Named attack · kill-chain walkthrough

Ukraine Power Grid Attacks

Sandworm's two-act demonstration of cyber-induced blackout — BlackEnergy in 2015, Industroyer in 2016

Actor: Sandworm (GRU Unit 74455)
Dates: December 23, 2015 (BlackEnergy / Kyivoblenergo et al.) + December 17, 2016 (Industroyer / Ukrenergo)
Attribution confidence: High

Both attacks are attributed to Sandworm (GRU Unit 74455) by the U.S. intelligence community and allied governments. The 2015 BlackEnergy campaign was publicly attributed in a joint CISA/FBI advisory. The 2016 Industroyer attack was linked to Sandworm via overlapping infrastructure and tradecraft; the same GRU officers implicated in these attacks were indicted by the U.S. Department of Justice on 19 October 2020 in connection with NotPetya and related operations.

In two successive December strikes, Sandworm — Russia's GRU Unit 74455 — proved that cyberattacks could physically darken cities. On 23 December 2015, operators at three Ukrainian electricity distribution companies (Prykarpattyaoblenergo, Kyivoblenergo, and Chernivtsioblenergo) watched helplessly as remote intruders opened breakers across their substations, cutting power to roughly 225,000 customers for up to six hours. The adversary then deployed KillDisk to destroy SCADA workstations and flooded customer call centers with telephone denial-of-service to mask the chaos. Exactly one year later, on 17 December 2016, a new malware framework called Industroyer (also named CrashOverride) struck the Ukrenergo transmission substation north of Kyiv — the first publicly known malware capable of natively speaking industrial control-system protocols (IEC-101, IEC-104, IEC 61850, OPC DA) to command breakers directly, without requiring a human operator. Together, the two attacks constitute the most consequential cyber operations against civilian power infrastructure ever documented.

[Kill-chain diagram, 8 scenes. Act I (23 Dec 2015): Sandworm (GRU Unit 74455) → spear-phish, Word doc + macro (T1566.001, T1204.002) → BlackEnergy3 modular backdoor / C2 (MITRE S0089; T1059.005) → Prykarpattyaoblenergo, Kyivoblenergo, Chernivtsioblenergo → VPN credential harvest via BE3 plugin, weeks of OT reconnaissance (T1078, T1133) → VPN gateway → HMI takeover via RDP, operators watch cursors move, breakers opened manually (T1021.001, T1078) → telephone DoS, call centers flooded (T1499) → KillDisk wiper, SCADA hosts destroyed (MITRE S0098; T1561.001, T1485) → ~225,000 customers without power, 1–6 hours.]
[Act II (17 Dec 2016): Ukrenergo re-entry, Industroyer framework staged, HTTP + Tor C2 backdoor (T1133, T1071.001, T1090.003) → Industroyer aka CrashOverride (ESET / Dragos, Jun 2017; MITRE S0604) → IEC-104 payload module issuing native ASDU switching commands; speaks IEC-101, IEC-104, IEC 61850, OPC DA; first malware to natively speak ICS protocols (T1565.003) → TRIP at Pivnichna substation (Ukrenergo transmission, north of Kyiv), breakers opened autonomously ~00:03 local → SIPROTEC DoS, CVE-2015-5374, UDP :50000 → crash, protection relays down (T1499, T1210) → Siemens SIPROTEC 4 relay crashed → timed KillDisk wiper, MBR overwritten, operator hosts destroyed (T1485, T1561.002, T1112, T1070).]
  1. Phase 01 · Initial Access [2015] · TA0001

    Weaponized Word macros delivered BlackEnergy3 to three oblenergos simultaneously

    • Beginning in mid-2015, Sandworm sent spear-phishing emails to employees at Prykarpattyaoblenergo, Kyivoblenergo, and Chernivtsioblenergo — the three regional electricity distributors targeted in the December attack.
    • Attachments were Microsoft Word documents containing malicious macros; when enabled, the macro dropped and executed the BlackEnergy3 (BE3) backdoor — a modular, plugin-based implant that had been evolving since at least 2007.
    • The macro-delivery technique required social engineering to persuade recipients to 'Enable Content'; ESET and SANS researchers documented lure documents referencing Ukrainian parliamentary and energy-sector topics.
    • BlackEnergy3 established C2 via HTTP/HTTPS to actor-controlled servers, providing a persistent foothold on corporate IT networks months before the December 2015 attack.
  2. Phase 02 · Persistence & Credential Theft [2015] · TA0003

    BlackEnergy3 harvested VPN credentials, enabling legitimate remote access to OT networks

    • Once inside the corporate IT network, BlackEnergy3 plugins collected user credentials — including VPN credentials used by operators to reach industrial control system (ICS) environments from home or other sites.
    • Sandworm used the harvested credentials to authenticate to each oblenergo's VPN infrastructure using the operators' own legitimate accounts, granting access to the SCADA/energy-management systems (EMS) on the OT side.
    • The adversary spent weeks conducting reconnaissance: enumerating the operational network topology, identifying substation IDs and breaker naming conventions in the SCADA EMS, and mapping serial-to-Ethernet gateway configurations.
    • KillDisk, a destructive wiper component, was staged on compromised workstations to be triggered at the conclusion of the attack, destroying SCADA hosts to hamper recovery.
  3. Phase 03 · ICS Manipulation & Blackout [2015] · TA0040

    Operators remoted in via stolen VPN credentials and manually opened breakers across three oblenergos

    • At approximately 15:30–16:00 local time on 23 December 2015, Sandworm operators used the stolen VPN credentials to log into each oblenergo's SCADA/EMS from remote workstations — essentially impersonating legitimate operators.
    • The attackers manually manipulated the human-machine interfaces (HMIs) using Remote Desktop Protocol (RDP) or native operator software: they opened substation breakers one by one, cutting power to customers. This was a deliberate, manual, operator-style attack — not automated malware commanding the ICS.
    • Three distribution oblenergos lost control simultaneously: Prykarpattyaoblenergo lost 30 substations and roughly 80,000 customers; Kyivoblenergo and Chernivtsioblenergo suffered comparable losses. Total customer impact: approximately 225,000 people were without power for 1–6 hours.
    • In parallel, Sandworm launched a telephone denial-of-service (TDoS) campaign against each company's customer call center — flooding the lines with calls to prevent customers from reporting outages and to delay operator situational awareness.
    • After opening the breakers, the adversary triggered the pre-staged KillDisk wiper on operator workstations, destroying SCADA host operating systems and rendering recovery more difficult. Uninterruptible power supplies (UPS) at some sites were also remotely disabled.
  4. Phase 04 · Re-entry & Staging [2016] · TA0001

    Sandworm regained a foothold in Ukrainian energy infrastructure to deploy Industroyer

    • By late 2016, Sandworm had established access to the corporate network of Ukrenergo, the national high-voltage transmission operator — a step up in targeting from 2015's regional distributors.
    • The specific initial-access vector for the 2016 campaign has not been publicly disclosed with the same granularity as 2015; ESET and Dragos assessed access was established well before the December 17 attack date, consistent with Sandworm's pattern of months-long pre-positioning.
    • Industroyer was deployed as a multi-stage framework: a main backdoor provided persistent C2 access, while separate payload modules for industrial protocol interaction were staged for later execution.
    • The main backdoor communicated over standard protocols (HTTP/HTTPS on common ports) and used a Tor-based additional C2 channel, providing resilient and covert command infrastructure.
  5. Phase 05 · ICS Protocol Weaponization [2016] · TA0040

    Industroyer spoke native IEC-104 and IEC 61850 to command substation breakers autonomously

    • Industroyer contained four protocol-specific payload modules capable of communicating directly in IEC 60870-5-101 (serial), IEC 60870-5-104 (TCP), IEC 61850 (MMS over TCP), and OPC DA — the four most widely deployed protocols in European power-grid substations.
    • The IEC-104 module was used in the Ukrenergo attack. It autonomously issued ASDU (Application Service Data Unit) command messages to Pivnichna substation switching equipment, opening circuit breakers and de-energizing the transmission segment north of Kyiv at approximately 00:03 on 17 December 2016.
    • This was the first publicly documented malware designed to autonomously manipulate industrial control systems by speaking their native protocols — Stuxnet required Siemens-specific PLC code injection; Industroyer issued standard grid commands that any IEC-104-compliant device would obey.
    • Industroyer's modular architecture was designed for reuse: swapping protocol modules would allow the same framework to attack different vendors' equipment and different countries' grid architectures without fundamental redesign.
    • The attack caused a transmission-level blackout of approximately 200 MW of load and an estimated 1-hour outage for Ukrenergo customers — shorter than 2015, but far more significant as proof of an autonomous ICS attack capability.
  6. Phase 06 · Protection Relay DoS [2016] · TA0040

    A purpose-built module exploited CVE-2015-5374 to disable Siemens SIPROTEC relays, delaying grid restoration

    • Industroyer included a dedicated DoS module targeting Siemens SIPROTEC 4 and SIPROTEC Compact protection relay devices — equipment that monitors substations and automatically re-closes breakers after faults.
    • The module exploited CVE-2015-5374, a vulnerability in the Siemens SIPROTEC EN100 Ethernet communication module. Sending a specially crafted UDP packet to port 50000 caused the relay's firmware to crash and require a manual field reset.
    • By disabling the SIPROTEC relays, Sandworm aimed to prevent automated grid recovery: without functioning protective relays, engineers could not safely re-energize transmission lines, extending the outage and complicating manual restoration.
    • CVE-2015-5374 had been publicly disclosed in July 2015 — over a year before the December 2016 attack — but patch deployment in operational technology environments typically lags far behind IT networks, and many utilities had not yet applied the fix.
  7. Phase 07 · Defense Evasion & Wiper [2016] · TA0005

    Industroyer's wiper component overwrote system files to destroy forensic evidence and delay recovery

    • Following the switching attack, Industroyer launched a wiper component (a variant of KillDisk) designed to overwrite the master boot record and corrupt files on operator workstations — destroying forensic evidence and preventing investigators from easily analyzing the malware.
    • The wiper was set to execute on a time-delayed schedule after the ICS attack completed, ensuring the attackers had achieved their primary objective before triggering cover-track activity.
    • Windows registry keys were modified to disable safe-boot options and hinder system recovery. Unlike the NotPetya wiper Sandworm would deploy six months later, this component focused on targeted destruction of incident-response capability rather than broad propagation.
    • The combination of ICS disruption, relay DoS, and wiper in a coordinated sequence demonstrated sophisticated attack choreography — each component timed to amplify the impact of the others.
  8. Phase 08 · Impact & Attribution · TA0040

    225,000 customers blacked out in 2015; autonomous ICS malware demonstrated in 2016 — GRU indicted 2020

    • 2015 impact: approximately 225,000 customers across three Ukrainian oblenergos lost power for 1–6 hours on the afternoon of 23 December 2015 — the first confirmed cyberattack to cause a civilian electricity blackout.
    • 2016 impact: the Pivnichna (Ukrenergo) transmission substation north of Kyiv was tripped at approximately 00:03 on 17 December 2016, causing roughly 1 hour of outage; the significance lay not in duration but in the unprecedented autonomous ICS attack capability Industroyer demonstrated.
    • Both attacks were attributed by the U.S. intelligence community and allied governments to Sandworm (GRU Unit 74455). On 19 October 2020, the U.S. Department of Justice indicted six GRU officers — Yuriy Andrienko, Sergei Detistov, Pavel Frolov, Anatoliy Kovalev, Artem Ochichenko, and Petr Pliskin — for their roles in Sandworm operations including NotPetya and the Ukraine power grid attacks.
    • ESET's June 2017 Industroyer report and Dragos's concurrent CrashOverride paper established that Industroyer's modular design made it a reusable ICS attack platform — the precedent that motivated ICS-CERT and NERC CIP urgent advisories across NATO allies.
    • The 2015 attack is widely regarded as the first public proof-of-concept that a cyberattack could reliably cause a power outage in a modern electric grid; the 2016 attack demonstrated that such operations could be largely automated, removing the need for operators to manually interact with HMIs.
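Detection logic for two of the behaviours walked through above, Phase 05's native IEC-104 control commands and Phase 06's UDP traffic to relay port 50000, as an added example that is not part of the original page or any vendor's product: it parses IEC-104 I-format APDUs from captured flow records and raises an alert when a process-control ASDU comes from a host other than the assumed SCADA master, or when a host outside the engineering allowlist sends UDP to port 50000 on the assumed relay subnet. The IP addresses, allowlists and sample frames are constructed for the example.

```python
# Added example, not from the page: flag IEC-104 control ASDUs from unauthorised
# hosts and UDP traffic to relay port 50000. Addresses and frames are constructed.
CONTROL_TYPE_IDS = set(range(45, 52))   # IEC 60870-5-104 process-control types C_SC_NA_1..C_BO_NA_1
IEC104_PORT, SIPROTEC_EN100_PORT = 2404, 50000   # 50000/udp is the port named for CVE-2015-5374
SCADA_MASTERS = {"10.10.1.5"}           # assumption: only host allowed to send control commands
ENGINEERING_HOSTS = {"10.10.1.20"}      # assumption: hosts allowed to reach relay port 50000
RELAY_SUBNET = "10.10.2."               # assumption: protection relays live here

def parse_iec104_apdu(data: bytes):
    """Return (type_id, cause_of_transmission) for an I-format APDU, else None."""
    if len(data) < 6 or data[0] != 0x68:            # 0x68 start byte
        return None
    apdu_len = data[1]                               # octets following the length field
    if apdu_len < 10 or apdu_len + 2 > len(data):    # 4 control octets + 6-octet ASDU header minimum
        return None
    if data[2] & 0x01:                               # bit 0 set: S- or U-format, carries no ASDU
        return None
    return data[6], data[8] & 0x3F                   # type ID, low 6 bits of the COT octet

def inspect(rec: dict):
    """rec = {src, dst, proto, dport, payload}; return an alert string or None."""
    src, dst = rec["src"], rec["dst"]
    if rec["proto"] == "tcp" and rec["dport"] == IEC104_PORT:
        parsed = parse_iec104_apdu(rec["payload"])
        if parsed and parsed[0] in CONTROL_TYPE_IDS and src not in SCADA_MASTERS:
            return f"IEC-104 control ASDU type {parsed[0]} (COT {parsed[1]}) from non-master {src} to {dst}"
    if rec["proto"] == "udp" and rec["dport"] == SIPROTEC_EN100_PORT and dst.startswith(RELAY_SUBNET):
        if src not in ENGINEERING_HOSTS:
            return f"UDP/{SIPROTEC_EN100_PORT} to protection relay {dst} from unexpected host {src}"
    return None

def run_monitor(records):
    """Return all alerts raised over a sequence of flow records."""
    return [a for a in map(inspect, records) if a]

# Constructed I-format APDUs (length 0x0E = 4 control + 10 ASDU octets):
SAMPLE_SC = bytes([0x68, 0x0E, 0, 0, 0, 0, 45, 1, 6, 0, 1, 0, 16, 0, 0, 1])    # C_SC_NA_1, COT 6 activation
SAMPLE_IC = bytes([0x68, 0x0E, 0, 0, 0, 0, 100, 1, 6, 0, 1, 0, 0, 0, 0, 20])   # C_IC_NA_1 interrogation
SAMPLE_RECORDS = [
    {"src": "10.10.1.5",  "dst": "10.10.3.7", "proto": "tcp", "dport": 2404,  "payload": SAMPLE_SC},  # master: ok
    {"src": "10.10.1.77", "dst": "10.10.3.7", "proto": "tcp", "dport": 2404,  "payload": SAMPLE_SC},  # alert
    {"src": "10.10.1.77", "dst": "10.10.3.7", "proto": "tcp", "dport": 2404,  "payload": SAMPLE_IC},  # not control
    {"src": "10.10.1.77", "dst": "10.10.2.9", "proto": "udp", "dport": 50000, "payload": b"\0" * 8},  # alert
    {"src": "10.10.1.20", "dst": "10.10.2.9", "proto": "udp", "dport": 50000, "payload": b"\0" * 8},  # eng: ok
]

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_RECORDS):
        print(alert)
```

Running it over the constructed records yields two alerts, one for the control ASDU from the non-master host and one for the relay port probe; in a real deployment the allowlists would come from the site's asset inventory rather than literals.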
Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • Sandworm (GRU Unit 74455)
Capability
  • T1566.001
  • T1204.002
  • T1059.005
  • T1078
  • T1133
Infrastructure
Victim
  • See narrative above
Primary sources