Group: Sandworm Team, ELECTRUM, ...

Group
ID G0007
Associated Groups Sandworm Team, ELECTRUM, Telebots, IRON VIKING, Quedagh, VOODOO BEAR
External Contributors Dragos Threat Intelligence

Sandworm Team is a destructive threat group that has been attributed to Russian GRU Unit 74455. [1] Sandworm Team's most notable attacks include the 2015 and 2016 targeting of the Ukrainian electrical sector and the 2017 NotPetya attacks. [2][3] Sandworm Team has been active since at least 2009 and has been linked to the Industroyer, BlackEnergy 3, and KillDisk malware. [1][4]

Associated Group Descriptions

  • Sandworm Team [5]
  • ELECTRUM [2]
  • Telebots [6]
  • IRON VIKING [7]
  • Quedagh [8][9]
  • VOODOO BEAR [10]

Techniques Used

  • Device Restart/Shutdown - In the 2015 attack on the Ukrainian power grid, Sandworm Team scheduled disconnects of uninterruptible power supply (UPS) systems so that when power was cut to the substations, the devices would shut down and service could not be recovered. [11]
  • Spearphishing Attachment - In the Ukraine 2015 incident, Sandworm Team sent spearphishing attachments containing malware to three energy distribution companies to gain access to victim systems. [1]
  • Remote Services - In the Ukraine 2015 incident, Sandworm Team used native remote access tools to directly interface with operator workstations and control ICS components. [11]
  • Unauthorized Command Message - In the Ukraine 2015 incident, Sandworm Team issued unauthorized commands to substation breakers after gaining control of operator workstations and accessing a distribution management system (DMS) client application. [11]
  • Valid Accounts - Sandworm Team used valid accounts to move laterally through VPN connections and dual-homed systems. [2][16] In the Ukraine 2015 incident, Sandworm Team used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications. [11]
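The Valid Accounts and Remote Services entries above describe a chain that a defender can correlate: a legitimate credential authenticates to the VPN, then the same account opens a remote-interactive session onto an HMI or DMS client workstation shortly afterwards. The following is an added detection example, not code from the ATT&CK page or from any referenced report. The pipe-delimited log format, host names, account names, IP addresses, and the 30-minute correlation window are all constructed assumptions for illustration; adapt the parser to your VPN and Windows 4624 event sources.

```python
"""
Added example (not from the ATT&CK page): correlate VPN logons with
subsequent remote-interactive logons onto HMI/DMS workstations, the
Valid Accounts -> Remote Services chain described for the 2015 incident.
Log format, hosts, accounts and addresses are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp|source|event|user|src_ip|dst_host"
# LOGON_TYPE_10 stands for a Windows 4624 RemoteInteractive (RDP) logon,
# LOGON_TYPE_2 for a local console logon.
SAMPLE_LOGS = """\
2015-12-23T15:02:11|vpn|VPN_LOGON|oblenergo\\oper01|203.0.113.7|vpn-gw
2015-12-23T15:06:40|windows|LOGON_TYPE_10|oblenergo\\oper01|10.10.5.23|HMI-WS-02
2015-12-23T15:09:05|windows|LOGON_TYPE_10|oblenergo\\oper01|10.10.5.23|DMS-CLIENT-01
2015-12-23T09:15:00|vpn|VPN_LOGON|oblenergo\\admin7|198.51.100.4|vpn-gw
2015-12-23T09:16:30|windows|LOGON_TYPE_10|oblenergo\\admin7|10.10.5.41|FILE-SRV-01
2015-12-23T15:30:00|windows|LOGON_TYPE_2|oblenergo\\oper02|10.10.5.50|HMI-WS-05
"""

# Assumed asset inventory: hosts that run HMI or DMS client software and
# should only ever see console logons from operators on site.
HMI_HOSTS = {"HMI-WS-02", "HMI-WS-05", "DMS-CLIENT-01"}
REMOTE_LOGON_EVENTS = {"LOGON_TYPE_10"}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse_logs(text):
    """Parse the constructed pipe-delimited format into sorted event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, source, event, user, src_ip, dst_host = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "source": source,
            "event": event,
            "user": user.lower(),  # normalise DOMAIN\\user case before matching
            "src_ip": src_ip,
            "dst_host": dst_host,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_vpn_to_hmi_chains(events, window=WINDOW):
    """
    Return (user, vpn_logon_ts, remote_logon_ts, dst_host) for every
    remote-interactive logon onto an HMI/DMS host that follows a VPN logon
    by the same account within `window`. Console logons and remote logons
    to non-HMI hosts are ignored, so normal IT activity does not alert.
    """
    vpn_logons = defaultdict(list)
    for e in events:
        if e["event"] == "VPN_LOGON":
            vpn_logons[e["user"]].append(e["ts"])

    alerts = []
    for e in events:
        if e["event"] not in REMOTE_LOGON_EVENTS or e["dst_host"] not in HMI_HOSTS:
            continue
        for vpn_ts in vpn_logons.get(e["user"], []):
            if vpn_ts <= e["ts"] <= vpn_ts + window:
                alerts.append((e["user"], vpn_ts.isoformat(),
                               e["ts"].isoformat(), e["dst_host"]))
                break
    return alerts


if __name__ == "__main__":
    for alert in find_vpn_to_hmi_chains(parse_logs(SAMPLE_LOGS)):
        print("VPN -> HMI remote logon chain:", alert)
```

On the constructed sample, only the two `oper01` sessions onto `HMI-WS-02` and `DMS-CLIENT-01` are reported; the `admin7` VPN session lands on a file server and the `oper02` logon is a local console logon, so neither matches. In a real deployment the host list comes from the OT asset inventory and the rule should also flag remote-interactive logons to HMI hosts that have no preceding VPN logon at all, since the same chain can start from a dual-homed system rather than the VPN gateway.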

Software

References