{
  "Event": {
    "analysis": "0",
    "date": "2016-01-07",
    "extends_uuid": "",
    "info": "[Threat Intel] Sandworm Team and the Ukrainian Power Authority Attacks (UKRAINE 2015 CYBER ATTACK)",
    "protected": false,
    "publish_timestamp": "1772419200",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1772419195",
    "uuid": "8079695d-837f-4bda-9ca4-5c46f3b89102",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"CISA\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Google Cloud Blog\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Symantec\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Sandworm\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-groups=\"Sandworm\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Ukraine\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Electric\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003d",
        "local": false,
        "name": "rectifyq:sub-category=\"TA-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#1c006d",
        "local": false,
        "name": "rectifyq:topic=\"geopolitical\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"State-Sponsored\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Loss of Availability\"",
        "relationship_type": ""
      },
      {
        "colour": "#8de1e8",
        "local": false,
        "name": "SANS-ICS515",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-assets=\"Human-Machine Interface\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"External Remote Services\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Loss of Control\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Spearphishing Attachment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-software=\"BlackEnergy 3\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"KillDisk\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Block Command Message\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Block Serial COM\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Command-Line Interface\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Commonly Used Port\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Data Destruction\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Denial of Control\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Denial of View\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Indicator Removal on Host\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Masquerading\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Network Connection Enumeration\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Network Service Scanning\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Remote File Copy\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Remote System Discovery\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Scripting\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"System Firmware\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Unauthorized Command Message\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"User Execution\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-techniques=\"Valid Accounts\"",
        "relationship_type": ""
      },
      {
        "colour": "#f63636",
        "local": false,
        "name": "ICS-specific",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771810120",
        "to_ids": false,
        "type": "link",
        "uuid": "5fd794a3-72bf-4dfd-88c8-036bd4e53bb6",
        "value": "https://cloud.google.com/blog/topics/threat-intelligence/ukraine-and-sandworm-team/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771810120",
        "to_ids": false,
        "type": "link",
        "uuid": "d30f23df-5902-40bb-9bbc-fa1ce3badbba",
        "value": "https://www.sans.org/blog/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771810120",
        "to_ids": false,
        "type": "link",
        "uuid": "6a9fff7f-76d7-421c-96ea-f67cc682f293",
        "value": "https://blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-the-scada-connection/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771810120",
        "to_ids": false,
        "type": "link",
        "uuid": "f0627ac8-cc11-4222-824a-d7bfc9acba25",
        "value": "https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-14-281-01B"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771810120",
        "to_ids": false,
        "type": "link",
        "uuid": "9fd043e5-e30b-4573-b4ca-bd61e95266f7",
        "value": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=d4529ea1-c3de-4526-8cff-b6374dbf08de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771812490",
        "to_ids": false,
        "type": "link",
        "uuid": "aa70bec1-248c-41ff-9b65-868a80942b7b",
        "value": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771812626",
        "to_ids": false,
        "type": "link",
        "uuid": "20fe1a0c-8060-4521-a55e-5e76ed55e7ec",
        "value": "https://www.cisa.gov/news-events/ics-alerts/ir-alert-h-16-056-01"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771812626",
        "to_ids": false,
        "type": "link",
        "uuid": "72eac932-9602-476d-91e6-5d7a94ba84e3",
        "value": "https://www.ukrinform.net/rubric-crime/1937899-russian-hackers-plan-energy-subversion-in-ukraine.html"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771812626",
        "to_ids": false,
        "type": "link",
        "uuid": "f98ff38b-827f-4fa4-aa7c-055119328fec",
        "value": "https://www.rbc.ua/rus/news/pravitelstva-ssha-ukrainy-rassmotryat-otchet-1454113214.html"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771812626",
        "to_ids": false,
        "type": "link",
        "uuid": "aedb727d-e59a-4e87-aa0a-4872b1452138",
        "value": "https://tsn.ua/ru/ukrayina/iz-za-hakerskoy-ataki-obestochilo-polovinu-ivano-frankovskoy-oblasti-550406.html"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1771812762",
        "to_ids": false,
        "type": "link",
        "uuid": "e24a56c3-d756-4045-90ac-6e133e4808e3",
        "value": "http://web.archive.org/web/20160505184531/http://www.oe.if.ua/showarticle.php?id=3413"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772222356",
        "to_ids": false,
        "type": "link",
        "uuid": "4062416f-48fe-447c-a79b-47427a17b889",
        "value": "https://www.crowdstrike.com/en-us/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772329286",
        "to_ids": false,
        "type": "link",
        "uuid": "34bcb54b-222b-4042-a2df-60e3b7142cf8",
        "value": "https://www.cisa.gov/news-events/ics-alerts/ics-alert-14-281-01e"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772404074",
        "to_ids": false,
        "type": "link",
        "uuid": "563a231b-24e6-4411-ad44-0e2864498eb1",
        "value": "https://www.first.org/conference/2020/recordings"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771810272",
        "uuid": "8bcf5da7-c3b8-43eb-a4d3-34ba076bed7a",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771810239",
            "to_ids": false,
            "type": "text",
            "uuid": "76fa477a-ed57-4502-8ba0-3d1dacda4e41",
            "value": "BlackEnergy"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771810272",
            "to_ids": false,
            "type": "comment",
            "uuid": "b5c71b4c-93f8-440e-8d75-cf7c22de4fdd",
            "value": "detect common properties of the BE2 and BE3 loader: fires when any 2 of the 9 hard-coded 32-bit immediates are present (each preceded by what appears to be an x86 push-imm32 or mov-imm opcode, 68 / B?). Hex-pattern only, so it depends on these constants surviving unchanged; variants rebuilt with different constants will not match. Rule carries no meta block - record its source and date if it is exported to an IDS feed (to_ids is set)"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771810239",
            "to_ids": true,
            "type": "yara",
            "uuid": "1a449980-ff4f-4301-a89b-708db52c35cb",
            "value": "rule BlackEnergy\r\n{\r\n    strings:\r\n        $hc1 = {68 97 04 81 1D 6A 01}\r\n        $hc2 = {68 A8 06 B0 3B 6A 02}\r\n        $hc3 = {68 14 06 F5 33 6A 01}\r\n        $hc4 = {68 AF 02 91 AB 6A 01}\r\n        $hc5 = {68 8A 86 39 56 6A 02}\r\n        $hc6 = {68 19 2B 90 95 6A 01}\r\n        $hc7 = {(68 | B?) 11 05 90 23}\r\n        $hc8 = {(68 | B?) EB 05 4A 2F}\r\n        $hc9 = {(68 | B?) B7 05 57 2A}\r\n    condition:\r\n        2 of ($hc*)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771810297",
        "uuid": "5de32ac5-d4e2-45a2-a898-c6787cf5dd05",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771810297",
            "to_ids": false,
            "type": "text",
            "uuid": "839c1514-342e-4e63-a502-e285acc00ac8",
            "value": "BlackEnergy3"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771810297",
            "to_ids": false,
            "type": "comment",
            "uuid": "c4e982c3-09d2-4d59-b817-4bf4e9117180",
            "value": "detect BE3 variants that are not caught by the general BlackEnergy rule; condition is 4 of 8 ascii-only strings, several of which are short or generic (getp, getpd, CSTR, NTUSER.LOG), so validate the false-positive rate against clean binaries before relying on it with to_ids set, and note that UTF-16 (wide) occurrences of these strings will not match"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771810297",
            "to_ids": true,
            "type": "yara",
            "uuid": "370aed82-26e8-498b-95c9-4319325c68ac",
            "value": "rule BlackEnergy3\r\n{\r\n    strings:\r\n        $a1 = \"MCSF_Config\" ascii\r\n        $a2 = \"NTUSER.LOG\" ascii\r\n        $a3 = \"ldplg\" ascii\r\n        $a4 = \"unlplg\" ascii\r\n        $a5 = \"getp\" ascii\r\n        $a6 = \"getpd\" ascii\r\n        $a7 = \"CSTR\" ascii\r\n        $a8 = \"FONTCACHE.DAT\" ascii\r\n    condition:\r\n        4 of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771810322",
        "uuid": "2e8dae27-1cf2-409b-91a1-733289ba520d",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771810322",
            "to_ids": false,
            "type": "text",
            "uuid": "499dd59b-8a7c-4f10-9222-ed45a3c09e36",
            "value": "BlackEnergy2_Driver"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771810322",
            "to_ids": false,
            "type": "comment",
            "uuid": "75a6576b-0c58-441e-896e-58735b6b2d71",
            "value": "detect both packed and unpacked variants of the BE2 driver; requires all three $a strings (two 4-byte constants plus the IofCompleteRequest import name) and any 3 of the $b/$c strings. Keep the all-of($a*) requirement: the kernel API names on their own (IoAttachDeviceToDeviceStack, KeInsertQueueDpc, PsCreateSystemThread) are standard Windows driver imports, and 4-byte hex patterns are short enough to occur by chance in unrelated files"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771810322",
            "to_ids": true,
            "type": "yara",
            "uuid": "f08afd71-168e-4263-9780-a58857afc345",
            "value": "rule BlackEnergy2_Driver\r\n{\r\n    strings:\r\n        $a1 = {7E 4B 54 1A}\r\n        $a2 = {E0 3C 96 A2}\r\n        $a3 = \"IofCompleteRequest\" ascii\r\n        $b1 = {31 A1 44 BC}\r\n        $b2 = \"IoAttachDeviceToDeviceStack\" ascii\r\n        $b3 = \"KeInsertQueueDpc\" ascii\r\n        $c1 = {A3 41 FD 66}\r\n        $c2 = {61 1E 4E F8}\r\n        $c3 = \"PsCreateSystemThread\" ascii\r\n    condition:\r\n        all of ($a*) and 3 of ($b*, $c*)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1771810341",
        "uuid": "cd5a8cd7-8f33-430e-9120-f2c73f611770",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1771810341",
            "to_ids": false,
            "type": "text",
            "uuid": "9a386f1c-518f-4144-9d34-1ad6233fcf30",
            "value": "BlackEnergy2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1771810341",
            "to_ids": false,
            "type": "comment",
            "uuid": "7a9de317-a3ed-4c63-a94d-ac30f289665d",
            "value": "detect BE2 variants, typically plugins or loaders containing plugins; requires both export-style names (DispatchCommand and DispatchEvent, ascii only) and all three push-immediate constants ($a1-$a3, i.e. 3 of 3), so the rule is tight but will miss wide-string builds or variants whose constants differ"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1771810341",
            "to_ids": true,
            "type": "yara",
            "uuid": "2099b390-061c-4fcb-9ffd-50ff9910fb60",
            "value": "rule BlackEnergy2\r\n{\r\n    strings:\r\n        $ex1 = \"DispatchCommand\" ascii\r\n        $ex2 = \"DispatchEvent\" ascii\r\n        $a1 = {68 A1 B0 5C 72}\r\n        $a2 = {68 6B 43 59 4E}\r\n        $a3 = {68 E6 4B 59 4E}\r\n    condition:\r\n        all of ($ex*) and 3 of ($a*)\r\n}"
          }
        ]
      }
    ]
  }
}