Group: Sandworm Team, ELECTRUM, ...
|Associated Groups|Sandworm Team, ELECTRUM, Telebots, IRON VIKING, Quedagh, VOODOO BEAR|
|External Contributors|Dragos Threat Intelligence|
Sandworm Team is a destructive threat group that has been attributed to Russian GRU Unit 74455.[1] Sandworm Team's most notable attacks include the 2015 and 2016 targeting of the Ukrainian electrical sector and the 2017 NotPetya attacks.[2][3] Sandworm Team has been active since at least 2009 and has been linked to the Industroyer, BlackEnergy 3, and KillDisk malware.[1][4]
Associated Group Descriptions
- Block Command Message - In the Ukraine 2015 Incident, Sandworm Team blocked command messages by using malicious firmware to render communication devices inoperable.[11]
- Block Reporting Message - In the Ukraine 2015 Incident, Sandworm Team blocked reporting messages by using malicious firmware to render communication devices inoperable.[11]
- Device Restart/Shutdown - In the 2015 attack on the Ukrainian power grid, Sandworm Team scheduled disconnects of uninterruptible power supply (UPS) systems so that when power was disconnected from the substations, the devices would shut down and service could not be recovered.[11]
- Exploit Public-Facing Application - Sandworm Team actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet.[12][13]
- External Remote Services - In the Ukraine 2015 Incident, Sandworm Team harvested VPN worker credentials and used them to remotely log into control system networks.[11][14][15][5]
- Graphical User Interface - In the Ukraine 2015 Incident, Sandworm Team utilized HMI GUIs in the SCADA environment to open breakers.[11]
- Spearphishing Attachment - In the Ukraine 2015 Incident, Sandworm Team sent spearphishing attachments containing malware to three energy distribution companies to gain access to victim systems.[1]
- System Firmware - In the Ukraine 2015 Incident, Sandworm Team developed and used malicious firmware to render communication devices inoperable.[11]
- Remote Services - In the Ukraine 2015 Incident, Sandworm Team used native remote access tools to directly interface with operator workstations and control ICS components.[11]
- Unauthorized Command Message - In the Ukraine 2015 Incident, Sandworm Team issued unauthorized commands to substation breakers after gaining control of operator workstations and accessing a distribution management system (DMS) client application.[11]
- Valid Accounts - Sandworm Team used valid accounts to move laterally through VPN connections and dual-homed systems.[2][16] In the Ukraine 2015 Incident, Sandworm Team used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications.[11]
- Connection Proxy - Sandworm Team establishes an internal proxy prior to the installation of backdoors within the network.[4]
- Scripting - Sandworm Team utilized VBS and batch scripts for file movement and as wrappers for PowerShell execution.[16]
- Command-Line Interface - Sandworm Team uses the MS-SQL server `xp_cmdshell` command and PowerShell to execute commands.[16]
- Lateral Tool Transfer - Sandworm Team used a VBS script to facilitate lateral tool transfer. The VBS script was used to copy ICS-specific payloads with the following command: `cscript C:\Backinfo\ufn.vbs <TargetIP> "C:\Backinfo\101.dll" "C:\Delta\101.dll"`[16]
- Masquerading - Sandworm Team transfers executable files as .txt and then renames them to .exe, likely to avoid detection through extension tracking.[16]
- Remote Services - Sandworm Team appears to use MS-SQL access to a pivot machine, allowing code execution throughout the ICS network.[16]
1. UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA. (2020, October 15). Indictment: Conspiracy to Commit an Offense Against the United States. Retrieved April 7, 2021.
2. Dragos. (n.d.). Electrum. Retrieved October 27, 2019.
3. Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.
4. Dragos Inc. (2017, June 13). Industroyer - Dragos - 201706: Analysis of the Threat to Electric Grid Operations. Retrieved September 18, 2017.
5. John Hultquist. (2016, January 07). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved March 8, 2019.
6. Anton Cherepanov. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved April 7, 2021.
7. Secureworks. (n.d.). IRON VIKING. Retrieved April 7, 2021.
8. Foreign, Commonwealth & Development Office. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games. Retrieved April 7, 2021.
9. F-Secure. (n.d.). BLACKENERGY & QUEDAGH: The convergence of crimeware and APT attacks. Retrieved April 7, 2021.
10. Adam Meyers. (2018, January 29). CrowdStrike's January Adversary of the Month: VOODOO BEAR. Retrieved April 7, 2021.
11. Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case. Retrieved March 27, 2018.
12. ICS-CERT. (2014, December 10). ICS Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS (Update E). Retrieved October 11, 2019.
13. ICS-CERT. (2018, September 06). Advantech/Broadwin WebAccess RPC Vulnerability (Update B). Retrieved December 5, 2019.
14. Zetter, Kim. (2016, March 03). Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid. Retrieved March 8, 2019.
15. ICS-CERT. (2016, February 25). Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved March 8, 2019.
16. Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019.
17. Anton Cherepanov, Robert Lipovsky. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved December 2, 2019.
18. Andy Greenberg. (n.d.). Retrieved October 16, 2019.