Group: Sandworm Team, ELECTRUM, ...

Associated Groups: Sandworm Team, ELECTRUM, Telebots, IRON VIKING, Quedagh, VOODOO BEAR
External Contributors: Dragos Threat Intelligence
Sandworm Team is a destructive threat group that has been attributed to Russian GRU Unit 74455. [1] Sandworm Team's most notable attacks include the 2015 and 2016 targeting of the Ukrainian electrical sector and the 2017 NotPetya attacks. [2][3] Sandworm Team has been active since at least 2009 and has been linked to Industroyer, BlackEnergy 3, and KillDisk malware. [1][4]
Techniques Used
- Internet Accessible Device - Sandworm Team actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet. [11][12]
- Valid Accounts - Sandworm Team used valid accounts to laterally move through VPN connections and dual-homed systems. [2][13] In the Ukraine 2015 Incident, Sandworm Team used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications. [14]
- Spearphishing Attachment - In the Ukraine 2015 Incident, Sandworm Team sent spearphishing attachments to three energy distribution companies containing malware to gain access to victim systems. [1]
- Block Command Message - In the Ukraine 2015 Incident, Sandworm Team blocked command messages by using malicious firmware to render communication devices inoperable. [14]
- Block Reporting Message - In the Ukraine 2015 Incident, Sandworm Team blocked reporting messages by using malicious firmware to render communication devices inoperable. [14]
- Device Restart/Shutdown - In the Ukraine 2015 Incident, Sandworm Team disconnected uninterruptible power supply (UPS) systems to shut down devices and make service unrecoverable. [14]
- External Remote Services - In the Ukraine 2015 Incident, Sandworm Team harvested VPN worker credentials and used them to remotely log into control system networks. [14]
- Graphical User Interface - In the Ukraine 2015 Incident, Sandworm Team utilized HMI GUIs in the SCADA environment to open breakers. [14]
- Unauthorized Command Message - In the Ukraine 2015 Incident, Sandworm Team issued unauthorized commands to substation breakers after gaining control of operator workstations and accessing a distribution management system (DMS) client application. [14]
- System Firmware - In the Ukraine 2015 Incident, Sandworm Team developed and used malicious firmware to render communication devices inoperable. [14]
References

1. UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA. (2020, October 15). Indictment: Conspiracy to Commit an Offense Against the United States. Retrieved April 7, 2021.
2. Dragos. (n.d.). Electrum. Retrieved October 27, 2019.
3. Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.
4. Dragos Inc. (2017, June 13). Industroyer - Dragos - 201706: Analysis of the Threat to Electric Grid Operations. Retrieved September 18, 2017.
5. John Hultquist. (2016, January 07). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved March 8, 2019.
6. Anton Cherepanov. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved April 7, 2021.
7. Secureworks. (n.d.). IRON VIKING. Retrieved April 7, 2021.
8. Foreign, Commonwealth & Development Office. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games. Retrieved April 7, 2021.
9. F-Secure. (n.d.). BLACKENERGY & QUEDAGH: The convergence of crimeware and APT attacks. Retrieved April 7, 2021.
10. Adam Meyers. (2018, January 29). CrowdStrike's January Adversary of the Month: VOODOO BEAR. Retrieved April 7, 2021.
11. ICS-CERT. (2014, December 10). ICS Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS (Update E). Retrieved October 11, 2019.
12. ICS-CERT. (2018, September 06). Advantech/Broadwin WebAccess RPC Vulnerability (Update B). Retrieved December 5, 2019.
13. Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019.
14. Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case. Retrieved March 27, 2018.
15. Anton Cherepanov, Robert Lipovsky. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved December 2, 2019.
16. Andy Greenberg. (n.d.). Retrieved October 16, 2019.