ELECTRUM
Electric grid disruption and long-term persistence using LOTL tactics and custom ICS Malware.
THREAT DESCRIPTION
In December 2016, in Kiev, Ukraine, a significant malware incident blacked out a portion of the city’s electricity for about an hour. ELECTRUM is the activity group responsible for the 2016 power outage event caused by the ICS malware CRASHOVERRIDE. But it wasn’t the first time this group targeted Ukraine.
Dragos associates ELECTRUM with the SANDWORM Advanced Persistent Threat (APT) responsible for another Ukrainian power outage in 2015.
ELECTRUM previously served as a development group facilitating some of the earlier SANDWORM activity, but it moved into both a development and operational role in the CRASHOVERRIDE incident.
Earlier this year, Dragos identified new intelligence that provided more insight into ELECTRUM infiltration techniques and attack capabilities within the CRASHOVERRIDE malware. The group does not rely on exploits or zero-day vulnerabilities and instead leverages common exploitation behaviors and methodology.
For instance, the group used Microsoft SQL database servers as the gateway that bridges both the business and industrial control networks, to successfully compromise industrial control systems where they used stolen credentials to execute code.
ELECTRUM remains active, though our evidence suggests the group is no longer focusing exclusively on Ukraine. The group’s ongoing activity and link to the SANDWORM team indicate ELECTRUM’s sponsor could direct ICS disruption operations to other geographic areas. Dragos considers ELECTRUM to be one of the most competent and sophisticated threat activity groups currently in the ICS industry.
Dragos associates ELECTRUM with the SANDWORM Advanced Persistent Threat (APT) responsible for another Ukrainian power outage in 2015.
ELECTRUM previously served as a development group facilitating some of the earlier SANDWORM activity, but it moved into both a development and operational role in the CRASHOVERRIDE incident.
Earlier this year, Dragos identified new intelligence that provided more insight into ELECTRUM infiltration techniques and attack capabilities within the CRASHOVERRIDE malware. The group does not rely on exploits or zero-day vulnerabilities and instead leverages common exploitation behaviors and methodology.
For instance, the group used Microsoft SQL database servers as the gateway that bridges both the business and industrial control networks, to successfully compromise industrial control systems where they used stolen credentials to execute code.
ELECTRUM remains active, though our evidence suggests the group is no longer focusing exclusively on Ukraine. The group’s ongoing activity and link to the SANDWORM team indicate ELECTRUM’s sponsor could direct ICS disruption operations to other geographic areas. Dragos considers ELECTRUM to be one of the most competent and sophisticated threat activity groups currently in the ICS industry.
Date: Since 2016
ADVERSARY
- Assessed links with SANDWORM APT, now appears independent
CAPABILITIES
- Unique RAT & malicious wiper modules
VICTIM
- Electric Sector
- Ukraine, Europe
INFRASTRUCTURE
- Leveraged servers hosting many additional services such as TOR
ICS IMPACT
- Executed control system portion of 2016 Ukraine power event, deployed CRASHOVERRIDE designed to manipulate electric transmission equipment
