This site has been deprecated in favor of and will remain in place until 11/1/22.

Group: Sandworm Team, ELECTRUM, ...

From attackics
Revision as of 14:42, 8 October 2021 by Jsteele (talk | contribs)
ID G0007
Associated Groups Sandworm Team, ELECTRUM, Telebots, IRON VIKING, Quedagh, VOODOO BEAR
External Contributors Dragos Threat Intelligence

Sandworm Team is a destructive threat group that has been attributed to Russian GRU Unit 74455.[1] Sandworm Team's most notable attacks include the 2015 and 2016 targeting of the Ukrainian electrical sector and the 2017 NotPetya attacks.[2][3] Sandworm Team has been active since at least 2009 and has been linked to the Industroyer, BlackEnergy 3, and KillDisk malware.[1][4]

Associated Group Descriptions

  • Sandworm Team [5]
  • ELECTRUM [2]
  • Telebots [6]
  • Quedagh [8][9]
  • VOODOO BEAR [10]

Techniques Used

  • Device Restart/Shutdown - In the 2015 attack on the Ukrainian power grid, Sandworm Team scheduled disconnects of uninterruptible power supply (UPS) systems so that when power was disconnected from the substations, the devices would shut down and service could not be recovered.[11]
  • Spearphishing Attachment - In the Ukraine 2015 incident, Sandworm Team sent spearphishing attachments containing malware to three energy distribution companies to gain access to victim systems.[1]
  • Remote Services - In the Ukraine 2015 incident, Sandworm Team used native remote access tools to directly interface with operator workstations and control ICS components.[11]
  • Unauthorized Command Message - In the Ukraine 2015 incident, Sandworm Team issued unauthorized commands to substation breakers after gaining control of operator workstations and accessing a distribution management system (DMS) client application.[11]
  • Valid Accounts - Sandworm Team used valid accounts to move laterally through VPN connections and dual-homed systems.[2][16] In the Ukraine 2015 incident, Sandworm Team used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications.[11]
  • Lateral Tool Transfer - Sandworm Team used a VBS script to facilitate lateral tool transfer. The VBS script was used to copy ICS-specific payloads with the following command: cscript C:\Backinfo\ufn.vbs <TargetIP> "C:\Backinfo\101.dll" "C:\Delta\101.dll"[16]
  • Masquerading - Sandworm Team transfers executable files as .txt and then renames them to .exe, likely to avoid detection through extension tracking.[16]
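Added example for the Lateral Tool Transfer and Masquerading entries above (this is not code from the ATT&CK for ICS page): a small Python detector that flags the cscript copy-command shape and .txt-to-.exe renames in host telemetry. The event schema, hostnames, IP and file paths in the sample records are constructed for the example.

```python
import ntpath
import re
import shlex

SCRIPT_HOSTS = {"cscript", "wscript"}
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def _argv(cmdline):
    """Split a Windows command line; non-POSIX mode keeps backslashes intact."""
    try:
        return [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:          # unbalanced quotes: not parseable, no match
        return []

def is_vbs_tool_transfer(cmdline):
    """cscript/wscript running a .vbs with an IPv4 target and two .dll paths,
    the shape of the copy command reported for the Ukraine intrusions."""
    argv = _argv(cmdline)
    if not argv:
        return False
    image = ntpath.splitext(ntpath.basename(argv[0]))[0].lower()
    if image not in SCRIPT_HOSTS:
        return False
    exts = [ntpath.splitext(a)[1].lower() for a in argv[1:]]
    has_ip = any(IPV4.match(a) for a in argv[1:])
    return ".vbs" in exts and has_ip and exts.count(".dll") >= 2

def is_txt_to_exe_rename(old_path, new_path):
    """Masquerading: a file dropped as .txt is renamed to .exe."""
    return (ntpath.splitext(old_path)[1].lower() == ".txt"
            and ntpath.splitext(new_path)[1].lower() == ".exe")

# Constructed sample telemetry (hypothetical schema, not real Sysmon/EDR output).
EVENTS = [
    {"type": "process", "host": "hmi-01",
     "cmdline": r'cscript C:\Backinfo\ufn.vbs 10.0.0.5 "C:\Backinfo\101.dll" "C:\Delta\101.dll"'},
    {"type": "process", "host": "eng-02", "cmdline": r"cscript C:\scripts\inventory.vbs"},
    {"type": "rename", "host": "hmi-01", "old": r"C:\Backinfo\upd.txt", "new": r"C:\Backinfo\upd.exe"},
    {"type": "rename", "host": "eng-02", "old": r"C:\Users\op\notes.txt", "new": r"C:\Users\op\notes.bak"},
]

def scan(events):
    """Return (technique, host, detail) tuples for every matching event."""
    alerts = []
    for e in events:
        if e["type"] == "process" and is_vbs_tool_transfer(e["cmdline"]):
            alerts.append(("Lateral Tool Transfer", e["host"], e["cmdline"]))
        elif e["type"] == "rename" and is_txt_to_exe_rename(e["old"], e["new"]):
            alerts.append(("Masquerading", e["host"], e["new"]))
    return alerts
```

Running scan(EVENTS) yields one alert per technique for host hmi-01 and nothing for the benign inventory script or the .txt-to-.bak rename on eng-02.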