ELECTRUM Targeted Ukrainian Electric Entity Using Custom Tools and CaddyWiper Malware, October 2022
ID: 8f9b431b-8427-5b76-a507-61b901aa0b51
STIX ID: report--8f9b431b-8427-5b76-a507-61b901aa0b51
Feed Name: Dragos Blog
Executive summary: Dragos and Mandiant reporting describes ELECTRUM (linked to Sandworm) operations against Ukrainian electric substations in 2022 that involved compromise of an end-of-life MicroSCADA hypervisor, long dwell times, and deployment of destructive tooling including a CaddyWiper variant and Industroyer2. The initial access vector remains unknown, but investigators highlight the importance of OT-specific detection and proactive threat hunting (monitoring file transfers into OT, unexpected script execution, and anomalous SCADA commands) to detect similar adversary activity.
