
Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology | Google Cloud Blog

support\",\"https://workspace.google.com/support/\",[[[\"Admin Help\",\"https://support.google.com/a/#topic\\u003d29157\"],[\"Setup and Deployment Center\",\"https://workspace.google.com/setup\"],[\"Learning Center for Users\",\"https://workspace.google.com/learning-center/\"],[\"Forums for Admins\",\"https://productforums.google.com/forum/#!forum/apps\"],[\"Google Workspace Dashboard\",\"https://www.google.com/appsstatus\"],[\"What\u0027s New in Google Workspace\",\"https://workspace.google.com/whatsnew/\"],[\"Find a Google Workspace Partner\",\"https://www.google.com/a/partnersearch/\"],[\"Join the community of IT Admins\",\"https://www.googlecloudcommunity.com/gc/Google-Workspace/ct-p/google-workspace\"],[\"Press\",\"https://cloud.google.com/press/\"]]]],[\"More from Google\",null,[[[\"Google Cloud\",\"https://cloud.google.com/\"],[\"Google Domains\",\"https://domains.google.com/about/?utm_source\\u003dgoogleappsforwork\\u0026utm_medium\\u003dreferral\\u0026utm_campaign\\u003dgooglepromos\"],[\"Chrome Enterprise\",\"https://chromeenterprise.google/\"],[\"Google Business Solutions\",\"https://www.google.com/services/\"],[\"Google Ads\",\"https://ads.google.com/home/?subid\\u003dus-en-xs-aw-z-a-dyn-accounts_wsft!o3\"],[\"Business Messages\",\"https://businessmessages.google/\"],[\"Join User Studies\",\"https://userresearch.google.com/?reserved\\u003d0\\u0026utm_source\\u003dgsuite.google.com\\u0026Q_Language\\u003den\\u0026utm_medium\\u003down_srch\\u0026utm_campaign\\u003dGlobal-GSuite\\u0026utm_term\\u003d0\\u0026utm_content\\u003d0\\u0026productTag\\u003dgafw\\u0026campaignDate\\u003dnov18\\u0026pType\\u003dbprof\\u0026referral_code\\u003dug422768\"]]]]]]]]],[\"fr\",[[[[[\"Enthaltene Anwendungen\",\"https://workspace.google.com/intl/fr/features/\",[[[\"Gmail\",\"https://workspace.google.com/intl/fr/products/gmail/\"],[\"Meet\",\"https://workspace.google.com/intl/fr/products/meet/\"],[\"Chat\",\"https://workspace.google.com/intl/fr/products/chat/\"],[\"Google 
Agenda\",\"https://workspace.google.com/intl/fr/products/calendar/\"],[\"Drive\",\"https://workspace.google.com/intl/fr/products/drive/\"],[\"Docs\",\"https://workspace.google.com/intl/fr/products/docs/\"],[\"Sheets\",\"https://workspace.google.com/intl/fr/products/sheets/\"],[\"Slides\",\"https://workspace.google.com/intl/fr/products/slides/\"],[\"Forms\",\"https://workspace.google.com/intl/fr/products/forms/\"],[\"Google Sites\",\"https://workspace.google.com/intl/fr/products/sites/\"],[\"Keep\",\"https://workspace.google.com/intl/fr/products/keep/\"],[\"Apps Script\",\"https://workspace.google.com/intl/fr/products/apps-script/\"]]]]]],[[[\"Sécurité et gestion\",\"https://workspace.google.com/intl/fr/security/\",[[[\"Console d\u0027administration\",\"https://workspace.google.com/intl/fr/products/admin/\"],[\"Point de terminaison\",\"https://workspace.google.com/intl/fr/products/admin/endpoint/\"],[\"Vault\",\"https://workspace.google.com/intl/fr/products/vault/\"],[\"Work Insights\",\"https://workspace.google.com/intl/fr/products/workinsights/\"]]]],[\"Solutions\",\"https://workspace.google.com/intl/fr/solutions/\",[[[\"Nouvelle entreprise\",\"https://workspace.google.com/intl/fr/business/new-business/\"],[\"PME\",\"https://workspace.google.com/intl/fr/business/small-business/\"],[\"Grande entreprise\",\"https://workspace.google.com/intl/fr/solutions/enterprise/\"],[\"Education\",\"https://edu.google.com/products/workspace-for-education/education-fundamentals/\"],[\"Associations\",\"https://www.google.com/nonprofits/\"]]]]]],[[[\"Tarifs\",\"https://workspace.google.com/intl/fr/pricing.html\",[[[\"Choisissez une édition\",\"https://workspace.google.com/intl/fr/pricing.html\"]]]],[\"Add-ons\",null,[[[\"Gemini pour Workspace\",\"https://workspace.google.com/solutions/ai/\"],[\"Matériel Meet\",\"https://workspace.google.com/intl/fr/products/meet-hardware/\"],[\"Google 
Voice\",\"https://workspace.google.com/intl/fr/products/voice/\"],[\"AppSheet\",\"https://about.appsheet.com/home/\"]]]]]],[[[\"Ressources\",\"https://workspace.google.com/intl/fr/faq/\",[[[\"Travail à distance\",\"https://workspace.google.com/intl/fr/working-remotely/\"],[\"Sécurité\",\"https://workspace.google.com/intl/fr/security/\"],[\"Questions fréquentes\",\"https://workspace.google.com/intl/fr/faq/\"],[\"Partenaires\",\"https://cloud.withgoogle.com/partners/?products\\u003dGOOGLE_WORKSPACE_PRODUCT\"],[\"Marketplace\",\"https://workspace.google.com/marketplace/\"],[\"Intégrations\",\"https://workspace.google.com/intl/fr/integrations/\"],[\"Formation et certification\",\"https://workspace.google.com/intl/fr/training/\"]]]]]],[[[\"Formation et assistance\",\"https://workspace.google.com/intl/fr/support/\",[[[\"Aide pour les administrateurs\",\"https://support.google.com/a/#topic\\u003d29157\"],[\"Centre de configuration et de déploiement\",\"https://workspace.google.com/setup/?hl\\u003dfr\"],[\"Centre de formation pour les utilisateurs\",\"https://workspace.google.com/intl/fr/learning-center/\"],[\"Forums pour les administrateurs\",\"https://productforums.google.com/forum/#!forum/apps\"],[\"Tableau de bord Google Workspace\",\"https://www.google.com/appsstatus#hl\\u003dfr\"],[\"Rechercher un partenaire Google Workspace\",\"https://www.google.com/a/partnersearch/?hl\\u003dfr#home\"],[\"Presse\",\"https://cloud.google.com/press/\"]]]],[\"Autres ressources Google\",null,[[[\"Google Cloud\",\"https://cloud.google.com/?hl\\u003dfr\"],[\"Chrome Enterprise\",\"https://chromeenterprise.google/\"],[\"Solutions d\u0027entreprise Google\",\"https://www.google.com/intl/fr/services/\"],[\"Google pour les Pros\",\"https://pourlespros.withgoogle.com/?utm_source\\u003dEngagement\\u0026utm_medium\\u003dep\\u0026utm_term\\u003dSMB\\u0026utm_content\\u003dFR%20Apps%20for%20work%20footert\\u0026utm_campaign\\u003dQ4_2015%20FR%20Apps%20for%20work%20footer\"],[\"Google 
Ads\",\"https://ads.google.com/home/?subid\\u003dfr-fr-xs-aw-z-a-dyn-accounts_wsft!o3\"],[\"Business Messages\",\"https://businessmessages.google/\"],[\"Participer aux études sur l\u0027expérience utilisateur\",\"https://userresearch.google.com/?reserved\\u003d0\\u0026utm_source\\u003dgsuite.google.com\\u0026Q_Language\\u003den\\u0026utm_medium\\u003down_srch\\u0026utm_campaign\\u003dGlobal-GSuite\\u0026utm_term\\u003d0\\u0026utm_content\\u003d0\\u0026productTag\\u003dgafw\\u0026campaignDate\\u003dnov18\\u0026pType\\u003dbprof\\u0026referral_code\\u003dug422768\"]]]]]]]]],[\"ja\",[[[[[\"ご利用いただけるアプリケーション\",\"https://workspace.google.com/intl/ja/features/\",[[[\"Gmail\",\"https://workspace.google.com/intl/ja/products/gmail/\"],[\"Meet\",\"https://workspace.google.com/intl/ja/products/meet/\"],[\"Chat\",\"https://workspace.google.com/intl/ja/products/chat/\"],[\"カレンダー\",\"https://workspace.google.com/intl/ja/products/calendar/\"],[\"ドライブ\",\"https://workspace.google.com/intl/ja/products/drive/\"],[\"ドキュメント\",\"https://workspace.google.com/intl/ja/products/docs/\"],[\"スプレッドシート\",\"https://workspace.google.com/intl/ja/products/sheets/\"],[\"スライド\",\"https://workspace.google.com/intl/ja/products/slides/\"],[\"フォーム\",\"https://workspace.google.com/intl/ja/products/forms/\"],[\"サイト\",\"https://workspace.google.com/intl/ja/products/sites/\"],[\"Keep\",\"https://workspace.google.com/intl/ja/products/keep/\"],[\"Apps Script\",\"https://workspace.google.com/intl/ja/products/apps-script/\"]]]]]],[[[\"セキュリティと管理\",\"https://workspace.google.com/intl/ja/security/\",[[[\"管理コンソール\",\"https://workspace.google.com/intl/ja/products/admin/\"],[\"エンドポイント\",\"https://workspace.google.com/intl/ja/products/admin/endpoint/\"],[\"Vault\",\"https://workspace.google.com/intl/ja/products/vault/\"],[\"Work 
Insights\",\"https://workspace.google.com/intl/ja/products/workinsights/\"]]]],[\"ソリューション\",\"https://workspace.google.com/intl/ja/solutions/\",[[[\"新規ビジネス\",\"https://workspace.google.com/intl/ja/business/new-business/\"],[\"小規模ビジネス\",\"https://workspace.google.com/intl/ja/business/small-business/\"],[\"大規模ビジネス\",\"https://workspace.google.com/intl/ja/solutions/enterprise/\"],[\"Education\",\"https://edu.google.com/intl/ja/products/workspace-for-education/education-fundamentals/\"],[\"非営利団体\",\"https://www.google.com/intl/ja/nonprofits/\"]]]]]],[[[\"料金\",\"https://workspace.google.com/intl/ja/pricing.html\",[[[\"エディションを選ぶ\",\"https://workspace.google.com/intl/ja/pricing.html\"]]]],[\"Add-ons\",null,[[[\"Gemini for Workspace\",\"https://workspace.google.com/solutions/ai/\"],[\"Meet ハードウェア\",\"https://workspace.google.com/intl/ja/products/meet-hardware/\"],[\"AppSheet\",\"https://about.appsheet.com/home/\"]]]]]],[[[\"関連情報\",\"https://workspace.google.com/intl/ja/faq/\",[[[\"リモートワーク\",\"https://workspace.google.com/intl/ja/working-remotely/\"],[\"セキュリティ\",\"https://workspace.google.com/intl/ja/security/\"],[\"事例紹介\",\"https://workspace.google.com/intl/ja/customers/\"],[\"よくある質問\",\"https://workspace.google.com/intl/ja/faq/\"],[\"パートナー\",\"https://cloud.withgoogle.com/partners/?products\\u003dGOOGLE_WORKSPACE_PRODUCT\"],[\"Marketplace\",\"https://workspace.google.com/intl/ja/marketplace/\"],[\"統合\",\"https://workspace.google.com/intl/ja/integrations/\"],[\"トレーニングと認定資格\",\"https://workspace.google.com/intl/ja/training/\"]]]]]],[[[\"学習とサポート\",\"https://workspace.google.com/intl/ja/support/\",[[[\"管理者用ヘルプ\",\"https://support.google.com/a/#topic\\u003d29157\"],[\"設定と導入のガイド\",\"https://workspace.google.com/setup/?hl\\u003dja\"],[\"ユーザー向けラーニング センター\",\"https://workspace.google.com/intl/ja/learning-center/\"],[\"管理者向けフォーラム\",\"https://productforums.google.com/forum/#!forum/apps\"],[\"Google Workspace ステータス 
ダッシュボード\",\"https://www.google.com/appsstatus#hl\\u003dja\"],[\"Google Workspace パートナーを探す\",\"https://www.google.com/a/partnersearch/?hl\\u003dja#home\"],[\"プレスリリース\",\"https://cloud.google.com/press/?hl\\u003dja\"]]]],[\"その他の Google サービス\",null,[[[\"Google Cloud\",\"https://cloud.google.com/?hl\\u003dja\"],[\"Chrome Enterprise\",\"https://chromeenterprise.google/\"],[\"Google ビジネス ソリューション\",\"https://www.google.com/intl/ja/services/\"],[\"Google 広告\",\"https://ads.google.com/home/?subid\\u003dja-ja-xs-aw-z-a-dyn-accounts_wsft!o3\"],[\"Business Messages\",\"https://businessmessages.google/\"],[\"ユーザー調査に参加する\",\"https://userresearch.google.com/?reserved\\u003d0\\u0026utm_source\\u003dgsuite.google.com\\u0026Q_Language\\u003den\\u0026utm_medium\\u003down_srch\\u0026utm_campaign\\u003dGlobal-GSuite\\u0026utm_term\\u003d0\\u0026utm_content\\u003d0\\u0026productTag\\u003dgafw\\u0026campaignDate\\u003dnov18\\u0026pType\\u003dbprof\\u0026referral_code\\u003dug422768\"]]]]]]]]],[\"ko\",[[[[[\"포함된 애플리케이션\",\"https://workspace.google.com/intl/ko/features/\",[[[\"Gmail\",\"https://workspace.google.com/intl/ko/products/gmail/\"],[\"Meet\",\"https://workspace.google.com/intl/ko/products/meet/\"],[\"Chat\",\"https://workspace.google.com/intl/ko/products/chat/\"],[\"Calendar\",\"https://workspace.google.com/intl/ko/products/calendar/\"],[\"Drive\",\"https://workspace.google.com/intl/ko/products/drive/\"],[\"Docs\",\"https://workspace.google.com/intl/ko/products/docs/\"],[\"Sheets\",\"https://workspace.google.com/intl/ko/products/sheets/\"],[\"Slides\",\"https://workspace.google.com/intl/ko/products/slides/\"],[\"설문지\",\"https://workspace.google.com/intl/ko/products/forms/\"],[\"사이트 도구\",\"https://workspace.google.com/intl/ko/products/sites/\"],[\"Keep\",\"https://workspace.google.com/intl/ko/products/keep/\"],[\"Apps Script\",\"https://workspace.google.com/intl/ko/products/apps-script/\"]]]]]],[[[\"보안 및 
관리\",\"https://workspace.google.com/intl/ko/security/\",[[[\"관리\",\"https://workspace.google.com/intl/ko/products/admin/\"],[\"엔드포인트\",\"https://workspace.google.com/intl/ko/products/admin/endpoint/\"],[\"Vault\",\"https://workspace.google.com/intl/ko/products/vault/\"],[\"Work Insights\",\"https://workspace.google.com/intl/ko/products/workinsights/\"]]]],[\"솔루션\",\"https://workspace.google.com/intl/ko/solutions/\",[[[\"신규 업체\",\"https://workspace.google.com/intl/ko/business/new-business/\"],[\"중소기업\",\"https://workspace.google.com/intl/ko/business/small-business/\"],[\"엔터프라이즈\",\"https://workspace.google.com/intl/ko/solutions/enterprise/\"],[\"Education\",\"https://edu.google.com/products/workspace-for-education/education-fundamentals/\"],[\"비영리단체\",\"https://www.google.com/nonprofits/\"]]]]]],[[[\"가격\",\"https://workspace.google.com/intl/ko/pricing.html\",[[[\"버전 선택\",\"https://workspace.google.com/intl/ko/pricing.html\"]]]],[\"Add-ons\",null,[[[\"Workspace를 위한 Gemini\",\"https://workspace.google.com/solutions/ai/\"],[\"AppSheet\",\"https://about.appsheet.com/home/\"]]]]]],[[[\"리소스\",\"https://workspace.google.com/intl/ko/faq/\",[[[\"원격 근무\",\"https://workspace.google.com/intl/ko/working-remotely/\"],[\"보안\",\"https://workspace.google.com/intl/ko/security/\"],[\"FAQ\",\"https://workspace.google.com/intl/ko/faq/\"],[\"파트너\",\"https://cloud.withgoogle.com/partners/?products\\u003dGOOGLE_WORKSPACE_PRODUCT\"],[\"Marketplace\",\"https://workspace.google.com/intl/ko/marketplace/\"],[\"통합\",\"https://workspace.google.com/intl/ko/integrations/\"],[\"교육 및 인증\",\"https://workspace.google.com/intl/ko/training/\"]]]]]],[[[\"학습 및 지원\",\"https://workspace.google.com/intl/ko/support/\",[[[\"관리자 도움말\",\"https://support.google.com/a/#topic\\u003d29157\"],[\"설치 및 배포 센터\",\"https://workspace.google.com/setup/?hl\\u003dko\"],[\"사용자를 위한 학습 센터\",\"https://workspace.google.com/intl/ko/learning-center/\"],[\"관리자 포럼\",\"https://productforums.google.com/forum/#!forum/apps\"],[\"Google 
Workspace 대시보드\",\"https://www.google.com/appsstatus#hl\\u003dko\"],[\"Google Workspace 파트너 찾기\",\"https://www.google.com/a/partnersearch/?hl\\u003dko#home\"],[\"보도자료\",\"https://cloud.google.com/press/\"]]]],[\"Google의 다른 제품\",null,[[[\"Google Cloud\",\"https://cloud.google.com/?hl\\u003dko\"],[\"Chrome Enterprise\",\"https://chromeenterprise.google/\"],[\"Google 비즈니스 솔루션\",\"https://www.google.com/intl/ko_kr/business/\"],[\"Google Ads\",\"https://ads.google.com/home/?subid\\u003dkr-ko-xs-aw-z-a-dyn-accounts_wsft!o3\"],[\"Business Messages\",\"https://businessmessages.google/\"],[\"사용자 연구 참여\",\"https://userresearch.google.com/?reserved\\u003d0\\u0026utm_source\\u003dgsuite.google.com\\u0026Q_Language\\u003den\\u0026utm_medium\\u003down_srch\\u0026utm_campaign\\u003dGlobal-GSuite\\u0026utm_term\\u003d0\\u0026utm_content\\u003d0\\u0026productTag\\u003dgafw\\u0026campaignDate\\u003dnov18\\u0026pType\\u003dbprof\\u0026referral_code\\u003dug422768\"]]]]]]]]]]]","w2btAe":"%.@.null,null,\"\",false,null,null,true,false]","xn5OId":false,"xnI9P":true,"xwAfE":true,"y2FhP":"prod","yFnxrf":1884,"zChJod":"%.@.]"};</script><script nonce="7I0sTsvUKABcH_D7zfn1tw">(function(){'use strict';var a=window,d=a.performance,l=k();a.cc_latency_start_time=d&&d.now?0:d&&d.timing&&d.timing.navigationStart?d.timing.navigationStart:l;function k(){return d&&d.now?d.now():(new Date).getTime()}function n(e){if(d&&d.now&&d.mark){var g=d.mark(e);if(g)return g.startTime;if(d.getEntriesByName&&(e=d.getEntriesByName(e).pop()))return e.startTime}return k()}a.onaft=function(){n("aft")};a._isLazyImage=function(e){return e.hasAttribute("data-src")||e.hasAttribute("data-ils")||e.getAttribute("loading")==="lazy"}; a.l=function(e){function g(b){var c={};c[b]=k();a.cc_latency.push(c)}function m(b){var c=n("iml");b.setAttribute("data-iml",c);return 
c}a.cc_aid=e;a.iml_start=a.cc_latency_start_time;a.css_size=0;a.cc_latency=[];a.ccTick=g;a.onJsLoad=function(){g("jsl")};a.onCssLoad=function(){g("cssl")};a._isVisible=function(b,c){if(!c||c.style.display=="none")return!1;var f=b.defaultView;if(f&&f.getComputedStyle&&(f=f.getComputedStyle(c),f.height=="0px"||f.width=="0px"||f.visibility=="hidden"))return!1;if(!c.getBoundingClientRect)return!0; var h=c.getBoundingClientRect();c=h.left+a.pageXOffset;f=h.top+a.pageYOffset;if(f+h.height<0||c+h.width<0||h.height<=0||h.width<=0)return!1;b=b.documentElement;return f<=(a.innerHeight||b.clientHeight)&&c<=(a.innerWidth||b.clientWidth)};a._recordImlEl=m;document.documentElement.addEventListener("load",function(b){b=b.target;var c;b.tagName!="IMG"||b.hasAttribute("data-iid")||a._isLazyImage(b)||b.hasAttribute("data-noaft")||(c=m(b));if(a.aft_counter&&(b=a.aft_counter.indexOf(b),b!==-1&&(b=a.aft_counter.splice(b, 1).length===1,a.aft_counter.length===0&&b&&c)))a.onaft(c)},!0);a.prt=-1;a.wiz_tick=function(){var b=n("prt");a.prt=b}};}).call(this); l('DK1zsb')</script><script nonce="7I0sTsvUKABcH_D7zfn1tw">var _F_cssRowKey = 'boq-cloudx-web-blog.TransformBlogUi.kBvWwdAt86U.L.X.O';var _F_combinedSignature = 'AHrnUqUMne414GLMZipCdLurIRsd0ykfYQ';function _DumpException(e) {throw e;}</script><link rel="stylesheet" href="https://www.gstatic.com/_/mss/boq-cloudx-web-blog/_/ss/k=boq-cloudx-web-blog.TransformBlogUi.kBvWwdAt86U.L.X.O/am=OBgwCw/d=1/ed=1/rs=AHrnUqUdHr1ILLldbe8xmK4BOgod6WRp4g/m=articleview,_b,_tp" data-id="_cl" nonce="cbb7tgPh1zAAjQl0So98rg"><script nonce="7I0sTsvUKABcH_D7zfn1tw">onCssLoad();</script><style nonce="cbb7tgPh1zAAjQl0So98rg">@font-face{font-family:'Product Sans';font-style:normal;font-weight:400;src:url(https://fonts.gstatic.com/s/productsans/v9/pxiDypQkot1TnFhsFMOfGShVF9eK.eot);}@font-face{font-family:'Google 
Sans';font-style:normal;font-weight:400;src:url(https://fonts.gstatic.com/s/googlesans/v58/4Ua_rENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iqcsih3SAyH6cAwhX9RFD48TE63OOYKtrwEIJllpy0.eot);}@font-face{font-family:'Google Sans';font-style:normal;font-weight:500;src:url(https://fonts.gstatic.com/s/googlesans/v58/4Ua_rENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iqcsih3SAyH6cAwhX9RFD48TE63OOYKtrw2IJllpy0.eot);}@font-face{font-family:'Google Sans';font-style:normal;font-weight:700;src:url(https://fonts.gstatic.com/s/googlesans/v58/4Ua_rENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iqcsih3SAyH6cAwhX9RFD48TE63OOYKtrzjJ5llpy0.eot);}@font-face{font-family:'Google Sans Display';font-style:normal;font-weight:400;src:url(https://fonts.gstatic.com/s/googlesansdisplay/v13/ea8FacM9Wef3EJPWRrHjgE4B6CnlZxHVDv79pQ.eot);}@font-face{font-family:'Google Sans Display';font-style:normal;font-weight:500;src:url(https://fonts.gstatic.com/s/googlesansdisplay/v13/ea8IacM9Wef3EJPWRrHjgE4B6CnlZxHVBg3etBD7SA.eot);}@font-face{font-family:'Google Sans Display';font-style:normal;font-weight:700;src:url(https://fonts.gstatic.com/s/googlesansdisplay/v13/ea8IacM9Wef3EJPWRrHjgE4B6CnlZxHVBkXYtBD7SA.eot);}</style><script nonce="7I0sTsvUKABcH_D7zfn1tw">(function(){'use strict';function e(){var a=g,b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}};/* Copyright The Closure Library Authors. 
SPDX-License-Identifier: Apache-2.0 */ var l=this||self;/* Copyright 2024 Google, Inc SPDX-License-Identifier: MIT */ var m=["focus","blur","error","load","toggle"];function n(a){return a==="mouseenter"?"mouseover":a==="mouseleave"?"mouseout":a==="pointerenter"?"pointerover":a==="pointerleave"?"pointerout":a};function p(a){this.l={};this.m={};this.i=null;this.g=[];this.o=a}p.prototype.handleEvent=function(a,b,c){q(this,{eventType:a,event:b,targetElement:b.target,eic:c,timeStamp:Date.now(),eia:void 0,eirp:void 0,eiack:void 0})};function q(a,b){if(a.i)a.i(b);else{b.eirp=!0;var c;(c=a.g)==null||c.push(b)}} function r(a,b,c){if(!(b in a.l)&&a.o){var d=function(h,f,B){a.handleEvent(h,f,B)};a.l[b]=d;c=n(c||b);if(c!==b){var k=a.m[c]||[];k.push(b);a.m[c]=k}a.o.addEventListener(c,function(h){return function(f){d(b,f,h)}},void 0)}}p.prototype.j=function(a){return this.l[a]};p.prototype.ecrd=function(a){this.i=a;var b;if((b=this.g)==null?0:b.length){for(a=0;a<this.g.length;a++)q(this,this.g[a]);this.g=null}};var t=typeof navigator!=="undefined"&&/iPhone|iPad|iPod/.test(navigator.userAgent);function u(a){this.g=a;this.i=[]}u.prototype.addEventListener=function(a,b,c){t&&(this.g.style.cursor="pointer");var d=this.i,k=d.push,h=this.g;b=b(this.g);var f=!1;m.indexOf(a)>=0&&(f=!0);h.addEventListener(a,b,typeof c==="boolean"?{capture:f,passive:c}:f);k.call(d,{eventType:a,j:b,capture:f,passive:c})};var g="click dblclick focus focusin blur error focusout keydown keyup keypress load mouseover mouseout mouseenter mouseleave submit toggle touchstart touchend touchmove touchcancel auxclick change compositionstart compositionupdate compositionend beforeinput input select textinput copy cut paste mousedown mouseup wheel contextmenu dragover dragenter dragleave drop dragstart dragend pointerdown pointermove pointerup pointercancel pointerenter pointerleave pointerover pointerout gotpointercapture lostpointercapture ended loadedmetadata pagehide pageshow visibilitychange beforematch".split(" 
"); if(!(g instanceof Array)){var v;var w=typeof Symbol!="undefined"&&Symbol.iterator&&g[Symbol.iterator];if(w)v=w.call(g);else if(typeof g.length=="number")v={next:e()};else throw Error(String(g)+" is not an iterable or ArrayLike");for(var x,y=[];!(x=v.next()).done;)y.push(x.value)};var z=function(a){return{trigger:function(b){var c=a.j(b.type);c||(r(a,b.type),c=a.j(b.type));var d=b.target||b.srcElement;c&&c(b.type,b,d.ownerDocument.documentElement)},configure:function(b){b(a)}}}(function(){var a=window,b=new u(a.document.documentElement),c=new p(b);g.forEach(function(h){return r(c,h)});var d,k;"onwebkitanimationend"in a&&(d="webkitAnimationEnd");r(c,"animationend",d);"onwebkittransitionend"in a&&(k="webkitTransitionEnd");r(c,"transitionend",k);return{s:c,u:b}}().s),A=["BOQ_wizbind"], C=window||l;A[0]in C||typeof C.execScript=="undefined"||C.execScript("var "+A[0]);for(var D;A.length&&(D=A.shift());)A.length||z===void 0?C[D]&&C[D]!==Object.prototype[D]?C=C[D]:C=C[D]={}:C[D]=z;}).call(this); </script><script noCollect src="https://www.gstatic.com/_/mss/boq-cloudx-web-blog/_/js/k=boq-cloudx-web-blog.TransformBlogUi.en_US.gC3IVRdc-js.es5.O/am=OBgwCw/d=1/excm=_b,_tp,articleview/ed=1/dg=0/wt=2/ujg=1/rs=AHrnUqUC0U47L_N8kMcLkQijaVUP_3FZOw/m=_b,_tp" defer id="base-js" fetchpriority="high" nonce="7I0sTsvUKABcH_D7zfn1tw"></script><script nonce="7I0sTsvUKABcH_D7zfn1tw">if (window.BOQ_loadedInitialJS) {onJsLoad();} else {document.getElementById('base-js').addEventListener('load', onJsLoad, false);}</script><script nonce="7I0sTsvUKABcH_D7zfn1tw"> window['_wjdc'] = function (d) {window['_wjdd'] = d}; </script><title>Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology | Google Cloud Blog</title><meta name="description" content=""><meta name="robots" content="max-image-preview:large"><meta property="og:title" content="Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology | Google Cloud Blog"><meta 
property="og:type" content="website"><meta property="og:url" content="https://cloud.google.com/blog/topics/threat-intelligence/sandworm-disrupts-power-ukraine-operational-technology"><meta property="og:image" content="https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplif.max-2600x2600.png"><meta property="og:site_name" content="Google Cloud Blog"><meta name="twitter:card" content="summary_large_image"><meta name="twitter:url" content="https://cloud.google.com/blog/topics/threat-intelligence/sandworm-disrupts-power-ukraine-operational-technology"><meta name="twitter:title" content="Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology | Google Cloud Blog"><meta name="twitter:description" content=""><meta name="twitter:image" content="https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplif.max-2600x2600.png"><meta name="twitter:site" content="@googlecloud"><script type="application/ld+json">{"@context":"https://schema.org","@type":"BlogPosting","@id":"https://cloud.google.com/blog/topics/threat-intelligence/sandworm-disrupts-power-ukraine-operational-technology","headline":"Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology","description":"","image":"https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplif.max-2600x2600.png","author":[{"@type":"Person","name":"Mandiant ","url":""}],"datePublished":"2023-11-09","publisher":{"@type":"Organization","name":"Google Cloud","logo":{"@type":"ImageObject","url":"https://www.gstatic.com/devrel-devsite/prod/v8bb8fa0afe9a8c3a776ebeb25d421bb443344d789b3607754dfabea418b8c4be/cloud/images/cloud-logo.svg"}},"url":"https://cloud.google.com/blog/topics/threat-intelligence/sandworm-disrupts-power-ukraine-operational-technology","keywords":["Threat Intelligence"],"timeRequired":"PT29M"}</script><link rel="canonical" 
href="https://cloud.google.com/blog/topics/threat-intelligence/sandworm-disrupts-power-ukraine-operational-technology/"><meta name="track-metadata-page_post_title" content="Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology"><meta name="track-metadata-page_post_labels" content="Threat Intelligence"><meta name="track-metadata-page_first_published" content="2024-03-26 05:03:00"><meta name="track-metadata-page_last_published" content="2023-11-09 17:11:00"><meta name="track-metadata-page_post_author" content="Mandiant "><meta name="track-metadata-page_post_author_role" content=""><header jsaction="rcuQ6b:npT2md" jscontroller="o60eef" class="glue-header nRhiJb-tJHJj-OWXEXe-kFx1Ae" id="kO001e"><a href="./#content" class="glue-header__link glue-header__skip-content">Jump to Content</a><div class="glue-header__bar glue-header__bar--mobile DFb9Jf" track-metadata-module="header"><div class="nRhiJb-mb9u9d"><div class="glue-header__container JF2WI"><div class="nRhiJb-o2XRw-yHKmmc lUwpmd"><div class="nRhiJb-rSCjMe"><a class="nRhiJb-rSCjMe-hSRGPd" href="https://cloud.google.com/" title="Google Cloud" track-name="google cloud"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/"track-metadata-module="header"><div class="nRhiJb-rSCjMe-haAclf"><svg class="glue-header__logo-svg" viewBox="0 0 74 24" role="presentation" aria-hidden="true"><path fill="#4285F4" d="M9.24 8.19v2.46h5.88c-.18 1.38-.64 2.39-1.34 3.1-.86.86-2.2 1.8-4.54 1.8-3.62 0-6.45-2.92-6.45-6.54s2.83-6.54 6.45-6.54c1.95 0 3.38.77 4.43 1.76L15.4 2.5C13.94 1.08 11.98 0 9.24 0 4.28 0 .11 4.04.11 9s4.17 9 9.13 9c2.68 0 4.7-.88 6.28-2.52 1.62-1.62 2.13-3.91 2.13-5.75 0-.57-.04-1.1-.13-1.54H9.24z"></path><path fill="#EA4335" d="M25 6.19c-3.21 0-5.83 2.44-5.83 5.81 0 3.34 2.62 5.81 5.83 5.81s5.83-2.46 5.83-5.81c0-3.37-2.62-5.81-5.83-5.81zm0 9.33c-1.76 0-3.28-1.45-3.28-3.52 0-2.09 1.52-3.52 3.28-3.52s3.28 1.43 3.28 3.52c0 2.07-1.52 3.52-3.28 
role="button" jsaction="click:jUF4E"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-xgZe3c" viewBox="0 0 24 24" role="presentation" aria-hidden="true" width="40" height="22"><path d="M20.49 19l-5.73-5.73C15.53 12.2 16 10.91 16 9.5A6.5 6.5 0 1 0 9.5 16c1.41 0 2.7-.47 3.77-1.24L19 20.49 20.49 19zM5 9.5C5 7.01 7.01 5 9.5 5S14 7.01 14 9.5 11.99 14 9.5 14 5 11.99 5 9.5z"></path></svg></span></form></div></div></div></div></div><div class="glue-header__drawer-backdrop"></div></header><script nonce="7I0sTsvUKABcH_D7zfn1tw">var AF_initDataKeys = ["ds:0"]; var AF_dataServiceRequests = {'ds:0' : {id:'nInjGe',request:["cloudblog","topics/threat-intelligence/sandworm-disrupts-power-ukraine-operational-technology","en"]}}; var AF_initDataChunkQueue = []; var AF_initDataCallback; var AF_initDataInitializeCallback; if (AF_initDataInitializeCallback) {AF_initDataInitializeCallback(AF_initDataKeys, AF_initDataChunkQueue, AF_dataServiceRequests);}if (!AF_initDataCallback) {AF_initDataCallback = function(chunk) {AF_initDataChunkQueue.push(chunk);};}</script></head><body id="yDmH0d" jscontroller="pjICDe" jsaction="rcuQ6b:npT2md; click:FAbpgf; auxclick:FAbpgf" class="tQj5Y ghyPEc IqBfM ecJEib EWZcud nRhiJb-qJTHM" data-has-header="true" data-has-footer="true"><script aria-hidden="true" nonce="7I0sTsvUKABcH_D7zfn1tw">window.wiz_progress&&window.wiz_progress();</script><div class="VUoKZ" aria-hidden="true"><div class="TRHLAc"></div></div><c-wiz jsrenderer="zPZHOe" class="SSPGKf" jsdata="deferred-i1" data-p="%.@.&quot;cloudblog&quot;,&quot;topics/threat-intelligence/sandworm-disrupts-power-ukraine-operational-technology&quot;,&quot;en&quot;]" data-node-index="0;0" jsmodel="hc6Ubd" view c-wiz data-ogpc><div class="T4LgNb " jsname="a9kxte"><div jsname="qJTHM" class="kFwPee"><article class="nRhiJb-qJTHM" jsaction="rcuQ6b:npT2md" jscontroller="kxO7ab"><section class="nRhiJb-DARUcf"><div class="Wdmc0c nRhiJb-DbgRPb-wNfPc-cGMI2b"><div class="Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-qWD73c 
nRhiJb-BFbNVe-r8s4j-bMElCd dIsJJe" track-name="threat intelligence"track-type="tag">Threat Intelligence</div><div class="nRhiJb-ObfsIf"><div class="nRhiJb-kR0ZEf-OWXEXe-GV1x9e-R6PoUb"></div><div class="nRhiJb-kR0ZEf-OWXEXe-GV1x9e-EehZO nRhiJb-fmcmS-oXtfBe"><h1 class="Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-ibL1re"><div class="Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-ibL1re"><span class="FewWi"></span>Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology</div></h1></div></div><div class="nRhiJb-fmcmS-oXtfBe dEogG">November 9, 2023</div></div></section><div class="EKklye"><div class="nRhiJb-DARUcf ZWw7T"><div class="npzWPc"><div class="dzoHJ"><div class="nRhiJb-DX2B6 nRhiJb-DX2B6-OWXEXe-h30Snd"><div class="nRhiJb-j5y3u"><ul class="nRhiJb-Qijihe phRaUe" role="list"><li class="hpHPGf"><a class="nRhiJb-ARYxNe" href="https://x.com/intent/tweet?text=Sandworm%20Disrupts%20Power%20in%20Ukraine%20Using%20a%20Novel%20Attack%20Against%20Operational%20Technology%20@googlecloud&amp;url=https://cloud.google.com/blog/topics/threat-intelligence/sandworm-disrupts-power-ukraine-operational-technology" track-name="x"track-type="social share"track-metadata-eventdetail="x.com/intent/tweet?text=Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology%20@googlecloud&amp;url=cloud.google.com/blog/topics/threat-intelligence/sandworm-disrupts-power-ukraine-operational-technology"track-metadata-module="social icons" target="_blank" rel="noopener"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-DX2B6 nRhiJb-Bz112c-OWXEXe-nSuQf" viewBox="0 0 24 24" role="presentation" aria-hidden="true" role="presentation" aria-hidden="true"><path d="M13.9,10.5L21.1,2h-1.7l-6.3,7.4L8,2H2.2l7.6,11.1L2.2,22h1.7l6.7-7.8L16,22h5.8L13.9,10.5L13.9,10.5z M11.5,13.2l-0.8-1.1 L4.6,3.3h2.7l5,7.1l0.8,1.1l6.5,9.2h-2.7L11.5,13.2L11.5,13.2z"></path></svg></a></li><li class="hpHPGf"><a class="nRhiJb-ARYxNe" 
href="https://www.linkedin.com/shareArticle?mini=true&amp;url=https://cloud.google.com/blog/topics/threat-intelligence/sandworm-disrupts-power-ukraine-operational-technology&amp;title=Sandworm%20Disrupts%20Power%20in%20Ukraine%20Using%20a%20Novel%20Attack%20Against%20Operational%20Technology" track-name="linkedin"track-type="social share"track-metadata-eventdetail="www.linkedin.com/shareArticle?mini=true&amp;url=cloud.google.com/blog/topics/threat-intelligence/sandworm-disrupts-power-ukraine-operational-technology&amp;title=Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology"track-metadata-module="social icons" target="_blank" rel="noopener"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-DX2B6 nRhiJb-Bz112c-OWXEXe-nSuQf" viewBox="0 0 24 24" role="presentation" aria-hidden="true" role="presentation" aria-hidden="true"><path d="M20 2H4c-1.1 0-1.99.9-1.99 2L2 20c0 1.1.9 2 2 2h16c1.1 0 2-.9 2-2V4c0-1.1-.9-2-2-2zM8 19H5v-9h3v9zM6.5 8.31c-1 0-1.81-.81-1.81-1.81S5.5 4.69 6.5 4.69s1.81.81 1.81 1.81S7.5 8.31 6.5 8.31zM19 19h-3v-5.3c0-.83-.67-1.5-1.5-1.5s-1.5.67-1.5 1.5V19h-3v-9h3v1.2c.52-.84 1.59-1.4 2.5-1.4 1.93 0 3.5 1.57 3.5 3.5V19z"></path></svg></a></li><li class="hpHPGf"><a class="nRhiJb-ARYxNe" href="https://www.facebook.com/sharer/sharer.php?caption=Sandworm%20Disrupts%20Power%20in%20Ukraine%20Using%20a%20Novel%20Attack%20Against%20Operational%20Technology&amp;u=https://cloud.google.com/blog/topics/threat-intelligence/sandworm-disrupts-power-ukraine-operational-technology" track-name="facebook"track-type="social share"track-metadata-eventdetail="www.facebook.com/sharer/sharer.php?caption=Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology&amp;u=cloud.google.com/blog/topics/threat-intelligence/sandworm-disrupts-power-ukraine-operational-technology"track-metadata-module="social icons" target="_blank" rel="noopener"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-DX2B6 nRhiJb-Bz112c-OWXEXe-nSuQf" 
viewBox="0 0 24 24" role="presentation" aria-hidden="true" role="presentation" aria-hidden="true"><path d="M20 2H4c-1.1 0-1.99.9-1.99 2L2 20c0 1.1.9 2 2 2h16c1.1 0 2-.9 2-2V4c0-1.1-.9-2-2-2zm-1 2v3h-2c-.55 0-1 .45-1 1v2h3v3h-3v7h-3v-7h-2v-3h2V7.5C13 5.57 14.57 4 16.5 4H19z"></path></svg></a></li><li class="hpHPGf"><a class="nRhiJb-ARYxNe" href="mailto:?subject=Sandworm%20Disrupts%20Power%20in%20Ukraine%20Using%20a%20Novel%20Attack%20Against%20Operational%20Technology&amp;body=Check%20out%20this%20article%20on%20the%20Cloud%20Blog:%0A%0ASandworm%20Disrupts%20Power%20in%20Ukraine%20Using%20a%20Novel%20Attack%20Against%20Operational%20Technology%0A%0A%0A%0Ahttps://cloud.google.com/blog/topics/threat-intelligence/sandworm-disrupts-power-ukraine-operational-technology" track-name="email"track-type="social share"track-metadata-eventdetail="mailto:?subject=Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology&amp;body=Check%20out%20this%20article%20on%20the%20Cloud%20Blog:%0A%0ASandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology%0A%0A%0A%0Acloud.google.com/blog/topics/threat-intelligence/sandworm-disrupts-power-ukraine-operational-technology"track-metadata-module="social icons" target="_blank" rel="noopener"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-DX2B6 nRhiJb-Bz112c-OWXEXe-nSuQf" viewBox="0 0 24 24" role="presentation" aria-hidden="true" role="presentation" aria-hidden="true"><path d="M20 4H4c-1.1 0-2 .9-2 2v12c0 1.1.9 2 2 2h16c1.1 0 2-.9 2-2V6c0-1.1-.9-2-2-2zm-.8 2L12 10.8 4.8 6h14.4zM4 18V7.87l8 5.33 8-5.33V18H4z"></path></svg></a></li></ul></div></div></div></div></div><div><section class="nRhiJb-DARUcf"><div class="nRhiJb-DbgRPb-wNfPc-ma6Yeb nRhiJb-DbgRPb-wNfPc-cGMI2b"><section class="DA9Qj nRhiJb-ObfsIf nRhiJb-fmcmS-oXtfBe"><div class="nRhiJb-kR0ZEf-OWXEXe-GV1x9e-c5RTEf"></div><div class="nRhiJb-kR0ZEf-OWXEXe-GV1x9e-qWD73c"><h5 class="cHE8Ub Qwf2Db-MnozTc 
Qwf2Db-MnozTc-OWXEXe-MnozTc-qWD73c">Mandiant </h5><p class="nRhiJb-qJTHM khCp7b"></p></div></section></div></section><div class="nRhiJb-DARUcf"><div class="nRhiJb-ObfsIf nRhiJb-DbgRPb-wNfPc-ma6Yeb nRhiJb-DbgRPb-qWD73c-cGMI2b"><div class="nRhiJb-kR0ZEf-OWXEXe-GV1x9e-ibL1re dzoHJ"></div><div class="OYL9D nRhiJb-kR0ZEf-OWXEXe-GV1x9e-OiUrBf" jsname="tx2NYc"><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Written by: Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler McLellan, Chris Sistrunk</p> <hr></span></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p dir="ltr">In late 2022, Mandiant responded to a disruptive cyber physical incident in which the Russia-linked threat actor Sandworm targeted a Ukrainian critical infrastructure organization. This incident was a multi-event cyber attack that leveraged a novel technique for impacting industrial control systems (ICS) / operational technology (OT). The actor first used OT-level living off the land (LotL) techniques to likely trip the victim’s substation circuit breakers, causing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across Ukraine. Sandworm later conducted a second disruptive event by deploying a new variant of CADDYWIPER in the victim’s IT environment.</p> <p dir="ltr">This attack represents the latest evolution in Russia’s cyber physical attack capability, which has been increasingly visible since Russia’s invasion of Ukraine. 
The techniques leveraged during the incident suggest a growing maturity of Russia’s offensive OT arsenal, including an ability to recognize novel OT threat vectors, develop new capabilities, and leverage different types of OT infrastructure to execute attacks. By using LotL techniques, the actor likely decreased the time and resources required to conduct its cyber physical attack. While Mandiant was unable to determine the initial intrusion point, our analysis suggests the OT component of this attack may have been developed in as little as two months. This indicates that the threat actor is likely capable of quickly developing similar capabilities against other OT systems from different original equipment manufacturers (OEMs) leveraged across the world.</p> <p dir="ltr">We initially tracked this activity as <a href="https://cloud.google.com/blog/topics/threat-intelligence/gru-disruptive-playbook" rel="noopener" target="_blank"><u>UNC3810</u></a> before merging the cluster with Sandworm. Sandworm is a full-spectrum threat actor that has carried out espionage, influence and attack operations in support of Russia&#39;s Main Intelligence Directorate (GRU) since at least 2009. The group&#39;s long-standing central focus has been Ukraine, where it has carried out a campaign of disruptive and destructive attacks over the past decade using wiper malware, including during Russia&#39;s re-invasion in 2022. Beyond Ukraine, the group continues to sustain espionage operations that are global in scope and illustrative of the Russian military&#39;s far-reaching ambitions and interests in other regions. Government indictments have linked the group to the Main Center for Special Technologies (also known as GTsST and Military Unit 74455). Given Sandworm’s global threat activity and novel OT capabilities, we urge OT asset owners to take action to mitigate this threat. 
We include a range of detections, hunting and hardening guidance, MITRE ATT&amp;CK mappings and more in the appendices of this blog post.</p> <p dir="ltr"><em>If you need support responding to related activity, please contact </em><a href="https://cloud.google.com/security/consulting/mandiant-incident-response-services" rel="noopener" target="_blank"><em><u>Mandiant Consulting</u></em></a><em>. Further analysis of Sandworm threat activity is available as part of </em><a href="https://cloud.google.com/security/products/threat-intelligence" rel="noopener" target="_blank"><em><u>Mandiant Advantage Threat Intelligence</u></em></a><em>.</em></p> <h2>Incident Summary</h2> <p dir="ltr">Based on our analysis, the intrusion began on, or prior to, June 2022 and culminated in two disruptive events on October 10 and 12, 2022. While we were unable to identify the initial access vector into the IT environment, Sandworm gained access to the OT environment through a hypervisor that hosted a supervisory control and data acquisition (SCADA) management instance for the victim’s substation environment. Based on evidence of lateral movement, the attacker potentially had access to the SCADA system for up to three months.</p> <p dir="ltr">On October 10, the actor leveraged an optical disc (ISO) image named “a.iso” to execute a native MicroSCADA binary in a likely attempt to execute malicious control commands to switch off substations. The ISO file contained at least the following:</p> <ul> <li dir="ltr">“lun.vbs”, which runs n.bat</li> <li dir="ltr">“n.bat”, which likely runs the native scilc.exe utility</li> <li dir="ltr">“s1.txt”, which likely contains the unauthorized MicroSCADA commands</li> </ul> <p dir="ltr">Based on a September 23 timestamp of “lun.vbs”, there was potentially a two-month time period from when the attacker gained initial access to the SCADA system to when they developed the OT capability. 
Although we were not able to fully recover the ICS command execution implemented by the binary, we are aware that the attack resulted in an unscheduled power outage. Figure 1 contains a visualization of the execution chain resulting in the disruptive OT event.</p></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig1_ezxk.max-1400x1400.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig1_ezxk.max-1400x1400.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig1_ezxk.max-1400x1400.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig1_ezxk.max-1400x1400.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 1: Execution chain of disruptive OT event</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p dir="ltr">Two days after the OT event, Sandworm deployed a new variant of CADDYWIPER in the victim’s IT environment to cause further disruption and potentially to remove forensic artifacts. 
However, we note that the wiper deployment was limited to the victim’s IT environment and did not impact the hypervisor or the SCADA virtual machine. This is unusual since the threat actor had removed other forensic artifacts from the SCADA system in a possible attempt to cover their tracks, which would have been enhanced by the wiper activity. This could indicate a lack of coordination across different individuals or operational subteams involved in the attack.</p> <p dir="ltr">A deeper dive on the attack lifecycle and OT capability can be found in the Technical Analysis section of the blog post.</p> <h2>Sandworm’s Threat Activity Reveals Insights into Russia’s Offensive Cyber Capabilities</h2> <p dir="ltr">Sandworm’s substation attack reveals notable insights into Russia’s continued investment in OT-oriented offensive cyber capabilities and overall approach to attacking OT systems. This incident and last year’s INDUSTROYER.V2 incident both show efforts to streamline OT attack capabilities through simplified deployment features. We observed the same efforts in our analysis of a series of documents detailing project requirements to enhance Russian <a href="https://cloud.google.com/blog/topics/threat-intelligence/cyber-operations-russian-vulkan" rel="noopener" target="_blank"><u>offensive cyber capabilities</u></a>.</p> <p dir="ltr">Similarly, the evolution of suspected GRU-sponsored OT attacks shows a decrease in the scope of disruptive activities per attack. The 2015 and 2016 Ukraine blackout events each featured several discrete disruptive events against the OT environment (e.g., disabling UPS systems, bricking serial-to-ethernet converters, conducting a DoS attack against a SIPROTEC relay, wiping OT systems, etc.). 
By comparison, the <a href="https://cloud.google.com/blog/topics/threat-intelligence/industroyer-v2-old-malware-new-tricks" rel="noopener" target="_blank"><u>INDUSTROYER.V2 incidents</u></a> lacked many of those same disruptive components and the malware did not feature the wiper module from the original INDUSTROYER. Likewise, Sandworm’s activity in the OT network appears streamlined to only executing unauthorized ICS command messages, with the wiper activity limited to the IT environment. While this shift likely reflects the increased tempo of wartime cyber operations, it also reveals the GRU’s priority objectives in OT attacks.</p> <p dir="ltr">Sandworm’s use of a native <a href="https://attack.mitre.org/techniques/T1218/" rel="noopener" target="_blank"><u>Living off the Land binary (LotLBin)</u></a> to disrupt an OT environment shows a significant shift in techniques. Using tools that are more lightweight and generic than those observed in prior OT incidents, the actor likely decreased the time and resources required to conduct a cyber physical attack. LotLBin techniques also make it difficult for defenders to detect threat activity as they need to not only remain vigilant for new files introduced to their environments, but also for modifications to files already present within their installed OT applications and services. As outlined in recent research detailing the <a href="https://cloud.google.com/blog/topics/threat-intelligence/gru-disruptive-playbook" rel="noopener" target="_blank"><u>GRU's disruptive playbook</u></a>, we have observed Sandworm adopting LotL tactics across its wider operations to similarly increase the speed and scale at which it can operate while minimizing the odds of detection.</p> <p>While we lack sufficient evidence to assess a possible link, we note that the timing of the attack overlaps with Russian kinetic operations. 
Sandworm potentially developed the disruptive capability as early as three weeks prior to the OT event, suggesting the attacker may have been waiting for a specific moment to deploy the capability. The eventual execution of the attack <a href="https://www.understandingwar.org/backgrounder/russian-offensive-campaign-assessment-october-10" rel="noopener" target="_blank"><u>coincided</u></a> with the start of a multi-day set of coordinated missile strikes on critical infrastructure across <a href="https://www.facebook.com/GeneralStaff.ua/posts/pfbid034WNoYsPX22Fd413PLchpSQFwRKVbkdFyn1arb1mgDE77bT6PRTLWSXNN64fXu41Ml" rel="noopener" target="_blank"><u>several</u></a> Ukrainian cities, including the city in which the victim was located.</p></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig2_ebkw.max-1400x1400.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig2_ebkw.max-1400x1400.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig2_ebkw.max-1400x1400.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig2_ebkw.max-1400x1400.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 2: Historical Russia-nexus activity impacting 
OT</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><h2>Outlook</h2> <p dir="ltr">This attack represents an immediate threat to Ukrainian critical infrastructure environments leveraging the MicroSCADA supervisory control system. Given Sandworm's global threat activity and the worldwide deployment of MicroSCADA products, asset owners globally should take action to mitigate the group's tactics, techniques, and procedures against IT and OT systems. Furthermore, our analysis of the activity suggests Russia would be capable of developing similar capabilities against other SCADA systems and programming languages beyond MicroSCADA and SCIL. We urge asset owners to review and implement the following recommendations to mitigate and detect this activity.</p> <h2>Acknowledgements</h2> <p dir="ltr">This research was made possible thanks to the hard work of many people not listed on the byline. Mandiant would like to acknowledge the Security Service of Ukraine (SBU) for their continued partnership and contributions to this report as well as their ongoing collaboration. 
This incident response engagement was funded through the UK’s Ukraine Cyber Programme (cross-government Conflict, Stability and Security Fund) and delivered by the United Kingdom’s Foreign, Commonwealth and Development Office.</p> <h2>Technical Analysis: Sandworm Attack Against Ukrainian Substations</h2></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig3_yjky.max-900x900.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig3_yjky.max-900x900.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig3_yjky.max-900x900.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig3_yjky.max-900x900.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 3: Incident targeted attack lifecycle</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><h3>Initial Compromise and Maintaining Presence</h3> <p dir="ltr">At this time, it is unknown how Sandworm gained initial access to the victim. 
Sandworm was first observed in the victim’s environment in June 2022, when the actor deployed the <a href="https://github.com/L-codes/Neo-reGeorg" rel="noopener" target="_blank"><u>Neo-REGEORG</u></a> webshell on an internet-facing server. This is consistent with the group’s prior activity scanning and exploiting internet facing servers for initial access. Roughly one month later, Sandworm deployed GOGETTER, which is a tunneler written in Golang that proxies communications for its command and control (C2) server using the open-source library Yamux over TLS.</p> <p dir="ltr">When leveraging GOGETTER, Sandworm utilized a Systemd service unit to maintain persistence on systems. A Systemd service unit allows for a program to be run under certain conditions, and in this case, it was used to execute the GOGETTER binary on reboot.</p></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH H05fDc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig4_enek.max-900x900.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig4_enek.max-900x900.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH H05fDc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig4_enek.max-900x900.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig4_enek.max-900x900.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip 
ssk='5:kbe95'><p>Figure 4: Sandworm GOGETTER Systemd configuration location</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>The Systemd configuration file leveraged by Sandworm enabled the group to maintain persistence on systems. The value “WantedBy” defines when the program should be run; in the configuration used by Sandworm, the setting “multi-user.target” means that the program will be run when the host has reached a state when it will accept users logging on, for example after successful power on. This enables GOGETTER to maintain persistence across reboots. The “ExecStart” value specifies the path of the program to be run, which in this case was GOGETTER.</p></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig5_wwim.max-1200x1200.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig5_wwim.max-1200x1200.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig5_wwim.max-1200x1200.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig5_wwim.max-1200x1200.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" 
data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 5: Sandworm GOGETTER Systemd configuration</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p dir="ltr">When deploying GOGETTER, Mandiant observed Sandworm leverage Systemd service units designed to masquerade as legitimate or seemingly legitimate services.</p> <h3>Lateral Movement to SCADA Hypervisor and OT Attack Execution</h3> <p dir="ltr">Sandworm utilized a novel technique to impact the OT environment by executing code within an End-of-Life (EOL) MicroSCADA control system and issuing commands that impacted the victim’s connected substations. Table 1 summarizes the malicious files containing the new OT capability. We note that given the attacker’s use of anti-forensics techniques, we were not able to recover all the artifacts from the intrusion.</p> <div dir="ltr"><br> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div 
style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"><table> <tbody> <tr> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr"><strong>Filename</strong></p> </td> <td style="border:1px solid #000000;padding:16px"> <p 
dir="ltr"><strong>Hash</strong></p> </td> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr"><strong>Purpose</strong></p> </td> </tr> <tr> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">a.iso</p> </td> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">Unknown</p> </td> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">Contains attacker’s files</p> </td> </tr> <tr> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">lun.vbs</p> </td> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">26e2a41f26ab885bf409982cb823ffd1</p> </td> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">Runs n.bat</p> </td> </tr> <tr> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">n.bat</p> </td> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">Unknown</p> </td> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">Likely runs native scilc.exe utility</p> </td> </tr> <tr> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">s1.txt</p> </td> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">Unknown</p> </td> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">Likely contains SCIL commands</p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div style="color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%;text-align:center"><span style="color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%">Table 1: Malicious OT files</span></div> </div> </div> <p dir="ltr">To impact the OT systems, Sandworm accessed the hypervisor that hosted a SCADA management instance for the victim’s substation environment and leveraged an ISO image 
named "a.iso" as a virtual CD-ROM. The system was configured to permit inserted CD-ROMs to autorun. The ISO file, at minimum, contained the following files: "lun.vbs" and "n.bat" as both files are referenced within the D volume and therefore contained within “a.iso”. The inserted ISO led to at least the following command lines execution:</p> <ul> <li dir="ltr">wscript.exe "d:\pack\lun.vbs"</li> <li dir="ltr">cmd /c "D:\pack\n.bat"</li> </ul> <p dir="ltr">Based on forensic analysis, we believe “lun.vbs” contents are the following (Figure 6):</p></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig6_kbSV9R9.max-800x800.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig6_kbSV9R9.max-800x800.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig6_kbSV9R9.max-800x800.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig6_kbSV9R9.max-800x800.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 6: “lun.vbs” contents</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p dir="ltr">The 
contents in Figure 6 indicate that “lun.vbs” executes “n.bat”. Additional fragments recovered include text consistent with Windows command line execution (Figure 7). This fragment was identified by analyzing images from the host. Reconstruction of the host’s anti-virus logs indicates “lun.vbs” and “n.bat” were executed in close time proximity. Because of this and the reference to the attacker’s ISO folder path, we believe that the command fragment in Figure 7 is likely the contents of “n.bat”.</p></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig7_zzoHBUq.max-800x800.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig7_zzoHBUq.max-800x800.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig7_zzoHBUq.max-800x800.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig7_zzoHBUq.max-800x800.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 7: Command fragment</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p dir="ltr">The syntax of the command fragment includes 
“scilc.exe”, a native utility that is part of the MicroSCADA software suite. The utility is located in the “\sc\prog\exec” folder within the MicroSCADA installation directory, amongst other utilities, libraries, and resources used by MicroSCADA. The impacted MicroSCADA system was running an EOL software version that allowed default access to the SCIL-API. The “-do” flag specifies a SCIL program file to execute (Figure 8). Lastly, the command supplies a file named “s1.txt” in the "pack\scil\" folder of the attacker's ISO. We assess "pack\scil\s1.txt" is likely a file containing SCIL commands the attackers executed in MicroSCADA. This file was unrecoverable at the time of analysis.</p></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig8.max-800x800.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig8.max-800x800.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig8.max-800x800.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig8.max-800x800.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 8: Scilc.exe usage example</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span 
class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>According to Hitachi Energy’s <a href="https://datacloud.fun/Data/ABB/MicroSCADA/SYS600_Programming%20Language%20SCIL.pdf" rel="noopener" target="_blank"><u>documentation</u></a>, SCIL is a high level programming language designed for MicroSCADA control systems and can operate the system and its features (Figure 9). SCIL programs are generally text-based statements that can be composed of commands, objects, variables, calls to predefined functions, and expressions. There are several methods in which SCIL programs can execute, such as an engineer/operator clicking a button or image within the MicroSCADA system, scheduled or process derived changes, or in this case manual execution.</p></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig9_xskj.max-1200x1200.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig9_xskj.max-1200x1200.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig9_xskj.max-1200x1200.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig9_xskj.max-1200x1200.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 9: SCIL 
overview</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p dir="ltr">While we were unable to identify the SCIL commands executed, we believe they were probably commands to open circuit breakers in the victim’s substation environments. The SCIL commands would have caused the MicroSCADA server to relay the commands to the substation RTUs via either the IEC-60870-5-104 protocol for TCP/IP connections or the IEC-60870-5-101 protocol for serial connections.</p> <h3>Sandworm Deployed New CADDYWIPER Variant to Further Disrupt the Victim’s IT Environment</h3> <p dir="ltr">Two days following the OT activity, Sandworm deployed a new variant of CADDYWIPER throughout the IT environment. This CADDYWIPER variant, compiled in October 2022, contains some minor functionality improvements that allow threat actors to resolve functions at runtime. We have observed CADDYWIPER deployed across several verticals in Ukraine, including the government and financial sectors, throughout Russia’s invasion of Ukraine.</p> <p dir="ltr">CADDYWIPER is a disruptive wiper written in C that is focused on making data irrecoverable and causing maximum damage within an environment. CADDYWIPER will attempt to wipe all files before proceeding to wipe any mapped drives. It will then attempt to wipe the physical drive partition itself. Notably, CADDYWIPER has been the most frequently used <a href="https://cloud.google.com/blog/topics/threat-intelligence/gru-rise-telegram-minions" rel="noopener" target="_blank"><u>disruptive tool against Ukrainian entities</u></a> during the war and has seen consistent operational use since March 2022, based on public reporting. 
We have observed Sandworm utilize CADDYWIPER in disruptive operations across multiple intrusions.</p> <p dir="ltr">Sandworm deployed CADDYWIPER in this operation via two Group Policy Objects (GPOs) from a Domain Controller using TANKTRAP. TANKTRAP is a utility written in PowerShell that uses Windows Group Policy to spread and launch a wiper. We have observed TANKTRAP being used with other disruptive tools including NEARMISS, SDELETE, PARTYTICKET, and CADDYWIPER. These group policies contained instructions to copy a file from a server to the local hard drive and to schedule a task to run the copied file at a particular time.</p></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH H05fDc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig10.max-800x800.png" alt="Figure 10: Sandworm TANKTRAP GPO 1" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH H05fDc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig10.max-800x800.png" alt="Figure 10: Sandworm TANKTRAP GPO 1" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 10: Sandworm TANKTRAP GPO 1</p></span></div></section></div></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" 
jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig11.max-800x800.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig11.max-800x800.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig11.max-800x800.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig11.max-800x800.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 11: Sandworm TANKTRAP GPO 2</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p dir="ltr">Both TANKTRAP GPOs deployed CADDYWIPER from a staged directory to systems as msserver.exe. 
CADDYWIPER was then executed as a scheduled task at a predetermined time.</p> <div dir="ltr"><br> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> 
<div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"><table> <tbody> <tr> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr"><strong>Item</strong></p> </td> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr"><strong>Value</strong></p> </td> </tr> <tr> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">Task Name</p> </td> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">qAWZe</p> </td> </tr> <tr> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">Legacy Task Name</p> </td> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">QcWBX</p> </td> </tr> <tr> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">Command to Run</p> </td> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">C:\Windows\msserver.exe</p> </td> </tr> <tr> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">Trigger</p> </td> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">Run at 2022-10-12 16:50:40</p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> 
</div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div style="color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%"> <div> <div> <div>Table 2: Sandworm TANKTRAP GPO 1 Scheduled Task</div> </div> </div> </div> </div> </div> <div dir="ltr"><br> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div 
style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"><table> <tbody> <tr> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr"><strong>Item</strong></p> </td> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr"><strong>Value</strong></p> </td> </tr> <tr> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">Task Name</p> </td> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">QJKWt</p> </td> </tr> <tr> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">Legacy Task Name</p> </td> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">zJMwY</p> </td> </tr> <tr> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">Command to Run</p> </td> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">C:\Windows\msserver.exe</p> </td> </tr> <tr> <td style="border:1px solid #000000;padding:16px"> <p 
dir="ltr">Trigger</p> </td> <td style="border:1px solid #000000;padding:16px"> <p dir="ltr">Run at 2022-10-12 17:15:59</p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div style="color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%;text-align:left">Table 3: Sandworm TANKTRAP GPO 2 Scheduled Task</div> </div> </div> <h2>Appendix A: Discovery and Hardening Guidance</h2> <p dir="ltr">In this incident, the attacker leveraged an EOL version of the MicroSCADA supervisory control system. The SCIL-API interface in MicroSCADA has been disabled-by-default since the release of MicroSCADA 9.4 in 2014. If required to continue using the interface, asset owners can refer to MRK511518 MicroSCADA X Cyber Security Deployment Guideline on how to harden the MicroSCADA. Please contact the Hitachi Energy MicroSCADA support team to obtain the documentation.</p> <p dir="ltr">We note that the MicroSCADA control system became a Hitachi Energy product in 2022 after a divestiture from ABB. 
Asset owners should reference both vendors in asset inventories and manual asset inspections to determine if the product is present in any OT environments.</p> <p dir="ltr">Harden MicroSCADA and other SCADA management hosts:</p> <ul> <li dir="ltr">Update MicroSCADA to supported versions.</li> <li dir="ltr">Configure MicroSCADA to require authentication and establish a least-privilege design for user permissions.</li> <li dir="ltr">Establish robust network segmentation between MicroSCADA hosts and IT networks.</li> <li dir="ltr">Enable robust application logging for MicroSCADA and aggregate logs to a central location.</li> <li dir="ltr">Where feasible, configure the base system in “read-only” mode and ensure no external SCIL-API programs (such as scilc.exe) are allowed.</li> <li dir="ltr">Consult with OEMs for installed SCADA software to identify similar methods of code execution within their software and to obtain guidance on mitigations.</li> </ul> <p dir="ltr">Monitor MicroSCADA systems and other SCADA management systems for:</p> <ul> <li dir="ltr">Command-line execution of the MicroSCADA “Scilc.exe” binary and other native MicroSCADA binaries that may be leveraged to execute unauthorized SCIL programs/commands.</li> <li dir="ltr">Network traffic and process-related telemetry to/from host(s) operating the MicroSCADA software. 
Investigate anomalous activity and correlate findings with process telemetry.</li> <li dir="ltr">Files transferred or moved onto MicroSCADA hosts.</li> <li dir="ltr">Newly created files with MicroSCADA or SCIL programming language references.</li> <li dir="ltr">Unauthorized changes in MicroSCADA system configuration and data.</li> </ul> <h2>Appendix B: Indicators of Compromise (IOCs)</h2> <div dir="ltr"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div 
style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"><table border="1" style="border-collapse:collapse;width:100%"> <tbody> <tr> <td style="width:50%"> <p><strong>Indicator</strong></p> </td> <td style="width:50%"> <p><strong>Description</strong></p> </td> </tr> <tr> <td style="width:50%"> <p>82.180.150[.]197</p> </td> <td style="width:50%"> <p>Source IP address for requests to Neo-REGEORG </p> </td> </tr> <tr> <td style="width:50%"> <p>176.119.195[.]113</p> </td> <td style="width:50%"> <p>Source IP address for requests to Neo-REGEORG </p> </td> </tr> <tr> <td style="width:50%"> <p>176.119.195[.]115</p> </td> <td style="width:50%"> <p>Source IP address for requests to Neo-REGEORG</p> </td> </tr> <tr> <td style="width:50%"> <p>185.220.101[.]58</p> </td> <td style="width:50%"> <p>Source IP address for requests to Neo-REGEORG</p> </td> </tr> <tr> <td style="width:50%"> <p>190.2.145[.]24</p> </td> <td style="width:50%"> <p>C2 for GOGETTER </p> </td> </tr> <tr> <td style="width:50%"> <p>Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0</p> </td> <td style="width:50%"> <p>User agent for requests to Neo-REGEORG </p> </td> </tr> <tr> <td style="width:50%"> <p>Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0</p> </td> <td style="width:50%"> <p>User agent for requests to Neo-REGEORG</p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> 
</div> </div> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow:auto hidden;width:100%;text-align:center"><span style="font-size:16px;font-style:italic;color:#5f6368;display:block;margin-top:8px;width:100%">Table 4: Network IOCs</span></div> <div style="color:#5f6368;overflow:auto hidden;width:100%;text-align:center"> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div style="color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div 
style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"><table border="1" style="border-collapse:collapse;width:100%"> <tbody> <tr> <td style="width:21.7914%"> <p><strong>File Name</strong></p> </td> <td style="width:38.1016%"> <p><strong>MD5 Hash</strong></p> </td> <td style="width:40.107%"> <p><strong>Type</strong></p> </td> </tr> <tr> <td style="width:21.7914%"> <p>Functions.php</p> </td> <td style="width:38.1016%"> <p>3290cd8f948b8b15a3c53f8e7190f9b0</p> </td> <td style="width:40.107%"> <p>Neo-REGEORG</p> </td> </tr> <tr> <td style="width:21.7914%"> <p>cloud-online</p> </td> <td style="width:38.1016%"> <p>cea123ebf54b9d4f8811a47134528f12</p> </td> <td style="width:40.107%"> <p>GOGETTER</p> </td> </tr> <tr> <td style="width:21.7914%"> <p>lun.vbs</p> </td> <td style="width:38.1016%"> 
<p>26e2a41f26ab885bf409982cb823ffd1</p> </td> <td style="width:40.107%"> <p>Runs n.bat</p> </td> </tr> <tr> <td style="width:21.7914%"> <p>n.bat</p> </td> <td style="width:38.1016%"> <p>UNKNOWN</p> </td> <td style="width:40.107%"> <p>Likely runs scilc.exe</p> </td> </tr> <tr> <td style="width:21.7914%"> <p>a.iso</p> </td> <td style="width:38.1016%"> <p>UNKNOWN</p> </td> <td style="width:40.107%"> <p>Likely contains attacker files</p> </td> </tr> <tr> <td style="width:21.7914%"> <p>msserver.exe / lhh.exe</p> </td> <td style="width:38.1016%"> <p>b2557692a63e119af0a106add54950e6</p> </td> <td style="width:40.107%"> <p>CADDYWIPER</p> </td> </tr> <tr> <td style="width:21.7914%"> <p>Files.xml</p> </td> <td style="width:38.1016%"> <p>Not Applicable</p> </td> <td style="width:40.107%"> <p>Part of TANKTRAP Group Policy; File Copy</p> </td> </tr> <tr> <td style="width:21.7914%"> <p>ScheduledTasks.xml</p> </td> <td style="width:38.1016%"> <p>61c245a073bdb08158a3c9ad0219dc23</p> </td> <td style="width:40.107%"> <p>Part of TANKTRAP Group Policy; Task</p> </td> </tr> <tr> <td style="width:21.7914%"> <p>ScheduledTasks.xml</p> </td> <td style="width:38.1016%"> <p>82ab2c7e4d52bb2629aff200a4dc6630</p> </td> <td style="width:40.107%"> <p>Part of TANKTRAP Group Policy; Task</p> </td> </tr> <tr> <td style="width:21.7914%"> <p>s1.txt</p> </td> <td style="width:38.1016%"> <p>UNKNOWN</p> </td> <td style="width:40.107%"> <p>Likely contains SCIL commands</p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div style="color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%;text-align:center"><span style="color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%">Table 5: Endpoint IOCs</span></div> <h2>Appendix C: YARA Rules</h2> 
<pre><code>rule M_Methodology_MicroSCADA_SCILC_Strings {
  meta:
    author = &quot;Mandiant&quot;
    date = &quot;2023-02-13&quot;
    description = &quot;Searching for files containing strings associated with the MicroSCADA Supervisory Control Implementation Language (SCIL) scilc.exe binary.&quot;
    disclaimer = &quot;This rule is for hunting purposes only and has not been tested to run in a production environment.&quot;
  strings:
    $s1 = &quot;scilc.exe&quot; ascii wide
    $s2 = &quot;Scilc.exe&quot; ascii wide
    $s3 = &quot;SCILC.exe&quot; ascii wide
    $s4 = &quot;SCILC.EXE&quot; ascii wide
  condition:
    filesize &lt; 1MB and any of them
}</code></pre>
<pre><code>rule M_Hunting_MicroSCADA_SCILC_Program_Execution_Strings {
  meta:
    author = &quot;Mandiant&quot;
    date = &quot;2023-02-13&quot;
    description = &quot;Searching for files containing strings associated with execution of the MicroSCADA Supervisory Control Implementation Language (SCIL) scilc.exe binary.&quot;
    disclaimer = &quot;This rule is for hunting purposes only and has not been tested to run in a production environment.&quot;
  strings:
    $s = &quot;scilc.exe -do&quot; nocase ascii wide
  condition:
    filesize &lt; 1MB and all of them
}</code></pre>
<pre><code>rule M_Methodology_MicroSCADA_Path_Strings {
  meta:
    author = &quot;Mandiant&quot;
    date = &quot;2023-02-27&quot;
    description = &quot;Searching for files containing references to MicroSCADA filesystem path containing native MicroSCADA binaries and resources.&quot;
    disclaimer = &quot;This rule is for hunting purposes only and has not been tested to run in a production environment.&quot;
  strings:
    $s1 = &quot;sc\\prog\\exec&quot; nocase ascii wide
  condition:
    filesize &lt; 1MB and $s1
}</code></pre>
<pre><code>rule M_Hunting_VBS_Batch_Launcher_Strings {
  meta:
    author = &quot;Mandiant&quot;
    date = &quot;2023-02-13&quot;
    description = &quot;Searching for VBS files used to launch a batch script.&quot;
    disclaimer = &quot;This rule is for hunting purposes only and has not been tested to run in a production environment.&quot;
  strings:
    $s1 = &quot;CreateObject(\&quot;WScript.Shell\&quot;)&quot; ascii
    $s2 = &quot;WshShell.Run chr(34) &amp;&quot; ascii
    $s3 = &quot;&amp; Chr(34), 0&quot; ascii
    $s4 = &quot;Set WshShell = Nothing&quot; ascii
    $s5 = &quot;.bat&quot; ascii
  condition:
    filesize &lt; 400 and all of them
}</code></pre>
<pre><code>rule M_Hunting_APT_Webshell_PHP_NEOREGEORG {
  meta:
    author = &quot;Mandiant&quot;
    description = &quot;Searching for REGEORG webshells.&quot;
    disclaimer = &quot;This rule is for hunting purposes only and has not been tested to run in a production environment.&quot;
  strings:
    $php = &quot;&lt;?php&quot; nocase
    $regeorg1 = {24 72 61 77 50 6f 73 74 44 61 74 61 20 3d 20 66 69 6c 65 5f 67 65 74 5f 63 6f 6e 74 65 6e 74 73 28 22 70 68 70 3a 2f 2f 69 6e 70 75 74 22 29 3b}
    $regeorg2 = {20 24 77 72 69 74 65 42 75 66 66 20 3d 20 24 5f 53 45 53 53 49 4f 4e 5b 24 77 72 69 74 65 62 75 66 5d 3b}
    $regeorg3 = {20 75 73 6c 65 65 70 28 35 30 30 30 30 29 3b}
    $regeorg4 = {20 24 61 72 68 5f 6b 65 79 20 3d 20 70 72 65 67 5f 72 65 70 6c 61 63 65 28 24 72 78 5f 68 74 74 70 2c 20 27 27 2c 20 24 6b 65 79 29 3b}
    $regeorg5 = {20 24 72 75 6e 6e 69 6e 67 20 3d 20 24 5f 53 45 53 53 49 4f 4e 5b 24 72 75 6e 5d 3b}
    $regeorg6 = {20 24 72 78 5f 68 74 74 70 20 3d 20 27 2f 5c 41 48 54 54 50 5f 2f 27 3b}
  condition:
    (5 of ($regeorg*)) and $php
}</code></pre>
<pre><code>rule M_Hunting_GOGETTER_SystemdConfiguration_1 {
  meta:
    author = &quot;Mandiant&quot;
    description = &quot;Searching for Systemd Unit Configuration Files but with some known filenames observed with GOGETTER&quot;
    disclaimer = &quot;This rule is for hunting purposes only and has not been tested to run in a production environment.&quot;
  strings:
    $a1 = &quot;[Install]&quot; ascii fullword
    $a2 = &quot;[Service]&quot; ascii fullword
    $a3 = &quot;[Unit]&quot; ascii fullword
    $v1 = &quot;Description=&quot; ascii
    $v2 = &quot;ExecStart=&quot; ascii
    $v3 = &quot;Restart=&quot; ascii
    $v4 = &quot;RestartSec=&quot; ascii
    $v5 = &quot;WantedBy=&quot; ascii
    $f1 = &quot;fail2ban-settings&quot; ascii fullword
    $f2 = &quot;system-sockets&quot; ascii fullword
    $f3 = &quot;oratredb&quot; ascii fullword
    $f4 = &quot;cloud-online&quot; ascii fullword
  condition:
    filesize &lt; 1MB and (3 of ($a*)) and (3 of ($v*)) and (1 of ($f*))
}</code></pre>
<h2>Appendix D: SIGMA and YARA-L Rules</h2>
<pre><code>title: MicroSCADA SCILC Command Execution
description: Identification of Events or Host Commands that are related to the MicroSCADA SCILC programming language and specifically command execution
author: Mandiant
date: 2023/02/27
logsource:
  product: windows
  service: security
detection:
  selection:
    NewProcessName|endswith:
      - \scilc.exe
    CommandLine|contains:
      - -do
  condition: selection
falsepositives:
  - Red Team
level: High
tags:
  - attack.execution
  - attack.T1059
</code></pre>
<pre><code>rule M_YARAL_Methodology_ProcessExec_SCILC_Do_1 { meta: author = "Mandiant" description = "YARA-L rule hunting for instances of process execution of the scilc.exe process with -do parameters. This is intended to be a hunting rule. Analysts would need to verify the legitimacy of the file passed in the -do parameter." 
severity = "Low" reference = " https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-overview" events: $e.metadata.event_type = "PROCESS_LAUNCH" $e.target.process.command_line = /\s+\-do\s+[^\-\s]+/ nocase $e.target.process.file.full_path = /scilc\.exe$/ nocase condition: $e }</code></pre> <h2>Appendix E: MITRE ATT&amp;CK for ICS Mapping</h2> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div 
style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"><table border="1" style="border-collapse:collapse;width:100%"> <tbody> <tr> <td style="width:12.8342%"> <p><strong>Tactic</strong></p> </td> <td style="width:24.8663%"> <p><strong>Technique</strong></p> </td> <td style="width:62.2995%"> <p><strong>Procedure</strong></p> </td> </tr> <tr> <td style="width:12.8342%"> <p>Initial Access</p> </td> <td style="width:24.8663%"> <p><strong>T0847: </strong>Replication Through Removable Media</p> </td> <td style="width:62.2995%"> <p>Sandworm accessed a hypervisor that hosted a SCADA management instance for the victim’s substation environment and leveraged an ISO image named "a.iso" as a logical CD-ROM inserted into the CD-ROM drive of the SCADA virtual machine. 
The system was configured to permit inserted CD-ROMs to autorun.</p> </td> </tr> <tr> <td style="width:12.8342%"> <p>Execution</p> </td> <td style="width:24.8663%"> <p><strong>T0807: </strong>Command-Line Interface</p> </td> <td style="width:62.2995%"> <p>Sandworm leveraged malicious files that led to at least the following command-line executions:</p> <p> </p> <ul> <li><em>wscript.exe "d:\pack\lun.vbs" </em></li> <li><em>cmd /c "D:\pack\n.bat" </em></li> </ul> <p> </p> <p>Additional fragments recovered include text consistent with Windows command-line execution:</p> <p> </p> <ul> <li><em>C:\sc\prog\exec\scilc.exe -do pack\scil\s1.txt</em></li> </ul> </td> </tr> <tr> <td style="width:12.8342%"> <p>Execution</p> </td> <td style="width:24.8663%"> <p><strong>T0871: </strong>Execution Through API</p> </td> <td style="width:62.2995%"> <p>Sandworm utilized the native MicroSCADA “scilc.exe” binary to execute an external SCIL program via the SCIL-API.</p> </td> </tr> <tr> <td style="width:12.8342%"> <p>Execution</p> </td> <td style="width:24.8663%"> <p><strong>T0853: </strong>Scripting</p> </td> <td style="width:62.2995%"> <p>Sandworm leveraged Visual Basic Scripts, such as “lun.vbs”. 
The contents of “lun.vbs” include the following:</p> <p> </p> <p><em>Set WshShell = CreateObject(“WScript.Shell”)</em></p> <p><em>WshShell.Run chr(34) &amp; “pack\n.bat” &amp; Chr(34), 0</em></p> <p><em>Set WshShell = Nothing</em></p> </td> </tr> <tr> <td style="width:12.8342%"> <p>Evasion</p> </td> <td style="width:24.8663%"> <p><strong>T0872: </strong>Indicator Removal on Host</p> </td> <td style="width:62.2995%"> <p>Sandworm deployed CADDYWIPER malware and deleted files to remove forensic artifacts.</p> </td> </tr> <tr> <td style="width:12.8342%"> <p>Inhibit Response Function</p> </td> <td style="width:24.8663%"> <p><strong>T0809:</strong> Data Destruction</p> </td> <td style="width:62.2995%"> <p>Sandworm deployed CADDYWIPER to wipe all files, any mapped drives, and the physical drive partition of impacted systems. The actor deleted files related to the OT capability. </p> </td> </tr> <tr> <td style="width:12.8342%"> <p>Impair Process Control</p> </td> <td style="width:24.8663%"> <p><strong>T0855: </strong>Unauthorized Command Message</p> </td> <td style="width:62.2995%"> <p>Sandworm utilized “scilc.exe” to execute unauthorized SCIL commands that would have caused the MicroSCADA server to relay the commands to the substation RTUs via either the IEC-60870-5-104 protocol for TCP/IP connections or the IEC-60870-5-101 protocol for serial connections.</p> </td> </tr> <tr> <td style="width:12.8342%"> <p>Impact</p> </td> <td style="width:24.8663%"> <p><strong>T0831:</strong> Manipulation of Control</p> </td> <td style="width:62.2995%"> <p>Sandworm caused a manipulation of control of the power distribution system via unauthorized SCIL commands. 
These were likely commands to open circuit breakers in the victim’s substation environments.</p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div style="color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%;text-align:center"><span style="color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%">Table 6: MITRE ATT&amp;CK for ICS mapping</span></div> <h2>Appendix F: Validation Content</h2> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div 
style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"><table border="1" style="border-collapse:collapse;width:100%"> <tbody> <tr> <td style="width:10.1604%"> <p><strong>VID</strong></p> </td> <td style="width:89.8396%"> <p><strong>Title</strong></p> </td> </tr> <tr> <td style="width:10.1604%"> <p>A106-441</p> </td> <td style="width:89.8396%"> <p>Malicious File Transfer - REGEORG.NEO, Download, Variant #1</p> </td> </tr> <tr> <td style="width:10.1604%"> <p>A106-442</p> </td> <td style="width:89.8396%"> <p>Malicious File Transfer - Sandworm, GOGETTER, Download, Variant #5</p> </td> </tr> <tr> <td style="width:10.1604%"> <p>A106-443</p> </td> <td style="width:89.8396%"> <p>Web Shell Activity - REGEORG.NEO, Initial Connection, Variant #1</p> </td> </tr> <tr> <td style="width:10.1604%"> <p>A106-440</p> </td> <td style="width:89.8396%"> <p>Malicious File Transfer - CADDYWIPER, Download, Variant #6</p> </td> </tr> <tr> <td style="width:10.1604%"> <p>A106-438</p> </td> <td style="width:89.8396%"> <p>Host CLI - Sandworm, GOGETTER, Systemd Service</p> </td> </tr> <tr> <td style="width:10.1604%"> <p>A106-446</p> </td> <td style="width:89.8396%"> <p>Host CLI - Sandworm, CADDYWIPER, Scheduled Task, Variant #2</p> </td> </tr> <tr> <td style="width:10.1604%"> <p>A106-439</p> </td> <td style="width:89.8396%"> <p>Host CLI - 
Sandworm, CADDYWIPER, Scheduled Task, Variant #1</p> </td> </tr> <tr> <td style="width:10.1604%"> <p>A106-437</p> </td> <td style="width:89.8396%"> <p>Protected Theater - CADDYWIPER, Execution, Variant #2</p> </td> </tr> <tr> <td style="width:10.1604%"> <p>S100-280</p> </td> <td style="width:89.8396%"> <p>Malicious Activity Scenario - Sandworm Disrupts Power Using a Novel Attack Against Operational Technology Systems</p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></span></section><section class="kcBhad"><section class="Fabbec"><span class="WrMNjb">Posted in</span><ul class="FzXI4e"><li class="I4B51b"><a href="https://cloud.google.com/blog/topics/threat-intelligence" track-metadata-position="body"track-metadata-eventdetail="cloud.google.com/blog/topics/threat-intelligence"track-metadata-module="tag list"track-metadata-module_headline="posted in">Threat Intelligence</a></li></ul></section></section></div></div></div></div></div><section class="nRhiJb-DARUcf " track-metadata-module="related articles" track-metadata-module_headline="related articles"><div class="nRhiJb-DbgRPb-c5RTEf-ma6Yeb nRhiJb-DbgRPb-wNfPc-cGMI2b"><h5 class="Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-wNfPc nRhiJb-DbgRPb-II5mzb-cGMI2b">Related articles</h5><section class="m9cUGf HGev3 nJD2Qe nRhiJb-ObfsIf"><div class=" QaGyvd nRhiJb-kR0ZEf-OWXEXe-GV1x9e-c5RTEf nRhiJb-kR0ZEf-OWXEXe-GV1x9e-qWD73c-V2iZpe"><div class="mA0uBe"><a href="https://cloud.google.com/blog/topics/threat-intelligence/glassbridge-pro-prc-influence-operations" class="lD2oe" track-name="seeing through a glassbridge: understanding the digital marketing ecosystem spreading pro-prc influence operations"track-type="card"track-metadata-eventdetail="cloud.google.com/blog/topics/threat-intelligence/glassbridge-pro-prc-influence-operations"><div class="AhkbS "><div 
Cloud\",\"logo\":{\"@type\":\"ImageObject\",\"url\":\"https://www.gstatic.com/devrel-devsite/prod/v8bb8fa0afe9a8c3a776ebeb25d421bb443344d789b3607754dfabea418b8c4be/cloud/images/cloud-logo.svg\"}},\"url\":\"https://cloud.google.com/blog/topics/threat-intelligence/sandworm-disrupts-power-ukraine-operational-technology\",\"keywords\":[\"Threat Intelligence\"],\"timeRequired\":\"PT29M\"}\u003c/script\u003e"],["Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology"],null,null,[[null,null,[null,[null,"\u003cp\u003eWritten by: Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler McLellan, Chris Sistrunk\u003c/p\u003e\n\u003chr\u003e"]]],[null,null,[null,[null,"\u003cp dir\u003d\"ltr\"\u003eIn late 2022, Mandiant responded to a disruptive cyber physical incident in which the Russia-linked threat actor Sandworm targeted a Ukrainian critical infrastructure organization. This incident was a multi-event cyber attack that leveraged a novel technique for impacting industrial control systems (ICS) / operational technology (OT). The actor first used OT-level living off the land (LotL) techniques to likely trip the victim\u2019s substation circuit breakers, causing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across Ukraine. Sandworm later conducted a second disruptive event by deploying a new variant of CADDYWIPER in the victim\u2019s IT environment.\u003c/p\u003e\n\u003cp dir\u003d\"ltr\"\u003eThis attack represents the latest evolution in Russia\u2019s cyber physical attack capability, which has been increasingly visible since Russia\u2019s invasion of Ukraine. The techniques leveraged during the incident suggest a growing maturity of Russia\u2019s offensive OT arsenal, including an ability to recognize novel OT threat vectors, develop new capabilities, and leverage different types of OT infrastructure to execute attacks. 
By using LotL techniques, the actor likely decreased the time and resources required to conduct its cyber physical attack. While Mandiant was unable to determine the initial intrusion point, our analysis suggests the OT component of this attack may have been developed in as little as two months. This indicates that the threat actor is likely capable of quickly developing similar capabilities against other OT systems from different original equipment manufacturers (OEMs) leveraged across the world.\u003c/p\u003e\n\u003cp dir\u003d\"ltr\"\u003eWe initially tracked this activity as \u003ca href\u003d\"https://cloud.google.com/blog/topics/threat-intelligence/gru-disruptive-playbook\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003e\u003cu\u003eUNC3810\u003c/u\u003e\u003c/a\u003e before merging the cluster with Sandworm. Sandworm is a full-spectrum threat actor that has carried out espionage, influence and attack operations in support of Russia\u0026#39;s Main Intelligence Directorate (GRU) since at least 2009. The group\u0026#39;s long-standing central focus has been Ukraine, where it has carried out a campaign of disruptive and destructive attacks over the past decade using wiper malware, including during Russia\u0026#39;s re-invasion in 2022. Beyond Ukraine, the group continues to sustain espionage operations that are global in scope and illustrative of the Russian military\u0026#39;s far-reaching ambitions and interests in other regions. Government indictments have linked the group to the Main Center for Special Technologies (also known as GTsST and Military Unit 74455). Given Sandworm\u2019s global threat activity and novel OT capabilities, we urge OT asset owners to take action to mitigate this threat. 
We include a range of detections, hunting and hardening guidance, MITRE ATT\u0026amp;CK mappings and more in the appendices of this blog post.\u003c/p\u003e\n\u003cp dir\u003d\"ltr\"\u003e\u003cem\u003eIf you need support responding to related activity, please contact \u003c/em\u003e\u003ca href\u003d\"https://cloud.google.com/security/consulting/mandiant-incident-response-services\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003e\u003cem\u003e\u003cu\u003eMandiant Consulting\u003c/u\u003e\u003c/em\u003e\u003c/a\u003e\u003cem\u003e. Further analysis of Sandworm threat activity is available as part of \u003c/em\u003e\u003ca href\u003d\"https://cloud.google.com/security/products/threat-intelligence\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003e\u003cem\u003e\u003cu\u003eMandiant Advantage Threat Intelligence\u003c/u\u003e\u003c/em\u003e\u003c/a\u003e\u003cem\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003ch2\u003eIncident Summary\u003c/h2\u003e\n\u003cp dir\u003d\"ltr\"\u003eBased on our analysis, the intrusion began on, or prior to, June 2022 and culminated in two disruptive events on October 10 and 12, 2022. While we were unable to identify the initial access vector into the IT environment, Sandworm gained access to the OT environment through a hypervisor that hosted a supervisory control and data acquisition (SCADA) management instance for the victim\u2019s substation environment. Based on evidence of lateral movement, the attacker potentially had access to the SCADA system for up to three months.\u003c/p\u003e\n\u003cp dir\u003d\"ltr\"\u003eOn October 10, the actor leveraged an optical disc (ISO) image named \u201ca.iso\u201d to execute a native MicroSCADA binary in a likely attempt to execute malicious control commands to switch off substations. 
The ISO file contained at least the following:\u003c/p\u003e\n\u003cul\u003e\n\u003cli dir\u003d\"ltr\"\u003e\u201clun.vbs\u201d, which runs n.bat\u003c/li\u003e\n\u003cli dir\u003d\"ltr\"\u003e\u201cn.bat\u201d, which likely runs the native scilc.exe utility\u003c/li\u003e\n\u003cli dir\u003d\"ltr\"\u003e\u201cs1.txt\u201d, which likely contains the unauthorized MicroSCADA commands\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir\u003d\"ltr\"\u003eBased on a September 23 timestamp of \u201clun.vbs\u201d, there was potentially a two-month time period from when the attacker gained initial access to the SCADA system to when they developed the OT capability. Although we were not able to fully recover the ICS command execution implemented by the binary, we are aware that the attack resulted in an unscheduled power outage. Figure 1 contains a visualization of the execution chain resulting in the disruptive OT event.\u003c/p\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 1: Execution chain of disruptive OT event\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig1_ezxk.max-1400x1400.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig1_ezxk.max-1100x1100.png 1060w, https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig1_ezxk.max-1400x1400.png 1322w"," 1060px, 1322px","https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig1_ezxk.max-1400x1400.png"],null,3]]],[null,null,[null,[null,"\u003cp dir\u003d\"ltr\"\u003eTwo days after the OT event, Sandworm deployed a new variant of CADDYWIPER in the victim\u2019s IT environment to cause further disruption and potentially to remove forensic artifacts. However, we note that the wiper deployment was limited to the victim\u2019s IT environment and did not impact the hypervisor or the SCADA virtual machine. 
This is unusual since the threat actor had removed other forensic artifacts from the SCADA system in a possible attempt to cover their tracks, which would have been enhanced by the wiper activity. This could indicate a lack of coordination across different individuals or operational subteams involved in the attack.\u003c/p\u003e\n\u003cp dir\u003d\"ltr\"\u003eA deeper dive on the attack lifecycle and OT capability can be found in the Technical Analysis section of the blog post.\u003c/p\u003e\n\u003ch2\u003eSandworm\u2019s Threat Activity Reveals Insights into Russia\u2019s Offensive Cyber Capabilities\u003c/h2\u003e\n\u003cp dir\u003d\"ltr\"\u003eSandworm\u2019s substation attack reveals notable insights into Russia\u2019s continued investment in OT-oriented offensive cyber capabilities and overall approach to attacking OT systems. This incident and last year\u2019s INDUSTROYER.V2 incident both show efforts to streamline OT attack capabilities through simplified deployment features. We observed the same efforts in our analysis of a series of documents detailing project requirements to enhance Russian \u003ca href\u003d\"https://cloud.google.com/blog/topics/threat-intelligence/cyber-operations-russian-vulkan\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003e\u003cu\u003eoffensive cyber capabilities\u003c/u\u003e\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir\u003d\"ltr\"\u003eSimilarly, the evolution of suspected GRU-sponsored OT attacks shows a decrease in the scope of disruptive activities per attack. The 2015 and 2016 Ukraine blackout events each featured several discrete disruptive events against the OT environment (e.g., disabling UPS systems, bricking serial-to-ethernet converters, conducting a DoS attack against a SIPROTEC relay, wiping OT systems, etc.). 
By comparison, the \u003ca href\u003d\"https://cloud.google.com/blog/topics/threat-intelligence/industroyer-v2-old-malware-new-tricks\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003e\u003cu\u003eINDUSTROYER.V2 incidents\u003c/u\u003e\u003c/a\u003e lacked many of those same disruptive components and the malware did not feature the wiper module from the original INDUSTROYER. Likewise, Sandworm\u2019s activity in the OT network appears streamlined to only executing unauthorized ICS command messages, with the wiper activity limited to the IT environment. While this shift likely reflects the increased tempo of wartime cyber operations, it also reveals the GRU\u2019s priority objectives in OT attacks.\u003c/p\u003e\n\u003cp dir\u003d\"ltr\"\u003eSandworm\u2019s use of a native \u003ca href\u003d\"https://attack.mitre.org/techniques/T1218/\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003e\u003cu\u003eLiving off the Land binary (LotLBin)\u003c/u\u003e\u003c/a\u003e to disrupt an OT environment shows a significant shift in techniques. Using tools that are more lightweight and generic than those observed in prior OT incidents, the actor likely decreased the time and resources required to conduct a cyber physical attack. LotLBin techniques also make it difficult for defenders to detect threat activity as they need to not only remain vigilant for new files introduced to their environments, but also for modifications to files already present within their installed OT applications and services. 
As outlined in recent research detailing the \u003ca href\u003d\"https://cloud.google.com/blog/topics/threat-intelligence/gru-disruptive-playbook\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003e\u003cu\u003eGRU's disruptive playbook\u003c/u\u003e\u003c/a\u003e, we have observed Sandworm adopting LotL tactics across its wider operations to similarly increase the speed and scale at which it can operate while minimizing the odds of detection.\u003c/p\u003e\n\u003cp\u003eWhile we lack sufficient evidence to assess a possible link, we note that the timing of the attack overlaps with Russian kinetic operations. Sandworm potentially developed the disruptive capability as early as three weeks prior to the OT event, suggesting the attacker may have been waiting for a specific moment to deploy the capability. The eventual execution of the attack \u003ca href\u003d\"https://www.understandingwar.org/backgrounder/russian-offensive-campaign-assessment-october-10\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003e\u003cu\u003ecoincided\u003c/u\u003e\u003c/a\u003e with the start of a multi-day set of coordinated missile strikes on critical infrastructure across \u003ca href\u003d\"https://www.facebook.com/GeneralStaff.ua/posts/pfbid034WNoYsPX22Fd413PLchpSQFwRKVbkdFyn1arb1mgDE77bT6PRTLWSXNN64fXu41Ml\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003e\u003cu\u003eseveral\u003c/u\u003e\u003c/a\u003e Ukrainian cities, including the city in which the victim was located.\u003c/p\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 2: Historical Russia-nexus activity impacting OT\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig2_ebkw.max-1400x1400.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig2_ebkw.max-1100x1100.png 1060w, https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig2_ebkw.max-1400x1400.png 1322w"," 1060px, 
1322px","https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig2_ebkw.max-1400x1400.png"],null,3]]],[null,null,[null,[null,"\u003ch2\u003eOutlook\u003c/h2\u003e\n\u003cp dir\u003d\"ltr\"\u003eThis attack represents an immediate threat to Ukrainian critical infrastructure environments leveraging the MicroSCADA supervisory control system. Given Sandworm's global threat activity and the worldwide deployment of MicroSCADA products, asset owners globally should take action to mitigate their tactics, techniques, and procedures against IT and OT systems. Furthermore, our analysis of the activity suggests Russia would be capable of developing similar capabilities against other SCADA systems and programming languages beyond MicroSCADA and SCIL. We urge asset owners to review and implement the following recommendations to mitigate and detect this activity.\u003c/p\u003e\n\u003ch2\u003eAcknowledgements\u003c/h2\u003e\n\u003cp dir\u003d\"ltr\"\u003eThis research was made possible thanks to the hard work of many people not listed on the byline. Mandiant would like to acknowledge the Security Service of Ukraine (SBU) for their continued partnership and contributions to this report as well as their on-going collaboration. 
This incident response engagement was funded through the UK\u2019s Ukraine Cyber Programme (cross-government Conflict, Stability and Security Fund) and delivered by the United Kingdom\u2019s Foreign, Commonwealth and Development Office.\u003c/p\u003e\n\u003ch2\u003eTechnical Analysis: Sandworm Attack Against Ukrainian Substations\u003c/h2\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 3: Incident targeted attack lifecycle\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig3_yjky.max-900x900.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig3_yjky.max-900x900.png 830w, https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig3_yjky.max-900x900.png 830w"," 830px, 830px","https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig3_yjky.max-900x900.png"],null,3]]],[null,null,[null,[null,"\u003ch3\u003eInitial Compromise and Maintaining Presence\u003c/h3\u003e\n\u003cp dir\u003d\"ltr\"\u003eAt this time, it is unknown how Sandworm gained initial access to the victim. Sandworm was first observed in the victim\u2019s environment in June 2022, when the actor deployed the \u003ca href\u003d\"https://github.com/L-codes/Neo-reGeorg\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003e\u003cu\u003eNeo-REGEORG\u003c/u\u003e\u003c/a\u003e webshell on an internet-facing server. This is consistent with the group\u2019s prior activity scanning and exploiting internet facing servers for initial access. Roughly one month later, Sandworm deployed GOGETTER, which is a tunneler written in Golang that proxies communications for its command and control (C2) server using the open-source library Yamux over TLS.\u003c/p\u003e\n\u003cp dir\u003d\"ltr\"\u003eWhen leveraging GOGETTER, Sandworm utilized a Systemd service unit to maintain persistence on systems. 
A Systemd service unit allows for a program to be run under certain conditions, and in this case, it was used to execute the GOGETTER binary on reboot.\u003c/p\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 4: Sandworm GOGETTER Systemd configuration location\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig4_enek.max-900x900.png",null,null,"https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig4_enek.max-900x900.png"],null,2]]],[null,null,[null,[null,"\u003cp\u003eThe Systemd configuration file leveraged by Sandworm enabled the group to maintain persistence on systems. The value \u201cWantedBy\u201d defines when the program should be run; in the configuration used by Sandworm, the setting \u201cmulti-user.target\u201d means that the program will be run when the host has reached a state when it will accept users logging on, for example after successful power on. This enables GOGETTER to maintain persistence across reboots. 
The \u201cExecStart\u201d value specifies the path of the program to be run, which in this case was GOGETTER.\u003c/p\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 5: Sandworm GOGETTER Systemd configuration\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig5_wwim.max-1200x1200.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig5_wwim.max-1100x1100.png 1060w, https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig5_wwim.max-1200x1200.png 1198w"," 1060px, 1198px","https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig5_wwim.max-1200x1200.png"],null,3]]],[null,null,[null,[null,"\u003cp dir\u003d\"ltr\"\u003eWhen deploying GOGETTER, Mandiant observed Sandworm leverage Systemd service units designed to masquerade as legitimate or seemingly legitimate services.\u003c/p\u003e\n\u003ch3\u003eLateral Movement to SCADA Hypervisor and OT Attack Execution\u003c/h3\u003e\n\u003cp dir\u003d\"ltr\"\u003eSandworm utilized a novel technique to impact the OT environment by executing code within an End-of-Life (EOL) MicroSCADA control system and issuing commands that impacted the victim\u2019s connected substations. Table 1 summarizes the malicious files containing the new OT capability. 
We note that given the attacker\u2019s use of anti-forensics techniques, we were not able to recover all the artifacts from the intrusion.\u003c/p\u003e\n\u003cdiv dir\u003d\"ltr\"\u003e\u003cbr\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv 
style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\u003ctable\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003e\u003cstrong\u003eFilename\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid 
#000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003e\u003cstrong\u003eHash\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003e\u003cstrong\u003ePurpose\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003ea.iso\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003eUnknown\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003eContains attacker\u2019s files\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003elun.vbs\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003e26e2a41f26ab885bf409982cb823ffd1\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003eRuns n.bat\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003en.bat\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003eUnknown\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003eLikely runs native scilc.exe utility\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003es1.txt\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp 
dir\u003d\"ltr\"\u003eUnknown\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003eLikely contains SCIL commands\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003cdiv style\u003d\"color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%;text-align:center\"\u003e\u003cspan style\u003d\"color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%\"\u003eTable 1: Malicious OT files\u003c/span\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003cp dir\u003d\"ltr\"\u003eTo impact the OT systems, Sandworm accessed the hypervisor that hosted a SCADA management instance for the victim\u2019s substation environment and leveraged an ISO image named \"a.iso\" as a virtual CD-ROM. The system was configured to permit inserted CD-ROMs to autorun. The ISO file, at minimum, contained the following files: \"lun.vbs\" and \"n.bat\" as both files are referenced within the D volume and therefore contained within \u201ca.iso\u201d. 
The inserted ISO led to the execution of at least the following command lines:\u003c/p\u003e\n\u003cul\u003e\n\u003cli dir\u003d\"ltr\"\u003ewscript.exe \"d:\\pack\\lun.vbs\"\u003c/li\u003e\n\u003cli dir\u003d\"ltr\"\u003ecmd /c \"D:\\pack\\n.bat\"\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir\u003d\"ltr\"\u003eBased on forensic analysis, we believe the contents of \u201clun.vbs\u201d are the following (Figure 6):\u003c/p\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 6: \u201clun.vbs\u201d contents\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig6_kbSV9R9.max-800x800.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig6_kbSV9R9.max-800x800.png 800w, https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig6_kbSV9R9.max-800x800.png 800w"," 800px, 800px","https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig6_kbSV9R9.max-800x800.png"],null,3]]],[null,null,[null,[null,"\u003cp dir\u003d\"ltr\"\u003eThe contents in Figure 6 indicate that \u201clun.vbs\u201d executes \u201cn.bat\u201d. Additional fragments recovered include text consistent with Windows command line execution (Figure 7). This fragment was identified by analyzing images from the host. Reconstruction of the host\u2019s anti-virus logs indicates \u201clun.vbs\u201d and \u201cn.bat\u201d were executed in close time proximity. 
Because of this and the reference to the attacker\u2019s ISO folder path, we believe that the command fragment in Figure 7 is likely the contents of \u201cn.bat\u201d.\u003c/p\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 7: Command fragment\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig7_zzoHBUq.max-800x800.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig7_zzoHBUq.max-800x800.png 798w, https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig7_zzoHBUq.max-800x800.png 798w"," 798px, 798px","https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig7_zzoHBUq.max-800x800.png"],null,3]]],[null,null,[null,[null,"\u003cp dir\u003d\"ltr\"\u003eThe syntax of the command fragment includes \u201cscilc.exe\u201d, a native utility that is part of the MicroSCADA software suite. The utility is located in the \u201c\\sc\\prog\\exec\u201d folder within the MicroSCADA installation directory, amongst other utilities, libraries, and resources used by MicroSCADA. The impacted MicroSCADA system was running an EOL software version that allowed default access to the SCIL-API. The \u201c-do\u201d flag specifies a SCIL program file to execute (Figure 8). Lastly, the command supplies a file named \u201cs1.txt\u201d in the \"pack\\scil\\\" folder of the attacker's ISO. We assess \"pack\\scil\\s1.txt\" is likely a file containing SCIL commands the attackers executed in MicroSCADA. 
This file was unrecoverable at the time of analysis.\u003c/p\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 8: Scilc.exe usage example\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig8.max-800x800.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig8.max-800x800.png 800w, https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig8.max-800x800.png 800w"," 800px, 800px","https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig8.max-800x800.png"],null,3]]],[null,null,[null,[null,"\u003cp\u003eAccording to Hitachi Energy\u2019s \u003ca href\u003d\"https://datacloud.fun/Data/ABB/MicroSCADA/SYS600_Programming%20Language%20SCIL.pdf\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003e\u003cu\u003edocumentation\u003c/u\u003e\u003c/a\u003e, SCIL is a high-level programming language designed for MicroSCADA control systems and can operate the system and its features (Figure 9). SCIL programs are generally text-based statements that can be composed of commands, objects, variables, calls to predefined functions, and expressions. 
There are several ways in which SCIL programs can be executed, such as an engineer/operator clicking a button or image within the MicroSCADA system, scheduled or process-derived changes, or, in this case, manual execution.\u003c/p\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 9: SCIL overview\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig9_xskj.max-1200x1200.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig9_xskj.max-1100x1100.png 1060w, https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig9_xskj.max-1200x1200.png 1153w"," 1060px, 1153px","https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig9_xskj.max-1200x1200.png"],null,3]]],[null,null,[null,[null,"\u003cp dir\u003d\"ltr\"\u003eWhile we were unable to identify the SCIL commands executed, we believe they were probably commands to open circuit breakers in the victim\u2019s substation environments. The SCIL commands would have caused the MicroSCADA server to relay the commands to the substation RTUs via either the IEC-60870-5-104 protocol for TCP/IP connections or the IEC-60870-5-101 protocol for serial connections.\u003c/p\u003e\n\u003ch3\u003eSandworm Deployed New CADDYWIPER Variant to Further Disrupt the Victim\u2019s IT Environment\u003c/h3\u003e\n\u003cp dir\u003d\"ltr\"\u003eTwo days following the OT activity, Sandworm deployed a new variant of CADDYWIPER throughout the IT environment. This CADDYWIPER variant, compiled in October 2022, contains some minor functionality improvements that allow threat actors to resolve functions at runtime. 
We have observed CADDYWIPER deployed across several verticals in Ukraine, including the government and financial sectors, throughout Russia\u2019s invasion of Ukraine.\u003c/p\u003e\n\u003cp dir\u003d\"ltr\"\u003eCADDYWIPER is a disruptive wiper written in C that is focused on making data irrecoverable and causing maximum damage within an environment. CADDYWIPER will attempt to wipe all files before proceeding to wipe any mapped drives. It will then attempt to wipe the physical drive partition itself. Notably, CADDYWIPER has been the most frequently used \u003ca href\u003d\"https://cloud.google.com/blog/topics/threat-intelligence/gru-rise-telegram-minions\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003e\u003cu\u003edisruptive tool against Ukrainian entities\u003c/u\u003e\u003c/a\u003e during the war and has seen consistent operational use since March 2022, based on public reporting. We have observed Sandworm utilize CADDYWIPER in disruptive operations across multiple intrusions.\u003c/p\u003e\n\u003cp dir\u003d\"ltr\"\u003eSandworm deployed CADDYWIPER in this operation via two Group Policy Objects (GPO) from a Domain Controller using TANKTRAP. TANKTRAP is a utility written in PowerShell that utilizes Windows group policy to spread and launch a wiper. We have observed TANKTRAP being used with other disruptive tools including NEARMISS, SDELETE, PARTYTICKET, and CADDYWIPER. 
These group policies contained instructions to copy a file from a server to the local hard drive and to schedule a task to run the copied file at a particular time.\u003c/p\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 10: Sandworm TANKTRAP GPO 1\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig10.max-800x800.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig10.max-800x800.png 800w, https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig10.max-800x800.png 800w"," 800px, 800px","https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig10.max-800x800.png"],null,2]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 11: Sandworm TANKTRAP GPO 2\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig11.max-800x800.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig11.max-800x800.png 800w, https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig11.max-800x800.png 800w"," 800px, 800px","https://storage.googleapis.com/gweb-cloudblog-publish/images/sandworm-microscada-fig11.max-800x800.png"],null,3]]],[null,null,[null,[null,"\u003cp dir\u003d\"ltr\"\u003eBoth TANKTRAP GPOs deployed CADDYWIPER from a staged directory to systems as msserver.exe. 
CADDYWIPER was then executed as a scheduled task at a predetermined time.\u003c/p\u003e\n\u003cdiv dir\u003d\"ltr\"\u003e\u003cbr\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv 
style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\u003ctable\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003e\u003cstrong\u003eItem\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp 
dir\u003d\"ltr\"\u003e\u003cstrong\u003eValue\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003eTask Name\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003eqAWZe\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003eLegacy Task Name\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003eQcWBX\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003eCommand to Run\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003eC:\\Windows\\msserver.exe\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003eTrigger\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003eRun at 2022-10-12 
16:50:40\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003cdiv style\u003d\"color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%\"\u003e\n\u003cdiv\u003e\n\u003cdiv\u003e\n\u003cdiv\u003eTable 2: Sandworm TANKTRAP GPO 1 Scheduled Task\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003cdiv dir\u003d\"ltr\"\u003e\u003cbr\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv 
style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv 
style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\u003ctable\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003e\u003cstrong\u003eItem\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003e\u003cstrong\u003eValue\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003eTask Name\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003eQJKWt\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003eLegacy Task Name\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003ezJMwY\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003eCommand to Run\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid 
#000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003eC:\\Windows\\msserver.exe\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003eTrigger\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp dir\u003d\"ltr\"\u003eRun at 2022-10-12 17:15:59\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003cdiv style\u003d\"color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%;text-align:left\"\u003eTable 3: Sandworm TANKTRAP GPO 2 Scheduled Task\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003ch2\u003eAppendix A: Discovery and Hardening Guidance\u003c/h2\u003e\n\u003cp dir\u003d\"ltr\"\u003eIn this incident, the attacker leveraged an EOL version of the MicroSCADA supervisory control system. The SCIL-API interface in MicroSCADA has been disabled-by-default since the release of MicroSCADA 9.4 in 2014. If required to continue using the interface, asset owners can refer to MRK511518 MicroSCADA X Cyber Security Deployment Guideline on how to harden the MicroSCADA. 
Please contact the Hitachi Energy MicroSCADA support team to obtain the documentation.\u003c/p\u003e\n\u003cp dir\u003d\"ltr\"\u003eWe note that the MicroSCADA control system became a Hitachi Energy product in 2022 after a divestiture from ABB. Asset owners should reference both vendors in asset inventories and manual asset inspections to determine if the product is present in any OT environments.\u003c/p\u003e\n\u003cp dir\u003d\"ltr\"\u003eHarden MicroSCADA and other SCADA management hosts:\u003c/p\u003e\n\u003cul\u003e\n\u003cli dir\u003d\"ltr\"\u003eUpdate MicroSCADA to supported versions.\u003c/li\u003e\n\u003cli dir\u003d\"ltr\"\u003eConfigure MicroSCADA to require authentication and establish a least privilege design for user permissions.\u003c/li\u003e\n\u003cli dir\u003d\"ltr\"\u003eEstablish robust network segmentation between MicroSCADA hosts and IT networks.\u003c/li\u003e\n\u003cli dir\u003d\"ltr\"\u003eEnable robust application logging for MicroSCADA and aggregate logs to a central location.\u003c/li\u003e\n\u003cli dir\u003d\"ltr\"\u003eIf/where feasible, configure the base system in \u201cread-only\u201d mode and ensure no external SCIL-API programs (such as scilc.exe) are allowed.\u003c/li\u003e\n\u003cli dir\u003d\"ltr\"\u003eConsult with OEMs for installed SCADA software to identify similar methods of code execution within their software and to obtain guidance on mitigations.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir\u003d\"ltr\"\u003eMonitor MicroSCADA systems and other SCADA management systems for:\u003c/p\u003e\n\u003cul\u003e\n\u003cli dir\u003d\"ltr\"\u003eCommand-line execution of MicroSCADA \u201cScilc.exe\u201d binary and other native MicroSCADA binaries that may be leveraged to execute unauthorized SCIL program/commands.\u003c/li\u003e\n\u003cli dir\u003d\"ltr\"\u003eNetwork traffic and process related telemetry to/from host(s) operating the MicroSCADA software. 
Investigate anomalous activity and correlate findings with process telemetry.\u003c/li\u003e\n\u003cli dir\u003d\"ltr\"\u003eFiles transferred or moved onto MicroSCADA hosts.\u003c/li\u003e\n\u003cli dir\u003d\"ltr\"\u003eNewly created files with MicroSCADA or SCIL programming language references.\u003c/li\u003e\n\u003cli dir\u003d\"ltr\"\u003eUnauthorized changes in MicroSCADA system configuration and data.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eAppendix B: Indicators of Compromise (IOCs)\u003c/h2\u003e\n\u003cdiv dir\u003d\"ltr\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv 
style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\u003ctable border\u003d\"1\" style\u003d\"border-collapse:collapse;width:100%\"\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:50%\"\u003e\n\u003cp\u003e\u003cstrong\u003eIndicator\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:50%\"\u003e\n\u003cp\u003e\u003cstrong\u003eDescription\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:50%\"\u003e\n\u003cp\u003e82.180.150[.]197\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:50%\"\u003e\n\u003cp\u003eSource IP address for requests to Neo-REGEORG\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:50%\"\u003e\n\u003cp\u003e176.119.195[.]113\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd 
style\u003d\"width:50%\"\u003e\n\u003cp\u003eSource IP address for requests to Neo-REGEORG\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:50%\"\u003e\n\u003cp\u003e176.119.195[.]115\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:50%\"\u003e\n\u003cp\u003eSource IP address for requests to Neo-REGEORG\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:50%\"\u003e\n\u003cp\u003e185.220.101[.]58\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:50%\"\u003e\n\u003cp\u003eSource IP address for requests to Neo-REGEORG\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:50%\"\u003e\n\u003cp\u003e190.2.145[.]24\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:50%\"\u003e\n\u003cp\u003eC2 for GOGETTER\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:50%\"\u003e\n\u003cp\u003eMozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:50%\"\u003e\n\u003cp\u003eUser agent for requests to Neo-REGEORG\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:50%\"\u003e\n\u003cp\u003eMozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:50%\"\u003e\n\u003cp\u003eUser agent for requests to 
Neo-REGEORG\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow:auto hidden;width:100%;text-align:center\"\u003e\u003cspan style\u003d\"font-size:16px;font-style:italic;color:#5f6368;display:block;margin-top:8px;width:100%\"\u003eTable 4: Network IOCs\u003c/span\u003e\u003c/div\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow:auto hidden;width:100%;text-align:center\"\u003e\u00a0\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003cdiv 
style\u003d\"color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv 
style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\u003ctable border\u003d\"1\" style\u003d\"border-collapse:collapse;width:100%\"\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:21.7914%\"\u003e\n\u003cp\u003e\u003cstrong\u003eFile Name\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:38.1016%\"\u003e\n\u003cp\u003e\u003cstrong\u003eMD5 Hash\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:40.107%\"\u003e\n\u003cp\u003e\u003cstrong\u003eType\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:21.7914%\"\u003e\n\u003cp\u003eFunctions.php\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:38.1016%\"\u003e\n\u003cp\u003e3290cd8f948b8b15a3c53f8e7190f9b0\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:40.107%\"\u003e\n\u003cp\u003eNeo-REGEORG\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:21.7914%\"\u003e\n\u003cp\u003ecloud-online\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:38.1016%\"\u003e\n\u003cp\u003ecea123ebf54b9d4f8811a47134528f12\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd 
style\u003d\"width:40.107%\"\u003e\n\u003cp\u003eGOGETTER\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:21.7914%\"\u003e\n\u003cp\u003elun.vbs\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:38.1016%\"\u003e\n\u003cp\u003e26e2a41f26ab885bf409982cb823ffd1\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:40.107%\"\u003e\n\u003cp\u003eRuns n.bat\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:21.7914%\"\u003e\n\u003cp\u003en.bat\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:38.1016%\"\u003e\n\u003cp\u003eUNKNOWN\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:40.107%\"\u003e\n\u003cp\u003eLikely runs scilc.exe\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:21.7914%\"\u003e\n\u003cp\u003ea.iso\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:38.1016%\"\u003e\n\u003cp\u003eUNKNOWN\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:40.107%\"\u003e\n\u003cp\u003eLikely contains attacker files\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:21.7914%\"\u003e\n\u003cp\u003emsserver.exe / lhh.exe\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:38.1016%\"\u003e\n\u003cp\u003eb2557692a63e119af0a106add54950e6\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:40.107%\"\u003e\n\u003cp\u003eCADDYWIPER\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:21.7914%\"\u003e\n\u003cp\u003eFiles.xml\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:38.1016%\"\u003e\n\u003cp\u003eNot Applicable\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:40.107%\"\u003e\n\u003cp\u003ePart of TANKTRAP Group Policy; File Copy\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd 
style\u003d\"width:21.7914%\"\u003e\n\u003cp\u003eScheduledTasks.xml\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:38.1016%\"\u003e\n\u003cp\u003e61c245a073bdb08158a3c9ad0219dc23\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:40.107%\"\u003e\n\u003cp\u003ePart of TANKTRAP Group Policy; Task\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:21.7914%\"\u003e\n\u003cp\u003eScheduledTasks.xml\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:38.1016%\"\u003e\n\u003cp\u003e82ab2c7e4d52bb2629aff200a4dc6630\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:40.107%\"\u003e\n\u003cp\u003ePart of TANKTRAP Group Policy; Task\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:21.7914%\"\u003e\n\u003cp\u003es1.txt\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:38.1016%\"\u003e\n\u003cp\u003eUNKNOWN\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:40.107%\"\u003e\n\u003cp\u003eLikely contains SCIL commands\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003cdiv style\u003d\"color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%;text-align:center\"\u003e\u003cspan style\u003d\"color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%\"\u003eTable 5: Endpoint 
IOCs\u003c/span\u003e\u003c/div\u003e\n\u003ch2\u003eAppendix C: YARA Rules\u003c/h2\u003e\n\u003cpre\u003e\u003ccode\u003erule M_Methodology_MicroSCADA_SCILC_Strings\r\n{\r\n meta:\r\n author \u003d \u0026quot;Mandiant\u0026quot;\r\n date \u003d \u0026quot;2023-02-13\u0026quot;\r\n description \u003d \u0026quot;Searching for files containing strings associated with the MicroSCADA Supervisory Control Implementation Language (SCIL) scilc.exe binary.\u0026quot; \r\n disclaimer \u003d \u0026quot;This rule is for hunting purposes only and has not been tested to run in a production environment.\u0026quot;\r\n strings:\r\n $s1 \u003d \u0026quot;scilc.exe\u0026quot; ascii wide\r\n $s2 \u003d \u0026quot;Scilc.exe\u0026quot; ascii wide\r\n $s3 \u003d \u0026quot;SCILC.exe\u0026quot; ascii wide\r\n $s4 \u003d \u0026quot;SCILC.EXE\u0026quot; ascii wide\r\n condition:\r\n filesize \u0026lt; 1MB and\r\n any of them\r\n}\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode\u003erule M_Hunting_MicroSCADA_SCILC_Program_Execution_Strings\r\n{\r\n meta:\r\n author \u003d \u0026quot;Mandiant\u0026quot;\r\n date \u003d \u0026quot;2023-02-13\u0026quot;\r\n description \u003d \u0026quot;Searching for files containing strings associated with execution of the MicroSCADA Supervisory Control Implementation Language (SCIL) scilc.exe binary.\u0026quot; \r\n disclaimer \u003d \u0026quot;This rule is for hunting purposes only and has not been tested to run in a production environment.\u0026quot;\r\n\r\n strings:\r\n $s \u003d \u0026quot;scilc.exe -do\u0026quot; nocase ascii wide\r\n \r\n condition:\r\n filesize \u0026lt; 1MB and \r\n all of them\r\n}\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode\u003erule M_Methodology_MicroSCADA_Path_Strings\r\n{\r\n meta:\r\n author \u003d \u0026quot;Mandiant\u0026quot;\r\n date \u003d \u0026quot;2023-02-27\u0026quot;\r\n description \u003d \u0026quot;Searching for files containing references to MicroSCADA filesystem path containing native 
MicroSCADA binaries and resources.\u0026quot; \r\n disclaimer \u003d \u0026quot;This rule is for hunting purposes only and has not been tested to run in a production environment.\u0026quot;\r\n strings:\r\n $s1 \u003d \u0026quot;sc\\\\prog\\\\exec\u0026quot; nocase ascii wide\r\n\r\n condition:\r\n filesize \u0026lt; 1MB and\r\n $s1\r\n}\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode\u003erule M_Hunting_VBS_Batch_Launcher_Strings\r\n{\r\n meta:\r\n author \u003d \u0026quot;Mandiant\u0026quot;\r\n date \u003d \u0026quot;2023-02-13\u0026quot;\r\n description \u003d \u0026quot;Searching for VBS files used to launch a batch script.\u0026quot;\r\n disclaimer \u003d \u0026quot;This rule is for hunting purposes only and has not been tested to run in a production environment.\u0026quot;\r\n strings:\r\n $s1 \u003d \u0026quot;CreateObject(\\\u0026quot;WScript.Shell\\\u0026quot;)\u0026quot; ascii\r\n $s2 \u003d \u0026quot;WshShell.Run chr(34) \u0026amp;\u0026quot; ascii\r\n $s3 \u003d \u0026quot;\u0026amp; Chr(34), 0\u0026quot; ascii\r\n $s4 \u003d \u0026quot;Set WshShell \u003d Nothing\u0026quot; ascii\r\n $s5 \u003d \u0026quot;.bat\u0026quot; ascii\r\n condition:\r\n filesize \u0026lt; 400 and \r\n all of them\r\n}\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode\u003erule M_Hunting_APT_Webshell_PHP_NEOREGEORG \r\n{\r\n meta:\r\n author \u003d \u0026quot;Mandiant\u0026quot;\r\n description \u003d \u0026quot;Searching for REGEORG webshells.\u0026quot;\r\n disclaimer \u003d \u0026quot;This rule is for hunting purposes only and has not been tested to run in a production environment.\u0026quot;\r\n strings:\r\n $php \u003d \u0026quot;\u0026lt;?php\u0026quot; nocase\r\n $regeorg1 \u003d {24 72 61 77 50 6f 73 74 44 61 74 61 20 3d 20 66 69 6c 65 5f 67 65 74 5f 63 6f 6e 74 65 6e 74 73 28 22 70 68 70 3a 2f 2f 69 6e 70 75 74 22 29 3b}\r\n $regeorg2 \u003d {20 24 77 72 69 74 65 42 75 66 66 20 3d 20 24 5f 53 45 53 53 49 4f 4e 5b 24 77 72 69 74 65 62 75 66 5d 
3b}\r\n $regeorg3 \u003d {20 75 73 6c 65 65 70 28 35 30 30 30 30 29 3b}\r\n $regeorg4 \u003d {20 24 61 72 68 5f 6b 65 79 20 3d 20 70 72 65 67 5f 72 65 70 6c 61 63 65 28 24 72 78 5f 68 74 74 70 2c 20 27 27 2c 20 24 6b 65 79 29 3b}\r\n $regeorg5 \u003d {20 24 72 75 6e 6e 69 6e 67 20 3d 20 24 5f 53 45 53 53 49 4f 4e 5b 24 72 75 6e 5d 3b}\r\n $regeorg6 \u003d {20 24 72 78 5f 68 74 74 70 20 3d 20 27 2f 5c 41 48 54 54 50 5f 2f 27 3b}\r\n condition:\r\n (5 of ($regeorg*)) and\r\n $php\r\n}\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode\u003erule M_Hunting_GOGETTER_SystemdConfiguration_1\r\n{\r\n meta:\r\n author \u003d \u0026quot;Mandiant\u0026quot;\r\n description \u003d \u0026quot;Searching for Systemd Unit Configuration Files but with some known filenames observed with GOGETTER\u0026quot;\r\n disclaimer \u003d \u0026quot;This rule is for hunting purposes only and has not been tested to run in a production environment.\u0026quot;\r\n\r\n strings:\r\n $a1 \u003d \u0026quot;[Install]\u0026quot; ascii fullword\r\n $a2 \u003d \u0026quot;[Service]\u0026quot; ascii fullword\r\n $a3 \u003d \u0026quot;[Unit]\u0026quot; ascii fullword\r\n $v1 \u003d \u0026quot;Description\u003d\u0026quot; ascii \r\n $v2 \u003d \u0026quot;ExecStart\u003d\u0026quot; ascii \r\n $v3 \u003d \u0026quot;Restart\u003d\u0026quot; ascii \r\n $v4 \u003d \u0026quot;RestartSec\u003d\u0026quot; ascii \r\n $v5 \u003d \u0026quot;WantedBy\u003d\u0026quot; ascii \r\n $f1 \u003d \u0026quot;fail2ban-settings\u0026quot; ascii fullword\r\n $f2 \u003d \u0026quot;system-sockets\u0026quot; ascii fullword\r\n $f3 \u003d \u0026quot;oratredb\u0026quot; ascii fullword\r\n $f4 \u003d \u0026quot;cloud-online\u0026quot; ascii fullword\r\n\r\n condition:\r\n filesize \u0026lt; 1MB and (3 of ($a*)) and (3 of ($v*)) and (1 of ($f*))\r\n}\u003c/code\u003e\u003c/pre\u003e\n\u003ch2\u003eAppendix D: SIGMA and YARA-L Rules\u003c/h2\u003e\n\u003cpre\u003e\u003ccode\u003etitle: MicroSCADA SCILC Command 
Execution\r\ndescription: Identification of Events or Host Commands that are related to the MicroSCADA SCILC programming language and specifically command execution\r\nauthor: Mandiant\r\ndate: 2023/02/27\r\nlogsource:\r\n product: windows\r\n service: security\r\ndetection:\r\n selection:\r\n NewProcessName|endswith:\r\n - \\scilc.exe\r\n CommandLine|contains:\r\n - -do\r\n condition: selection\r\nfalsepositives:\r\n - Red Team\r\nlevel: High\r\ntags:\r\n - attack.execution\r\n - attack.T1059\r\n\u003c/code\u003e\u003c/pre\u003e\n\u003cpre\u003e\u003ccode\u003erule M_YARAL_Methodology_ProcessExec_SCILC_Do_1\r\n{\r\n meta:\r\n author \u003d \"Mandiant\"\r\n description \u003d \"YARA-L rule hunting for instances of process execution of the scilc.exe process with -do parameters. This is intended to be a hunting rule. Analysts would need to verify the legitimacy of the file passed in the -do parameter.\"\r\n severity \u003d \"Low\"\r\n reference \u003d \" https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-overview\"\r\n \r\n events:\r\n $e.metadata.event_type \u003d \"PROCESS_LAUNCH\"\r\n $e.target.process.command_line \u003d /\\s+\\-do\\s+[^\\-\\s]+/ nocase\r\n $e.target.process.file.full_path \u003d /scilc\\.exe$/ nocase\r\n\r\n condition:\r\n $e\r\n}\u003c/code\u003e\u003c/pre\u003e\n\u003ch2\u003eAppendix E: MITRE ATT\u0026amp;CK for ICS Mapping\u003c/h2\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv 
style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv 
style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\u003ctable border\u003d\"1\" style\u003d\"border-collapse:collapse;width:100%\"\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:12.8342%\"\u003e\n\u003cp\u003e\u003cstrong\u003eTactic\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:24.8663%\"\u003e\n\u003cp\u003e\u003cstrong\u003eTechnique\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:62.2995%\"\u003e\n\u003cp\u003e\u003cstrong\u003eProcedure\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:12.8342%\"\u003e\n\u003cp\u003eInitial Access\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:24.8663%\"\u003e\n\u003cp\u003e\u003cstrong\u003eT0847:\u00a0\u003c/strong\u003eReplication Through Removable Media\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:62.2995%\"\u003e\n\u003cp\u003eSandworm accessed a hypervisor that hosted a SCADA management instance for the victim\u2019s substation environment and leveraged an ISO image named \"a.iso\" as a logical CD-ROM inserted into the CD-ROM drive of the SCADA virtual machine. 
The system was configured to permit inserted CD-ROMs to autorun.\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:12.8342%\"\u003e\n\u003cp\u003eExecution\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:24.8663%\"\u003e\n\u003cp\u003e\u003cstrong\u003eT0807:\u00a0\u003c/strong\u003eCommand-Line Interface\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:62.2995%\"\u003e\n\u003cp\u003eSandworm leveraged malicious files that led to at least the following command lines execution:\u00a0\u003c/p\u003e\n\u003cp\u003e\u00a0\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cem\u003ewscript.exe \"d:\\pack\\lun.vbs\"\u00a0\u003c/em\u003e\u003c/li\u003e\n\u003cli\u003e\u003cem\u003ecmd /c \"D:\\pack\\n.bat\"\u00a0\u003c/em\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u00a0\u003c/p\u003e\n\u003cp\u003eAdditional fragments recovered include text consistent with Windows command line execution:\u003c/p\u003e\n\u003cp\u003e\u00a0\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cem\u003eC:\\sc\\prog\\exec\\scilc.exe -do pack\\scil\\s1.txt\u003c/em\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:12.8342%\"\u003e\n\u003cp\u003eExecution\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:24.8663%\"\u003e\n\u003cp\u003e\u003cstrong\u003eT0871:\u00a0\u003c/strong\u003eExecution Through API\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:62.2995%\"\u003e\n\u003cp\u003eSandworm utilized the native MicroSCADA \u201cscilc.exe\u201d binary to execute an external SCIL program via the SCIL-API.\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:12.8342%\"\u003e\n\u003cp\u003eExecution\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:24.8663%\"\u003e\n\u003cp\u003e\u003cstrong\u003eT0853:\u00a0\u003c/strong\u003eScripting\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd 
style\u003d\"width:62.2995%\"\u003e\n\u003cp\u003eSandworm leveraged Visual Basic Scripts, such as \u201clun.vbs\u201d. The contents of \u201clun.vbs\u201d include the following:\u003c/p\u003e\n\u003cp\u003e\u00a0\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eSet WshShell \u003d CreateObject(\u201cWScript.Shell\u201d)\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eWshShell.Run chr(34) \u0026amp; \u201cpack\\n.bat\u201d \u0026amp; Chr(34), 0\u003c/em\u003e\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eSet WshShell \u003d Nothing\u003c/em\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:12.8342%\"\u003e\n\u003cp\u003eEvasion\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:24.8663%\"\u003e\n\u003cp\u003e\u003cstrong\u003eT0872:\u00a0\u003c/strong\u003eIndicator Removal on Host\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:62.2995%\"\u003e\n\u003cp\u003eSandworm deployed CADDYWIPER malware and deleted files to remove forensic artifacts.\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:12.8342%\"\u003e\n\u003cp\u003eInhibit Response Function\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:24.8663%\"\u003e\n\u003cp\u003e\u003cstrong\u003eT0809:\u003c/strong\u003e\u00a0Data Destruction\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:62.2995%\"\u003e\n\u003cp\u003eSandworm deployed CADDYWIPER to wipe all files, any mapped drives, and the physical drive partition of impacted systems. 
The actor deleted files related to the OT capability.\u00a0\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:12.8342%\"\u003e\n\u003cp\u003eImpair Process Control\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:24.8663%\"\u003e\n\u003cp\u003e\u003cstrong\u003eT0855:\u00a0\u003c/strong\u003eUnauthorized Command Message\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:62.2995%\"\u003e\n\u003cp\u003eSandworm utilized \u201cscilc.exe\u201d to execute unauthorized SCIL commands that would have caused the MicroSCADA server to relay the commands to the substation RTUs via either the IEC-60870-5-104 protocol for TCP/IP connections or the IEC-60870-5-101 protocol for serial connections.\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:12.8342%\"\u003e\n\u003cp\u003eImpact\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:24.8663%\"\u003e\n\u003cp\u003e\u003cstrong\u003eT0831:\u003c/strong\u003e\u00a0Manipulation of Control\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:62.2995%\"\u003e\n\u003cp\u003eSandworm caused a manipulation of control of the power distribution system via unauthorized SCIL commands. 
These were likely commands to open circuit breakers in the victim\u2019s substation environments.\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003cdiv style\u003d\"color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%;text-align:center\"\u003e\u003cspan style\u003d\"color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%\"\u003eTable 6: MITRE ATT\u0026amp;CK for ICS mapping\u003c/span\u003e\u003c/div\u003e\n\u003ch2\u003eAppendix F: Validation Content\u003c/h2\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv 
style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\u003ctable border\u003d\"1\" style\u003d\"border-collapse:collapse;width:100%\"\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:10.1604%\"\u003e\n\u003cp\u003e\u003cstrong\u003eVID\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd 
style\u003d\"width:89.8396%\"\u003e\n\u003cp\u003e\u003cstrong\u003eTitle\u003c/strong\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:10.1604%\"\u003e\n\u003cp\u003eA106-441\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:89.8396%\"\u003e\n\u003cp\u003eMalicious File Transfer - REGEORG.NEO, Download, Variant #1\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:10.1604%\"\u003e\n\u003cp\u003eA106-442\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:89.8396%\"\u003e\n\u003cp\u003eMalicious File Transfer - Sandworm, GOGETTER, Download, Variant #5\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:10.1604%\"\u003e\n\u003cp\u003eA106-443\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:89.8396%\"\u003e\n\u003cp\u003eWeb Shell Activity - REGEORG.NEO, Initial Connection, Variant #1\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:10.1604%\"\u003e\n\u003cp\u003eA106-440\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:89.8396%\"\u003e\n\u003cp\u003eMalicious File Transfer - CADDYWIPER, Download, Variant #6\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:10.1604%\"\u003e\n\u003cp\u003eA106-438\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:89.8396%\"\u003e\n\u003cp\u003eHost CLI - Sandworm, GOGETTER, Systemd Service\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:10.1604%\"\u003e\n\u003cp\u003eA106-446\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:89.8396%\"\u003e\n\u003cp\u003eHost CLI - Sandworm, CADDYWIPER, Scheduled Task, Variant #2\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:10.1604%\"\u003e\n\u003cp\u003eA106-439\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd 
style\u003d\"width:89.8396%\"\u003e\n\u003cp\u003eHost CLI - Sandworm, CADDYWIPER, Scheduled Task, Variant #1\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:10.1604%\"\u003e\n\u003cp\u003eA106-437\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:89.8396%\"\u003e\n\u003cp\u003eProtected Theater - CADDYWIPER, Execution, Variant #2\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"width:10.1604%\"\u003e\n\u003cp\u003eS100-280\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"width:89.8396%\"\u003e\n\u003cp\u003eMalicious Activity Scenario - Sandworm Disrupts Power Using a Novel Attack Against Operational Technology Systems\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e"]]]],[["Threat Intelligence","Seeing Through a GLASSBRIDGE: Understanding the Digital Marketing Ecosystem Spreading Pro-PRC Influence Operations","GLASSBRIDGE is an umbrella group of four different companies that operate networks of inauthentic news sites and newswire services.",["https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-400x400.png 324w, https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png 648w"," 324px, 
648px","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png"],null,6,null,"https://cloud.google.com/blog/topics/threat-intelligence/glassbridge-pro-prc-influence-operations",null,1,[["Google Threat Intelligence Group "]],null,"55620"],["Threat Intelligence","Empowering Gemini for Malware Analysis with Code Interpreter and Google Threat Intelligence","When used for malware analysis, Gemini now has capabilities to address obfuscation, and obtain insights on IOCs.",["https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-400x400.png 324w, https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png 648w"," 324px, 648px","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png"],null,6,null,"https://cloud.google.com/blog/topics/threat-intelligence/gemini-malware-analysis-code-interpreter-threat-intelligence",null,1,[["Bernardo Quintero"],["Andr\u00e9s Ram\u00edrez"]],null,"55597"],["Threat Intelligence","Pirates in the Data Sea: AI Enhancing Your Adversarial Emulation","Learn how Mandiant Red Team is using Gemini and LLMs for adversarial emulation and defense.",["https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-400x400.png 324w, https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png 648w"," 324px, 
648px","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png"],null,25,null,"https://cloud.google.com/blog/topics/threat-intelligence/ai-enhancing-your-adversarial-emulation",null,1,[["Mandiant "]],null,"55578"],["Threat Intelligence","Emerging Threats: Cybersecurity Forecast 2025","The Cybersecurity Forecast 2025 is here to arm security professionals with knowledge about the year ahead.",["https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-400x400.png 324w, https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png 648w"," 324px, 648px","https://storage.googleapis.com/gweb-cloudblog-publish/images/threat-intelligence-default-banner-simplifie.max-700x700.png"],null,3,null,"https://cloud.google.com/blog/topics/threat-intelligence/cybersecurity-forecast-2025",null,1,[["Adam Greenberg","Content Marketing Manager, Mandiant"]],null,"55565"]],null,"Threat Intelligence",null,[["Threat Intelligence","https://cloud.google.com/blog/topics/threat-intelligence","threat-intelligence"]],null,null,29], sideChannel: {}});</script><script id="wiz_jd" nonce="7I0sTsvUKABcH_D7zfn1tw">if (window['_wjdc']) {const wjd = {}; window['_wjdc'](wjd); delete window['_wjdc'];}</script><script aria-hidden="true" id="WIZ-footer" nonce="7I0sTsvUKABcH_D7zfn1tw">window.wiz_progress&&window.wiz_progress(); window.stopScanForCss&&window.stopScanForCss(); ccTick('bl');</script></body></html><footer id="ZCHFDb"><footer class="nRhiJb-RWrDld nRhiJb-yePe5c QJnbF" jscontroller="NsSboe" track-metadata-module="footer"><h3 class="nRhiJb-VqCwd-L6cTce">Footer Links</h3><section class="nRhiJb-haF9Wb r2W5Od"><section class="nRhiJb-DX2B6"><div class="nRhiJb-j5y3u"><h4 class="nRhiJb-BkAck 
track-name="privacy"track-type="footer link"track-metadata-position="footer"track-metadata-eventdetail="myaccount.google.com/privacypolicy?hl=en-US"track-metadata-module="footer">Privacy</a></li><li class="glue-footer__global-links-list-item"><a class="nRhiJb-Fx4vi " href="https://myaccount.google.com/termsofservice?hl=en-US" target="_blank" track-name="terms"track-type="footer link"track-metadata-position="footer"track-metadata-eventdetail="myaccount.google.com/termsofservice?hl=en-US"track-metadata-module="footer">Terms</a></li><li aria-hidden="true" class="glue-footer__global-links-list-item"><a aria-hidden="true" role="button" tabindex="0" class="nRhiJb-Fx4vi glue-footer__link glue-cookie-notification-bar-control" href="#" target="_blank" track-name="cookies management controls"track-type="footer link"track-metadata-position="footer"track-metadata-eventdetail="#"track-metadata-module="footer">Cookies management controls</a></li></ul><ul class="nRhiJb-hlZHHf-PLDbbf nRhiJb-hlZHHf-PLDbbf-OWXEXe-hOedQd nRhiJb-di8rgd-ZGNLv qkxr1" role="list"><li class="glue-footer__global-links-list-item nRhiJb-hlZHHf-PLDbbf-rymPhb-ibnC6b-OWXEXe-hOedQd"><a class="nRhiJb-Fx4vi" href="https://support.google.com" target="_blank" track-name="help"track-type="footer link"track-metadata-position="footer"track-metadata-eventdetail="support.google.com"track-metadata-module="footer"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-xgZe3c nRhiJb-Bz112c-OWXEXe-yePe5c-h9d3hd" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M12 2C6.48 2 2 6.48 2 12s4.48 10 10 10 10-4.48 10-10S17.52 2 12 2zm1 17h-2v-2h2v2zm2.07-7.75l-.9.92C13.45 12.9 13 13.5 13 15h-2v-.5c0-1.1.45-2.1 1.17-2.83l1.24-1.26c.37-.36.59-.86.59-1.41 0-1.1-.9-2-2-2s-2 .9-2 2H8c0-2.21 1.79-4 4-4s4 1.79 4 4c0 .88-.36 1.68-.93 2.25z"></path></svg>Help</a></li><li class="glue-footer__global-links-list-item nRhiJb-hlZHHf-PLDbbf-rymPhb-ibnC6b-OWXEXe-hOedQd"><select jsaction="change:xU0iy" aria-label="Change language" 
class="nRhiJb-CL4aqd-j4gsHd"><option value="" selected disabled hidden>Language</option><option value="en" selected>‪English‬</option><option value="de">‪Deutsch‬</option><option value="fr">‪Français‬</option><option value="ko">‪한국어‬</option><option value="ja">‪日本語‬</option></select></li></ul></section></footer></footer>

Pages: 1 2 3 4 5 6 7 8 9 10