Group: Sandworm, ELECTRUM
| Associated Groups | Sandworm, ELECTRUM |
|---|---|
| External Contributors | Dragos Threat Intelligence |
Sandworm is a threat group associated with the attack on an electrical transmission substation in Kiev, Ukraine, which disrupted electric grid operations on December 17th, 2016.[1][2] Sandworm has been cited as the author of the Industroyer malware used in the 2016 Ukraine attacks.[3]
Techniques Used
- Internet Accessible Device - Sandworm actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software that had been directly exposed to the internet.[5][6]
- Valid Accounts - Sandworm used valid accounts to move laterally through VPN connections and dual-homed systems.[1][7]
References
1. Dragos. (n.d.). Electrum. Retrieved October 27, 2019.
2. Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.
3. Dragos Inc. (2017, June 13). Industroyer - Dragos - 201706: Analysis of the Threat to Electric Grid Operations. Retrieved September 18, 2017.
4. John Hultquist. (2016, January 07). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved March 8, 2019.
5. ICS-CERT. (2014, December 10). ICS Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS (Update E). Retrieved October 11, 2019.
6. ICS-CERT. (2018, September 06). Advantech/Broadwin WebAccess RPC Vulnerability (Update B). Retrieved December 5, 2019.
7. Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019.
8. Anton Cherepanov, Robert Lipovsky. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved December 2, 2019.
9. Andy Greenberg. (n.d.). Retrieved October 16, 2019.