{"description": "ICS techniques used by 2022 Ukraine Electric Power Attack, ATT&CK campaign C0034 (v1.0)", "name": "2022 Ukraine Electric Power Attack (C0034)", "domain": "ics-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T0895", "comment": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) used existing hypervisor access to map an ISO image named `a.iso` to a virtual machine running a SCADA server. The SCADA server\u2019s operating system was configured to autorun CD-ROM images, and as a result, a malicious VBS script on the ISO image was automatically executed.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0807", "comment": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) leveraged the SCIL-API on the MicroSCADA platform to execute commands through the `scilc.exe` binary.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0853", "comment": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) utilized a Visual Basic script `lun.vbs` to execute `n.bat`, which then executed the MicroSCADA `scilc.exe` command.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0894", "comment": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) executed a MicroSCADA application binary `scilc.exe` to send a predefined list of SCADA instructions specified in a file defined by the adversary, `s1.txt`.\nThe executed command `C:\\sc\\prog\\exec\\scilc.exe -do pack\\scil\\s1.txt` leverages the SCADA software to send unauthorized command messages to remote substations.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T0855", "comment": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) used the MicroSCADA SCIL-API to specify a set of SCADA instructions, including the sending of unauthorized commands to substation devices.(Citation: Mandiant-Sandworm-Ukraine-2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by 2022 Ukraine Electric Power Attack", "color": "#66b1ff"}]}