Sandworm Team
Also known as: ELECTRUM · Telebots · IRON VIKING · BlackEnergy (Group) · Quedagh · Voodoo Bear · IRIDIUM · Seashell Blizzard · FROZENBARENTS · APT44
Overview
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455. This group has been active since at least 2009. In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019. Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.
Targets
Energy · Government · Industrial · Private sector
Regions
Azerbaijan · Belarus · Georgia · Iran · Israel · Kazakhstan · Kyrgyzstan · Lithuania · Poland · Russia · Ukraine
Capabilities
- Supply-chain compromise — ATT&CK T1195, T1195.002
- Destructive / data-wiping operations — ATT&CK T1485, T1561.002; software: AcidRain, Industroyer, Industroyer2, NotPetya, KillDisk, Olympic Destroyer
- Exploitation of public-facing / client applications — ATT&CK T1190, T1203
- Custom malware/implant development — ATT&CK: 19 attributed custom malware families
TTPs — 79 techniques across 13 tactics
Reconnaissance
- T1589.002 Email Addresses
- T1589.003 Employee Names
- T1590.001 Domain Properties
- T1591.002 Business Relationships
- T1592.002 Software
- T1593 Search Open Websites/Domains
- T1594 Search Victim-Owned Websites
- T1595.002 Vulnerability Scanning
- T1598.003 Spearphishing Link
Resource Development
- T1583 Acquire Infrastructure
- T1583.001 Domains
- T1583.004 Server
- T1584.004 Server
- T1584.005 Botnet
- T1585.001 Social Media Accounts
- T1585.002 Email Accounts
- T1586.001 Social Media Accounts
- T1587.001 Malware
- T1588.002 Tool
- T1588.006 Vulnerabilities
- T1608.001 Upload Malware
Initial Access
- T1190 Exploit Public-Facing Application
- T1195 Supply Chain Compromise
- T1195.002 Compromise Software Supply Chain
- T1199 Trusted Relationship
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
Execution
- T1047 Windows Management Instrumentation
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1072 Software Deployment Tools
- T1106 Native API
- T1203 Exploitation for Client Execution
- T1204.001 Malicious Link
- T1204.002 Malicious File
Persistence
- T1133 External Remote Services
- T1505.003 Web Shell
Stealth
- T1027 Obfuscated Files or Information
- T1027.010 Command Obfuscation
- T1036 Masquerading
- T1036.005 Match Legitimate Resource Name or Location
- T1070.004 File Deletion
- T1078 Valid Accounts
- T1078.002 Domain Accounts
- T1140 Deobfuscate/Decode Files or Information
- T1218.011 Rundll32
Credential Access
- T1003.001 LSASS Memory
- T1003.003 NTDS
- T1040 Network Sniffing
- T1539 Steal Web Session Cookie
- T1555.003 Credentials from Web Browsers
Discovery
- T1018 Remote System Discovery
- T1033 System Owner/User Discovery
- T1049 System Network Connections Discovery
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1087.002 Domain Account
- T1087.003 Email Account
Lateral Movement
- T1021.002 SMB/Windows Admin Shares
- T1570 Lateral Tool Transfer
Collection
- T1005 Data from Local System
- T1056.001 Keylogging
- T1213.006 Databases
Command and Control
- T1071.001 Web Protocols
- T1090 Proxy
- T1102.002 Bidirectional Communication
- T1105 Ingress Tool Transfer
- T1132.001 Standard Encoding
- T1219 Remote Access Tools
- T1571 Non-Standard Port
Exfiltration
Impact
- T1485 Data Destruction
- T1486 Data Encrypted for Impact
- T1489 Service Stop
- T1490 Inhibit System Recovery
- T1491.002 External Defacement
- T1499 Endpoint Denial of Service
- T1561.002 Disk Structure Wipe
Tools & malware (27)
Bad Rabbit · Mimikatz · Exaramel for Linux · Exaramel for Windows · GreyEnergy · PsExec · Prestige · P.A.S. Webshell · AcidPour · VPNFilter · Neo-reGeorg · Cyclops Blink · SDelete · Empire · Kapeka · AcidRain · Industroyer · Industroyer2 · BlackEnergy · Cobalt Strike · NotPetya · KillDisk · Net · PoshC2 · Impacket · Invoke-PSImage · Olympic Destroyer