{
  "description": "Enterprise techniques used by 2022 Ukraine Electric Power Attack, ATT&CK campaign C0034 (v1.0)",
  "name": "2022 Ukraine Electric Power Attack (C0034)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) utilized a PowerShell utility called TANKTRAP to spread and launch a wiper using Windows Group Policy.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1543", "showSubtechniques": true},
    {"techniqueID": "T1543.002", "comment": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) configured Systemd to maintain persistence of GOGETTER, specifying the `WantedBy=multi-user.target` configuration to run GOGETTER when the system begins accepting user logins.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1485", "comment": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) deployed [CaddyWiper](https://attack.mitre.org/software/S0693) on the victim\u2019s IT environment systems to wipe files related to the OT capabilities, along with mapped drives, and physical drive partitions.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1484", "showSubtechniques": true},
    {"techniqueID": "T1484.001", "comment": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) leveraged Group Policy Objects (GPOs) to deploy and execute malware.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1570", "comment": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) used a Group Policy Object (GPO) to copy [CaddyWiper](https://attack.mitre.org/software/S0693)'s executable `msserver.exe` from a staging server to a local hard drive before deployment.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.004", "comment": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) leveraged Systemd service units to masquerade GOGETTER malware as legitimate or seemingly legitimate services.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1095", "comment": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) proxied C2 communications within a TLS-based tunnel.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1572", "comment": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) deployed the GOGETTER tunneler software to establish a \u201cYamux\u201d TLS-based C2 channel with an external server(s).(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute [CaddyWiper](https://attack.mitre.org/software/S0693) at a predetermined time.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1505", "showSubtechniques": true},
    {"techniqueID": "T1505.003", "comment": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) deployed the Neo-REGEORG webshell on an internet-facing server.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by 2022 Ukraine Electric Power Attack", "color": "#66b1ff"}]
}
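The layer above is an ATT&CK Navigator layer file. As an added example (not code from ATT&CK or the Navigator project), the following Python loads such a layer, turns the Markdown-linked procedure comments into plain text with their citations, and checks the structural invariants that hand-edited layers tend to break: every sub-technique row has a parent row with `showSubtechniques` set, scores fall inside the gradient, and every colour used appears in the legend. The embedded layer is a constructed miniature for a stand-alone run: two rows copied from the file above plus one deliberately malformed row so that the checks have something to catch.

```python
"""Extract procedure examples from an ATT&CK Navigator layer and sanity-check it."""
import re

LINK_RE = re.compile(r"\[([^\]]+)\]\([^)]+\)")        # [text](url) -> text
CITE_RE = re.compile(r"\(Citation: ([^)]+)\)")         # (Citation: key)
SUBTECH_RE = re.compile(r"^(T\d{4})\.(\d{3})$")        # Txxxx.yyy

# Constructed miniature of the layer: two real rows from the file above plus a
# deliberately broken T1543.002 row (no T1543 parent row, score outside the
# gradient, colour absent from the legend).
SAMPLE_LAYER = {
    "name": "2022 Ukraine Electric Power Attack (C0034)",
    "domain": "enterprise-attack",
    "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
    "techniques": [
        {"techniqueID": "T1053", "showSubtechniques": True},
        {"techniqueID": "T1053.005",
         "comment": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), "
                    "[Sandworm Team](https://attack.mitre.org/groups/G0034) leveraged Scheduled Tasks through a "
                    "Group Policy Object (GPO) to execute [CaddyWiper](https://attack.mitre.org/software/S0693) "
                    "at a predetermined time.(Citation: Mandiant-Sandworm-Ukraine-2022)",
         "score": 1, "color": "#66b1ff", "showSubtechniques": True},
        {"techniqueID": "T1543.002", "comment": "constructed malformed row",
         "score": 5, "color": "#ff0000", "showSubtechniques": True},
    ],
    "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
    "legendItems": [{"label": "used by 2022 Ukraine Electric Power Attack", "color": "#66b1ff"}],
}


def strip_links(text):
    """Replace '[Sandworm Team](https://...)' with 'Sandworm Team'."""
    return LINK_RE.sub(r"\1", text)


def citations(text):
    """Citation keys referenced by a comment, in order of appearance."""
    return CITE_RE.findall(text)


def procedure_rows(layer):
    """One (technique ID, plain-text procedure, citation keys) tuple per scored row."""
    rows = []
    for entry in layer["techniques"]:
        if "score" not in entry:
            continue  # parent rows only exist to expand the sub-technique tree
        comment = entry.get("comment", "")
        plain = strip_links(CITE_RE.sub("", comment)).strip()
        rows.append((entry["techniqueID"], plain, citations(comment)))
    return rows


def validate_layer(layer):
    """Human-readable problems; an empty list means the layer is internally consistent."""
    problems = []
    by_id = {e["techniqueID"]: e for e in layer["techniques"]}
    gradient = layer["gradient"]
    legend_colors = {item["color"].lower() for item in layer.get("legendItems", [])}
    for tid, entry in by_id.items():
        match = SUBTECH_RE.match(tid)
        if match:
            parent = by_id.get(match.group(1))
            if parent is None:
                problems.append(f"{tid}: parent {match.group(1)} has no row "
                                "(ATT&CK-generated layers always add one with showSubtechniques=true)")
            elif not parent.get("showSubtechniques"):
                problems.append(f"{tid}: parent {match.group(1)} has showSubtechniques=false")
        if "score" in entry:
            if not gradient["minValue"] <= entry["score"] <= gradient["maxValue"]:
                problems.append(f"{tid}: score {entry['score']} outside gradient "
                                f"[{gradient['minValue']}, {gradient['maxValue']}]")
            if entry.get("color", "").lower() not in legend_colors:
                problems.append(f"{tid}: colour {entry.get('color')} is not in the legend")
    return problems


if __name__ == "__main__":
    for tid, text, cites in procedure_rows(SAMPLE_LAYER):
        print(f"{tid}: {text}  [{', '.join(cites)}]")
    for problem in validate_layer(SAMPLE_LAYER):
        print("PROBLEM:", problem)
```

To run it over the real file, replace `SAMPLE_LAYER` with `json.load(open("layer.json"))`; the validation should come back empty for the layer above, and `procedure_rows` gives you the ten procedure sentences without the Markdown, which is the form most useful for a hunting checklist.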
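Three of the rows above (T1484.001, T1570 and T1053.005) describe one chain: a GPO copies `msserver.exe` from a staging server to the local disk, and a GPO-delivered scheduled task runs it at a predetermined time. Both halves leave artefacts in SYSVOL as Group Policy Preferences XML (`Machine\Preferences\Files\Files.xml` and `Machine\Preferences\ScheduledTasks\ScheduledTasks.xml`). The following Python, added here as an example and not taken from the Mandiant report or any tool, parses both files and raises a high-severity finding when a GPO task executes a binary that a GPO file preference staged. The XML is constructed: only the file name `msserver.exe` comes from the page; the staging share `\\STAGING01\deploy`, the target path, the task name, the GUIDs and the timestamps are invented.

```python
"""Hunt Group Policy Preferences XML for GPO-staged executables and the tasks that run them."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".msi"}

# Constructed Files.xml: one executable copy from a staging share (the shape of the
# T1570 step) and one benign wallpaper copy. Share, paths and GUIDs are invented.
FILES_XML = r"""<Files clsid="{215B2E53-57CE-475c-80FE-9EEC14635851}">
  <File clsid="{50BE44C8-567A-4ed1-B1D0-9234FE1F38AF}" name="msserver.exe" status="msserver.exe"
        image="2" changed="2022-10-10 11:58:03" uid="{11111111-2222-3333-4444-555555555555}">
    <Properties action="U" fromPath="\\STAGING01\deploy\msserver.exe"
                targetPath="C:\Windows\Temp\msserver.exe" readOnly="0" archive="1" hidden="0" suppress="0"/>
  </File>
  <File clsid="{50BE44C8-567A-4ed1-B1D0-9234FE1F38AF}" name="wallpaper.jpg" status="wallpaper.jpg"
        image="2" changed="2022-01-04 09:00:00" uid="{66666666-7777-8888-9999-000000000000}">
    <Properties action="U" fromPath="\\DC01\NETLOGON\wallpaper.jpg"
                targetPath="C:\Users\Public\wallpaper.jpg" readOnly="0" archive="1" hidden="0" suppress="0"/>
  </File>
</Files>
"""

# Constructed ScheduledTasks.xml: a time-triggered task running the staged binary as
# SYSTEM (the shape of the T1053.005 step) next to a benign daily inventory task.
TASKS_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Windows Update Check" image="2"
          changed="2022-10-10 12:01:40" uid="{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}">
    <Properties action="U" name="Windows Update Check" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Triggers><TimeTrigger><Enabled>true</Enabled><StartBoundary>2022-10-10T18:30:00</StartBoundary></TimeTrigger></Triggers>
        <Actions Context="Author"><Exec><Command>C:\Windows\Temp\msserver.exe</Command></Exec></Actions>
      </Task>
    </Properties>
  </TaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Inventory" image="2"
          changed="2021-06-01 08:00:00" uid="{12121212-3434-5656-7878-909090909090}">
    <Properties action="U" name="Inventory" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Triggers><CalendarTrigger><StartBoundary>2021-06-01T02:00:00</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
        <Actions Context="Author"><Exec><Command>C:\Program Files\Inventory\agent.exe</Command></Exec></Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""


def is_executable(path):
    return PureWindowsPath(path).suffix.lower() in EXECUTABLE_SUFFIXES


def gpp_file_copies(xml_text):
    """Every <File> preference as a dict with its source and destination paths."""
    copies = []
    for item in ET.fromstring(xml_text).iter("File"):
        props = item.find("Properties")
        if props is None:
            continue
        copies.append({"name": item.get("name"), "changed": item.get("changed"),
                       "from": props.get("fromPath", ""), "to": props.get("targetPath", "")})
    return copies


def gpp_scheduled_tasks(xml_text):
    """Every TaskV2/ImmediateTaskV2 preference with its commands and trigger start times."""
    tasks = []
    root = ET.fromstring(xml_text)
    for kind in ("TaskV2", "ImmediateTaskV2"):
        for item in root.iter(kind):
            props = item.find("Properties")
            tasks.append({"name": item.get("name"), "kind": kind, "changed": item.get("changed"),
                          "run_as": props.get("runAs") if props is not None else None,
                          "commands": [c.text or "" for c in item.iter("Command")],
                          "starts": [s.text or "" for s in item.iter("StartBoundary")]})
    return tasks


def hunt(files_xml, tasks_xml):
    """(severity, message) findings: staged executables, and GPO tasks that run them."""
    staged = {c["to"].lower(): c for c in gpp_file_copies(files_xml) if is_executable(c["to"])}
    findings = [("medium", f"GPO copies executable {c['from']} -> {c['to']} (changed {c['changed']})")
                for c in staged.values()]
    for task in gpp_scheduled_tasks(tasks_xml):
        for cmd in task["commands"]:
            key = cmd.strip().strip('"').lower()
            if key in staged:
                when = ", ".join(task["starts"]) or "immediately"
                findings.append(("high", f"GPO task '{task['name']}' runs GPO-staged {cmd} "
                                         f"as {task['run_as']} at {when} (task changed {task['changed']})"))
            elif task["kind"] == "ImmediateTaskV2" and is_executable(key):
                findings.append(("medium", f"GPO immediate task '{task['name']}' runs {cmd}"))
    return findings


if __name__ == "__main__":
    for severity, message in hunt(FILES_XML, TASKS_XML):
        print(f"[{severity}] {message}")
```

Point it at an offline copy of `\\<domain>\SYSVOL\<domain>\Policies\<GUID>\Machine\Preferences\` from every GPO; the `changed` attributes are worth keeping in the output because a file preference and a task preference modified minutes apart, with a `StartBoundary` a few hours later, is exactly the copy-then-detonate timing the rows above describe.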
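The T1543.002 and T1036.004 rows describe the Linux side: GOGETTER installed as a systemd service enabled through `WantedBy=multi-user.target` and dressed up to look like a legitimate service. The following Python, added here as an example and not derived from the report or from GOGETTER itself, audits a set of unit files for that combination: a binary started from a transient or hidden path, a `Description=` copied from a vendor-shipped unit, and an `[Install]` section that enables it at `multi-user.target`. The unit files are constructed; the page gives neither GOGETTER's unit name nor its install path, so the names, descriptions and paths below are invented.

```python
"""Audit systemd unit files for masquerading services enabled at multi-user.target."""

# Directories a package-installed daemon would not normally be started from.
TRANSIENT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
# Where distribution packages install their units.
VENDOR_DIRS = ("/usr/lib/systemd/", "/lib/systemd/")

# Constructed unit files keyed by path: a genuine vendor sshd unit, an admin-dropped
# unit that copies its Description while running a hidden binary from /var/tmp, and a
# benign site-local oneshot. None of these are the real GOGETTER artefacts.
UNITS = {
    "/usr/lib/systemd/system/ssh.service": """[Unit]
Description=OpenBSD Secure Shell server
After=network.target auditd.service

[Service]
ExecStart=/usr/sbin/sshd -D
Restart=on-failure

[Install]
WantedBy=multi-user.target
""",
    "/etc/systemd/system/ssh-keygen-helper.service": """[Unit]
Description=OpenBSD Secure Shell server
After=network-online.target

[Service]
Type=simple
ExecStart=/var/tmp/.cache/sshd-helper --config /var/tmp/.cache/c.yaml
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target
""",
    "/etc/systemd/system/site-backup.service": """[Unit]
Description=Nightly site backup

[Service]
Type=oneshot
ExecStart=/opt/backup/bin/run-backup.sh
""",
}


def parse_unit(text):
    """Minimal INI-style parser that keeps repeated keys, which systemd permits."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def exec_binary(exec_value):
    """Program path from an ExecStart= value, dropping systemd's -, @, +, !, : prefixes."""
    tokens = exec_value.lstrip("-@+!:").split()
    return tokens[0] if tokens else ""


def audit_units(units):
    """Return {unit path: [reasons]} for non-vendor units that look like masquerades."""
    parsed = {path: parse_unit(text) for path, text in units.items()}
    # Descriptions used by vendor units, so a copied Description can be spotted.
    vendor_descriptions = {}
    for path, unit in parsed.items():
        if path.startswith(VENDOR_DIRS):
            for desc in unit.get("Unit", {}).get("Description", []):
                vendor_descriptions[desc] = path

    findings = {}
    for path, unit in parsed.items():
        if path.startswith(VENDOR_DIRS):
            continue
        reasons = []
        for value in unit.get("Service", {}).get("ExecStart", []):
            binary = exec_binary(value)
            if binary.startswith(TRANSIENT_DIRS):
                reasons.append(f"ExecStart runs from a transient or user-writable path: {binary}")
            if any(part.startswith(".") for part in binary.split("/")):
                reasons.append(f"ExecStart path has a hidden component: {binary}")
        for desc in unit.get("Unit", {}).get("Description", []):
            if desc in vendor_descriptions:
                reasons.append(f"Description copied from vendor unit {vendor_descriptions[desc]}")
        if reasons and "multi-user.target" in unit.get("Install", {}).get("WantedBy", []):
            reasons.append("WantedBy=multi-user.target: starts on every boot once the system accepts logins")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in audit_units(UNITS).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

On a live host, feed it the files under `/etc/systemd/system` and `/usr/lib/systemd/system` (and the `multi-user.target.wants` symlinks, which are what `WantedBy=` creates at `systemctl enable` time); a unit that only becomes suspicious in combination, a legitimate-looking description plus a binary under `/var/tmp`, is the pattern the two rows above are describing, and none of the individual signals is conclusive on its own.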