Group: Sandworm Team, ELECTRUM, ...

From attackics
Jump to navigation Jump to search
Sandworm Team, ELECTRUM, ...
Group
ID G0007
Associated Groups Sandworm Team, ELECTRUM, Telebots, IRON VIKING, Quedagh, VOODOO BEAR
External Contributors Dragos Threat Intelligence

Sandworm Team is a destructive threat group that has been attributed to Russian GRU Unit 74455.1 Sandworm Team’s most notable attacks include the 2015 and 2016 targeting of Ukrainian electrical sector and the 2017 NotPetya attacks. 23 Sandworm Team has been active since at least 2009 and has been linked to Industroyer, BlackEnergy 3, and KillDisk malware.14

Associated Group Descriptions

  • Sandworm Team - 5
  • ELECTRUM - 2
  • Telebots - 6
  • IRON VIKING - 7
  • Quedagh - 89
  • VOODOO BEAR - 10

Techniques Used

  • Device Restart/Shutdown - In the 2015 attack on the Ukrainian power grid, the Sandworm Team scheduled disconnects of uninterruptable power supply (UPS) systems so that when power was disconnected from the substations, the devices would shut down and service could not be recovered.11
  • Spearphishing Attachment - In the Ukraine 2015 incident, Sandworm Team sent spearphishing attachments to three energy distribution companies containing malware to gain access to victim systems.1
  • Remote Services - In the Ukraine 2015 Incident, Sandworm Team used native remote access tools to directly interface with operator workstations and control ICS components.11
  • Unauthorized Command Message - In the Ukraine 2015 Incident, Sandworm Team issued unauthorized commands to substation breakers after gaining control of operator workstations and accessing a distribution management system (DMS) client application.11
  • Valid Accounts - Sandworm Team used valid accounts to laterally move through VPN connections and dual-homed systems.216 In the Ukraine 2015 Incident, Sandworm Team used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications.11
  • Lateral Tool Transfer - Sandworm Team used a VBS script to facilitate lateral tool transfer. The VBS script was used to copy ICS-specific payloads with the following command: cscript C:\Backinfo\ufn.vbs <TargetIP> “C:\Backinfo\101.dll” “C:\Delta\101.dll”16
  • Masquerading - Sandworm Team transfers executable files as .txt. and then renames them to .exe, likely to avoid detection through extension tracking.16

Software

References

  1. a b c d e  UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA. (2020, October 15). Indictment: Conspiracy to Commit an Offense Against the United States. Retrieved April 7, 2021.
  2. a b c  Dragos. (n.d.). Electrum. Retrieved October 27, 2019.
  3. ^  Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.
  4. a b  Dragos Inc.. (2017, June 13). Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations. Retrieved September 18, 2017.
  5. a b  John Hultquist. (2016, January 07). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved March 8, 2019.
  6. ^  Anton Cherepanov. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved April 7, 2021.
  7. ^  Secureworks. (n.d.). IRON VIKING. Retrieved April 7, 2021.
  8. ^  Foreign, Commonwealth & Development Office. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games. Retrieved April 7, 2021.
  9. ^  F-Secure. (n.d.). BLACKENERGY & QUEDAGH: The convergence of crimeware and APT attacks. Retrieved April 7, 2021.
  1. ^  Adam Meyers. (2018, January 29). CrowdStrike’s January Adversary of the Month: VOODOO BEAR. Retrieved April 7, 2021.
  2. a b c d e f g h i  Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.
  3. ^  ICS-CERT. (2014, December 10). ICS Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS (Update E). Retrieved October 11, 2019.
  4. ^  ICS CERT. (2018, September 06). Advantech/Broadwin WebAccess RPC Vulnerability (Update B). Retrieved December 5, 2019.
  5. ^  Zetter, Kim. (2016, March 03). INSIDE THE CUNNING, UNPRECEDENTED HACK OF UKRAINE'S POWER GRID. Retrieved March 8, 2019.
  6. ^  ICS-CERT. (2016, February 25). Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved March 8, 2019.
  7. a b c d e f  Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019.
  8. ^  Anton Cherepanov, Robert Lipovsky. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved December 2, 2019.
  9. ^  Andy Greenberg. (n.d.). Retrieved October 16, 2019.

Retrieved from "https://collaborate.mitre.org/attackics/index.php?title=Group/G0007&oldid=9570"