have broader platform lists, but those should not be assumed for BlackEnergy without local evidence. This take is based only on the supplied ATT&CK fields, references, and relationships and does not assert current activity or customer exposure.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1548.002 | Bypass User Account Control | BlackEnergy attempts to bypass default User Account Control (UAC) settings by exploiting a backward-compatibility setting found in Windows 7 and later. [F-Secure BlackEnergy 2014] |
| Enterprise | T1047 | Windows Management Instrumentation | A BlackEnergy 2 plug-in uses WMI to gather victim host details. [Securelist BlackEnergy Feb 2015] |
| Enterprise | T1555.003 | Credentials from Web Browsers | BlackEnergy has used a plug-in to gather credentials from web browsers including Firefox, Google Chrome, and Internet Explorer. [F-Secure BlackEnergy 2014] [Securelist BlackEnergy Nov 2014] |
| Enterprise | T1070 | Indicator Removal | BlackEnergy has removed the watermark associated with enabling the |
| Enterprise | T1113 | Screen Capture | BlackEnergy is capable of taking screenshots. [Securelist BlackEnergy Nov 2014] |
| Enterprise | T1055.001 | Dynamic-link Library Injection | BlackEnergy injects its DLL component into svchost.exe. [F-Secure BlackEnergy 2014] |
| Enterprise | T1685.005 | Clear Windows Event Logs | The BlackEnergy component KillDisk is capable of deleting Windows Event Logs. [ESET BlackEnergy Jan 2016] |
| Enterprise | T1553.006 | Code Signing Policy Modification | BlackEnergy has enabled the |
| Enterprise | T1057 | Process Discovery | BlackEnergy has gathered a process list by using Tasklist.exe. [F-Secure BlackEnergy 2014] [Securelist BlackEnergy Nov 2014] [ESET BlackEnergy Jan 2016] |
| Enterprise | T1083 | File and Directory Discovery | BlackEnergy gathers a list of installed apps from the uninstall program Registry. It also gathers registered mail, browser, and instant messaging clients from the Registry. BlackEnergy has searched for given file types. [F-Secure BlackEnergy 2014] [Securelist BlackEnergy Nov 2014] |
| Enterprise | T1046 | Network Service Discovery | BlackEnergy has conducted port scans on a host. [Securelist BlackEnergy Nov 2014] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares | BlackEnergy has run a plug-in on a victim to spread through the local network by using PsExec and accessing admin shares. [Securelist BlackEnergy Nov 2014] |
| Enterprise | T1049 | System Network Connections Discovery | BlackEnergy has gathered information about local network connections using netstat. [F-Secure BlackEnergy 2014] [Securelist BlackEnergy Nov 2014] |
| Enterprise | T1120 | Peripheral Device Discovery | BlackEnergy can gather very specific information about attached USB devices, including device instance ID and drive geometry. [Securelist BlackEnergy Nov 2014] |
| Enterprise | T1547.009 | Shortcut Modification | The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder. [F-Secure BlackEnergy 2014] |
| Enterprise | T1552.001 | Credentials In Files | BlackEnergy has used a plug-in to gather credentials stored in files on the host by various software programs, including The Bat! email client, Outlook, and Windows Credential Store. [F-Secure BlackEnergy 2014] [Securelist BlackEnergy Nov 2014] |
| Enterprise | T1056.001 | Keylogging | BlackEnergy has run a keylogger plug-in on a victim. [Securelist BlackEnergy Nov 2014] |
| Enterprise | T1543.003 | Windows Service | One variant of BlackEnergy creates a new service using either a hard-coded or randomly generated name. [F-Secure BlackEnergy 2014] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder. [F-Secure BlackEnergy 2014] |
| Enterprise | T1485 | Data Destruction | BlackEnergy 2 contains a "Destroy" plug-in that destroys data stored on victim hard drives by overwriting file contents. [Securelist BlackEnergy Feb 2015] [ESET BlackEnergy Jan 2016] |
| Enterprise | T1574.010 | Services File Permissions Weakness | One variant of BlackEnergy locates existing driver services that have been disabled and drops its driver component into one of those services' paths, replacing the legitimate executable. The malware then sets the hijacked service to start automatically to establish persistence. [F-Secure BlackEnergy 2014] |
| Enterprise | T1016 | System Network Configuration Discovery | BlackEnergy has gathered information about network IP configurations using ipconfig.exe and about routing tables using route.exe. [F-Secure BlackEnergy 2014] [Securelist BlackEnergy Nov 2014] |
| Enterprise | T1082 | System Information Discovery | BlackEnergy has used Systeminfo to gather the OS version, as well as information on the system configuration, BIOS, the motherboard, and the processor. [F-Secure BlackEnergy 2014] [Securelist BlackEnergy Nov 2014] |
| Enterprise | T1008 | Fallback Channels | BlackEnergy has the capability to communicate over a backup channel via plus.google.com. [Securelist BlackEnergy Nov 2014] |
| Enterprise | T1071.001 | Web Protocols | BlackEnergy communicates with its C2 server over HTTP. [F-Secure BlackEnergy 2014] |
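A hunt for the three persistence patterns in the table (T1574.010 hijack of a disabled driver service, T1543.003 new service, T1547.009 / T1547.001 Startup-folder .lnk to a dropped DLL), as an added example that is not code from ATT&CK, Glexia or any BlackEnergy report. It diffs a baseline snapshot of service configuration against the current one and inspects Startup-folder shortcuts. The `Start` values (4 = disabled, 0/1/2 = boot/system/auto) and `Type` 1 = kernel driver are the real Windows registry semantics under `HKLM\SYSTEM\CurrentControlSet\Services`; the snapshot field names, the service `aqwsxz`, the shortcut paths and the four-character hashes are constructed for the example.

```python
"""Persistence hunt for BlackEnergy-style service and Startup-folder changes.
Added example; snapshots are constructed and hashes are dummy values."""

DISABLED = 4                  # SERVICE_DISABLED
EARLY_START = {0, 1, 2}       # boot, system, auto start
KERNEL_DRIVER = 1             # SERVICE_KERNEL_DRIVER
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed pre-incident baseline (assumed field names: type, start, image, sha256).
BASELINE = {
    "vgasave": {"type": KERNEL_DRIVER, "start": DISABLED,
                "image": "\\SystemRoot\\System32\\drivers\\vga.sys", "sha256": "1111"},
    "Spooler": {"type": 16, "start": 2,
                "image": "C:\\Windows\\System32\\spoolsv.exe", "sha256": "2222"},
}
# Constructed current snapshot: vgasave re-enabled with a replaced binary, one new driver.
CURRENT = {
    "vgasave": {"type": KERNEL_DRIVER, "start": 2,
                "image": "\\SystemRoot\\System32\\drivers\\vga.sys", "sha256": "9999"},
    "Spooler": {"type": 16, "start": 2,
                "image": "C:\\Windows\\System32\\spoolsv.exe", "sha256": "2222"},
    "aqwsxz": {"type": KERNEL_DRIVER, "start": 2,
               "image": "C:\\Windows\\System32\\drivers\\aqwsxz.sys", "sha256": "8888"},
}
# Constructed Startup-folder shortcuts: one loads a DLL from %TEMP% via rundll32, one is benign.
STARTUP = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
STARTUP_SHORTCUTS = [
    {"lnk": STARTUP + "update.lnk", "target": "C:\\Windows\\System32\\rundll32.exe",
     "args": "C:\\Users\\alice\\AppData\\Local\\Temp\\main.dll,#1"},
    {"lnk": STARTUP + "OneDrive.lnk",
     "target": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "args": "/background"},
]


def hijacked_disabled_services(baseline, current):
    """T1574.010: a service that was disabled now starts early and its binary changed."""
    hits = []
    for name, before in baseline.items():
        after = current.get(name)
        if after is None or before["start"] != DISABLED or after["start"] not in EARLY_START:
            continue
        if after["sha256"] != before["sha256"] or after["image"].lower() != before["image"].lower():
            hits.append(name)
    return hits


def new_services(baseline, current):
    """T1543.003: services absent from the baseline, kernel drivers listed first."""
    added = [n for n in current if n not in baseline]
    return sorted(added, key=lambda n: (current[n]["type"] != KERNEL_DRIVER, n))


def suspicious_startup_shortcuts(shortcuts):
    """T1547.009 / T1547.001: Startup .lnk pointing at a DLL, or at a DLL loader
    whose argument is a DLL under a user-writable path."""
    hits = []
    for s in shortcuts:
        target, args = s["target"].lower(), s.get("args", "").lower()
        loader = target.rsplit("\\", 1)[-1] in DLL_LOADERS
        from_writable = any(h in args for h in WRITABLE_HINTS)
        if target.endswith(".dll") or (loader and ".dll" in args and from_writable):
            hits.append(s["lnk"])
    return hits


def hunt(baseline, current, shortcuts):
    """Run all three checks and key the findings by ATT&CK technique ID."""
    return {"T1574.010": hijacked_disabled_services(baseline, current),
            "T1543.003": new_services(baseline, current),
            "T1547.009": suspicious_startup_shortcuts(shortcuts)}


if __name__ == "__main__":
    for technique, findings in hunt(BASELINE, CURRENT, STARTUP_SHORTCUTS).items():
        print(technique, findings)
```

The baseline is the part that matters: without a known-good snapshot of `Start`, `ImagePath` and the binary hash per service, the re-enabled-driver case is indistinguishable from an administrator turning a service back on. In practice the snapshots would be collected with `Get-CimInstance Win32_SystemDriver` or by exporting the Services registry key and hashing each `ImagePath` target.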
Groups, software, and campaigns
G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
C0028: 2015 Ukraine Electric Power Attack
2015 Ukraine Electric Power Attack was a Sandworm Team campaign during which they used BlackEnergy (specifically BlackEnergy3) and KillDisk to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. Where Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by object hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see the ATT&CK resources page under Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | 19eadfbd6c12… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. (Citation key: F-Secure BlackEnergy 2014)
[2] MITRE ATT&CK. S0089: BlackEnergy. Mirrored ATT&CK source record.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.