Group: Sandworm Team, ELECTRUM, ...

From attackics
Revision as of 14:10, 7 April 2021 by Jsteele (talk | contribs)
ID G0007
Associated Groups Sandworm Team, ELECTRUM, Telebots, IRON VIKING, Quedagh, VOODOO BEAR
External Contributors Dragos Threat Intelligence

Sandworm Team is a destructive threat group that has been attributed to Russian GRU Unit 74455.[1] Sandworm Team's most notable attacks include the 2015 and 2016 targeting of the Ukrainian electrical sector and the 2017 NotPetya attacks.[2][3] Sandworm Team has been active since at least 2009 and has been linked to Industroyer, BlackEnergy 3, and KillDisk malware.[1][4]

Associated Group Descriptions

  • Sandworm Team - [5]
  • ELECTRUM - [2]
  • Telebots - [6]
  • Quedagh - [8][9]
  • VOODOO BEAR - [10]

Techniques Used

  • Valid Accounts - Sandworm Team used valid accounts to laterally move through VPN connections and dual-homed systems.[2][13] In the Ukraine 2015 Incident, Sandworm Team used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications.[14]
  • - Sandworm Team actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet.[11][12]
  • Spearphishing Attachment - In the Ukraine 2015 Incident, Sandworm Team sent spearphishing attachments containing malware to three energy distribution companies to gain access to victim systems.[1]
  • Unauthorized Command Message - In the Ukraine 2015 Incident, Sandworm Team issued unauthorized commands to substation breakers after gaining control of operator workstations and accessing a distribution management system (DMS) client application.[14]