ELECTRUM

Electric grid disruption and long-term persistence using LOTL tactics and custom ICS Malware.

Threat Group: ELECTRUM
THREAT DESCRIPTION
In December 2016, a malware incident cut power to part of Kiev, Ukraine, for about an hour. ELECTRUM is the activity group responsible for that outage, which was caused by the ICS malware CRASHOVERRIDE. It was not the first time this group had targeted Ukraine.

Dragos associates ELECTRUM with the SANDWORM Advanced Persistent Threat (APT) responsible for another Ukrainian power outage in 2015.

ELECTRUM previously served as a development group facilitating some of the earlier SANDWORM activity, but it moved into both a development and operational role in the CRASHOVERRIDE incident.

Earlier this year, Dragos identified new intelligence that provided more insight into ELECTRUM's infiltration techniques and the attack capabilities built into the CRASHOVERRIDE malware. The group does not depend on software exploits or zero-day vulnerabilities for initial access or lateral movement; instead it relies on stolen credentials and native administrative tooling, the living-off-the-land (LOTL) approach, which makes its intrusion activity hard to distinguish from legitimate administration.

For instance, the group pivoted through Microsoft SQL Server hosts that bridged the business and industrial control networks, then used stolen credentials to execute code on industrial control systems. Dual-homed systems of this kind, reachable from the business side and trusted on the ICS side, are the path of least resistance into the control network.
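The following is an added example, not code from Dragos or from the ELECTRUM intrusions, showing the two checks a defender would want after reading the passage above: find hosts whose interfaces span both the business and ICS address ranges (the kind of database server described), then flag network or remote-interactive logons into ICS hosts that originate from those gateway hosts. The address plan, the host inventory and the logon records are all constructed for the example; real data would come from an asset inventory and Windows Security event ID 4624 records.

```python
"""Added example (not Dragos's or the adversary's code): find dual-homed
business/ICS gateway hosts and logons into the ICS zone sourced from them.
All addresses, hosts and logon records below are constructed sample data."""
import ipaddress
from typing import Dict, Iterable, List

# Assumed address plan (hypothetical): one business LAN, one ICS/OT network.
BUSINESS_NETS = [ipaddress.ip_network("10.10.0.0/16")]
ICS_NETS = [ipaddress.ip_network("192.168.50.0/24")]

# Constructed host inventory: hostname -> interface addresses.
INVENTORY: Dict[str, List[str]] = {
    "SQL-HIS-01": ["10.10.5.20", "192.168.50.20"],  # database server with a leg in each zone
    "FILESRV-01": ["10.10.5.40"],
    "HMI-01": ["192.168.50.10"],
    "ENG-WS-01": ["192.168.50.11"],
}

# Constructed logon records, fields loosely modelled on Windows event ID 4624.
# logon_type: 2 = local interactive, 3 = network, 10 = RemoteInteractive (RDP).
LOGONS = [
    {"ts": "2016-12-01T22:01:05Z", "target": "HMI-01", "src_ip": "192.168.50.20",
     "account": "svc_sql", "logon_type": 3},
    {"ts": "2016-12-01T22:03:41Z", "target": "ENG-WS-01", "src_ip": "192.168.50.20",
     "account": "ops_admin", "logon_type": 10},
    {"ts": "2016-12-01T22:04:10Z", "target": "HMI-01", "src_ip": "127.0.0.1",
     "account": "operator1", "logon_type": 2},
    {"ts": "2016-12-01T22:05:00Z", "target": "FILESRV-01", "src_ip": "10.10.5.20",
     "account": "svc_sql", "logon_type": 3},  # SQL host talking to the business side: expected
]


def in_nets(ip: str, nets: Iterable) -> bool:
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def dual_homed_hosts(inventory: Dict[str, List[str]],
                     business_nets=BUSINESS_NETS, ics_nets=ICS_NETS) -> List[str]:
    """Hosts with at least one interface in the business zone and one in the ICS zone.
    These are the bridge points an intruder with business-side access can pivot through."""
    found = []
    for host, addrs in inventory.items():
        if (any(in_nets(a, business_nets) for a in addrs)
                and any(in_nets(a, ics_nets) for a in addrs)):
            found.append(host)
    return sorted(found)


def gateway_logons_into_ics(logons: List[dict], inventory: Dict[str, List[str]],
                            business_nets=BUSINESS_NETS, ics_nets=ICS_NETS) -> List[dict]:
    """Remote logons (type 3 or 10) to an ICS-zone host whose source address belongs
    to a dual-homed gateway host. Each hit is the original record plus 'via_gateway'."""
    gateways = dual_homed_hosts(inventory, business_nets, ics_nets)
    ip_to_gateway = {a: h for h in gateways for a in inventory[h]}
    ics_hosts = {h for h, addrs in inventory.items()
                 if any(in_nets(a, ics_nets) for a in addrs) and h not in gateways}
    hits = []
    for rec in logons:
        if (rec["target"] in ics_hosts
                and rec["src_ip"] in ip_to_gateway
                and rec["logon_type"] in (3, 10)):
            hits.append({**rec, "via_gateway": ip_to_gateway[rec["src_ip"]]})
    return hits


if __name__ == "__main__":
    print("dual-homed gateway hosts:", dual_homed_hosts(INVENTORY))
    for hit in gateway_logons_into_ics(LOGONS, INVENTORY):
        print(f"{hit['ts']} {hit['account']} -> {hit['target']} "
              f"(type {hit['logon_type']}) via {hit['via_gateway']}")
```

A logon from the gateway into the control network is not malicious on its own; the point is that every such logon is a candidate for review, because on a network where the database server is the only bridge, credential theft on that host is all an intruder needs to reach the ICS side. Tuning would whitelist the accounts and target hosts the gateway legitimately touches and alert on anything else, especially interactive (type 10) sessions using a service account.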

ELECTRUM remains active, though our evidence suggests the group is no longer focusing exclusively on Ukraine. The group's ongoing activity and its link to the SANDWORM team indicate that ELECTRUM's sponsor could direct ICS disruption operations at other geographic areas. Dragos considers ELECTRUM to be one of the most competent and sophisticated threat activity groups currently targeting ICS.

Date: Since 2016

ADVERSARY

  • Assessed links with SANDWORM APT, now appears independent

CAPABILITIES

  • Unique RAT & malicious wiper modules

VICTIM

  • Electric Sector
  • Ukraine, Europe

INFRASTRUCTURE

  • Leveraged servers hosting many additional services such as Tor

ICS IMPACT

  • Executed control system portion of 2016 Ukraine power event, deployed CRASHOVERRIDE designed to manipulate electric transmission equipment
About Dragos Threat Intelligence

Dragos threat intelligence leverages the Dragos Platform, our threat operations center, and other sources to provide comprehensive insight into threats affecting industrial control security and safety worldwide. Dragos does not corroborate nor conduct political attribution to threat activity. Dragos instead focuses on threat behaviors and appropriate detection and response. Read more about Dragos’s approach to categorizing threat activity and attribution.

Dragos does not publicly describe ICS threat group technical details except in extraordinary circumstances, in order to limit tradecraft proliferation. However, full details on ELECTRUM and other groups' tools, techniques, procedures, and infrastructure are available to network defenders via Dragos WorldView.

Take the next step to protect your ICS environment now with a free demo.