
G0034 Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.1315 This group has been active since at least 2009.561110

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.1315 Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.2

ID: G0034
Associated Names: ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, Voodoo Bear, IRIDIUM, Seashell Blizzard, FROZENBARENTS, APT44
Version: 4.2
Created: 31 May 2017
Last Modified: 04 December 2024

Associated Group Descriptions

Name Description
ELECTRUM 315
Telebots 101315
IRON VIKING 141315
BlackEnergy (Group) 1015
Quedagh 5 415
Voodoo Bear 61315
IRIDIUM 8
Seashell Blizzard 7
FROZENBARENTS 1
APT44 12

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.16
enterprise T1087.003 Email Account Sandworm Team used malware to enumerate email settings, including usernames and passwords, from the M.E.Doc application.29
enterprise T1098 Account Manipulation During the 2016 Ukraine Electric Power Attack, Sandworm Team used the sp_addlinkedsrvlogin command in MS-SQL to create a link between a created account and other servers in the network.18
enterprise T1583 Acquire Infrastructure Sandworm Team used various third-party email campaign management services to deliver phishing emails.1
enterprise T1583.001 Domains Sandworm Team has registered domain names and created URLs that are often designed to mimic or spoof legitimate websites, such as email login pages, online file sharing and storage websites, and password reset pages, while also hosting these items on legitimate, compromised network infrastructure.1317
enterprise T1583.004 Server Sandworm Team has leased servers from resellers instead of leasing infrastructure directly from hosting companies to enable its operations.13
enterprise T1595 Active Scanning -
enterprise T1595.002 Vulnerability Scanning Sandworm Team has scanned network infrastructure for vulnerabilities as part of its operational planning.13
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Sandworm Team’s BCS-server tool connects to the designated C2 server via HTTP.16
enterprise T1110 Brute Force During the 2016 Ukraine Electric Power Attack, Sandworm Team used a script to attempt RPC authentication against a number of hosts.18
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Sandworm Team has used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.1318
enterprise T1059.003 Windows Command Shell During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL.18
enterprise T1059.005 Visual Basic Sandworm Team has created VBScripts to run an SSH server.24162518
enterprise T1586 Compromise Accounts -
enterprise T1586.001 Social Media Accounts Sandworm Team creates credential capture webpages to compromise existing, legitimate social media accounts.17
enterprise T1554 Compromise Host Software Binary During the 2016 Ukraine Electric Power Attack, Sandworm Team used a trojanized version of Windows Notepad to add a layer of persistence for Industroyer.42
enterprise T1584 Compromise Infrastructure -
enterprise T1584.004 Server Sandworm Team compromised legitimate Linux servers running the EXIM mail transfer agent for use in subsequent campaigns.221
enterprise T1584.005 Botnet Sandworm Team has used a large-scale botnet to target Small Office/Home Office (SOHO) network devices.26
enterprise T1136 Create Account During the 2016 Ukraine Electric Power Attack, Sandworm Team added a login to a SQL Server with sp_addlinkedsrvlogin.18
enterprise T1136.002 Domain Account During the 2015 Ukraine Electric Power Attack, Sandworm Team created privileged domain accounts to be used for further exploitation and lateral movement. 38
enterprise T1543 Create or Modify System Process -
enterprise T1543.002 Systemd Service During the 2022 Ukraine Electric Power Attack, Sandworm Team configured Systemd to maintain persistence of GOGETTER, specifying the WantedBy=multi-user.target configuration to run GOGETTER when the system begins accepting user logins.30
enterprise T1543.003 Windows Service During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary. 41
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers Sandworm Team’s CredRaptor tool can collect saved passwords from various internet browsers.16
enterprise T1485 Data Destruction Sandworm Team has used CaddyWiper, SDelete, and the BlackEnergy KillDisk component to overwrite files on victim systems. 272530 Additionally, Sandworm Team has used the JUNKMAIL tool to overwrite files with null bytes.12
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Sandworm Team’s BCS-server tool uses base64 encoding and HTML tags for its communication traffic with the C2 server.16
enterprise T1486 Data Encrypted for Impact Sandworm Team has used Prestige ransomware to encrypt data at targeted organizations in transportation and related logistics industries in Ukraine and Poland.8
enterprise T1213 Data from Information Repositories -
enterprise T1213.006 Databases Sandworm Team exfiltrates data of interest from enterprise databases using Adminer.1
enterprise T1005 Data from Local System Sandworm Team has exfiltrated internal documents, files, and other data from compromised hosts.13
enterprise T1491 Defacement -
enterprise T1491.002 External Defacement Sandworm Team defaced approximately 15,000 websites belonging to Georgian government, non-government, and private sector organizations in 2019.1315
enterprise T1140 Deobfuscate/Decode Files or Information Sandworm Team’s VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group has also decrypted received information with the Triple DES algorithm and decompressed it with GZip.1629
enterprise T1587 Develop Capabilities -
enterprise T1587.001 Malware Sandworm Team has developed malware for its operations, including malicious mobile applications and destructive malware such as NotPetya and Olympic Destroyer.13
enterprise T1561 Disk Wipe -
enterprise T1561.002 Disk Structure Wipe Sandworm Team has used the BlackEnergy KillDisk component to corrupt the infected system’s master boot record.2725
enterprise T1484 Domain or Tenant Policy Modification -
enterprise T1484.001 Group Policy Modification During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Group Policy Objects (GPOs) to deploy and execute malware.30
enterprise T1499 Endpoint Denial of Service Sandworm Team temporarily disrupted service to Georgian government, non-government, and private sector websites after compromising a Georgian web hosting provider in 2019.13
enterprise T1585 Establish Accounts -
enterprise T1585.001 Social Media Accounts Sandworm Team has established social media accounts to disseminate victim internal-only documents and other sensitive data.13
enterprise T1585.002 Email Accounts Sandworm Team has created email accounts that mimic legitimate organizations for its spearphishing operations.13
enterprise T1041 Exfiltration Over C2 Channel Sandworm Team has sent system information to its C2 server using HTTP.16
enterprise T1190 Exploit Public-Facing Application Sandworm Team exploits public-facing applications for initial access and to acquire infrastructure, such as exploitation of the EXIM mail transfer agent in Linux systems.221
enterprise T1203 Exploitation for Client Execution Sandworm Team has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and Microsoft Word via crafted TIFF images (CVE-2013-3906).202119
enterprise T1133 External Remote Services Sandworm Team has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. Sandworm Team has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company’s users.24252312
enterprise T1083 File and Directory Discovery Sandworm Team has enumerated files on a compromised host.1318
enterprise T1592 Gather Victim Host Information -
enterprise T1592.002 Software Sandworm Team has researched software code to enable supply-chain operations, most notably for the 2017 NotPetya attack. Sandworm Team also collected a list of computers using specific software as part of its targeting efforts.13
enterprise T1589 Gather Victim Identity Information -
enterprise T1589.002 Email Addresses Sandworm Team has obtained valid emails addresses while conducting research against target organizations that were subsequently used in spearphishing campaigns.13
enterprise T1589.003 Employee Names Sandworm Team’s research of potential victim organizations included the identification and collection of employee information.13
enterprise T1590 Gather Victim Network Information -
enterprise T1590.001 Domain Properties Sandworm Team conducted technical reconnaissance of the Parliament of Georgia’s official internet domain prior to its 2019 attack.13
enterprise T1591 Gather Victim Org Information -
enterprise T1591.002 Business Relationships In preparation for its attack against the 2018 Winter Olympics, Sandworm Team conducted online research of partner organizations listed on an official PyeongChang Olympics partnership site.13
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools During the 2015 Ukraine Electric Power Attack, Sandworm Team modified in-registry internet settings to lower internet security. 38
enterprise T1562.002 Disable Windows Event Logging During the 2016 Ukraine Electric Power Attack, Sandworm Team disabled event logging on compromised systems.18
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Sandworm Team has used backdoors that can delete files used in an attack from an infected system.162930
enterprise T1105 Ingress Tool Transfer Sandworm Team has pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.1613
enterprise T1490 Inhibit System Recovery Sandworm Team uses Prestige to delete the backup catalog from the target system using: C:\Windows\System32\wbadmin.exe delete catalog -quiet and to delete volume shadow copies using: C:\Windows\System32\vssadmin.exe delete shadows /all /quiet. 8
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.16
enterprise T1570 Lateral Tool Transfer Sandworm Team has used the move command to transfer files to a network share and has copied payloads, such as Prestige ransomware, to an Active Directory Domain Controller for distribution via the Default Domain Group Policy Object.188 Additionally, Sandworm Team has transferred an ISO file into the OT network to gain initial access.30
enterprise T1036 Masquerading Sandworm Team masqueraded malicious installers as Windows update packages to evade defense and entice users to execute binaries.1
enterprise T1036.004 Masquerade Task or Service During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Systemd service units to masquerade GOGETTER malware as legitimate or seemingly legitimate services.30
enterprise T1036.005 Match Legitimate Resource Name or Location Sandworm Team has avoided detection by naming a malicious binary explorer.exe.1613
enterprise T1036.008 Masquerade File Type During the 2016 Ukraine Electric Power Attack, Sandworm Team masqueraded executables as .txt files.18
enterprise T1036.010 Masquerade Account Name During the 2016 Ukraine Electric Power Attack, Sandworm Team created two new accounts, “admin” and “система” (System).18
enterprise T1112 Modify Registry During the 2015 Ukraine Electric Power Attack, Sandworm Team modified in-registry Internet settings to lower internet security before launching rundll32.exe, which in turn launched the malware and communicated with C2 servers over the Internet. 38
enterprise T1106 Native API Sandworm Team uses Prestige to disable and restore file system redirection by using the following functions: Wow64DisableWow64FsRedirection() and Wow64RevertWow64FsRedirection().8
enterprise T1040 Network Sniffing Sandworm Team has used intercepter-NG to sniff passwords in network traffic.16
enterprise T1095 Non-Application Layer Protocol During the 2022 Ukraine Electric Power Attack, Sandworm Team proxied C2 communications within a TLS-based tunnel.30
enterprise T1571 Non-Standard Port Sandworm Team has used port 6789 to accept connections on the group’s SSH server.24
enterprise T1027 Obfuscated Files or Information Sandworm Team has used Base64 encoding within malware variants.20
enterprise T1027.002 Software Packing During the 2016 Ukraine Electric Power Attack, Sandworm Team used UPX to pack a copy of Mimikatz.18
enterprise T1027.010 Command Obfuscation Sandworm Team has used ROT13 encoding, AES encryption and compression with the zlib library for their Python-based backdoor.16
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Sandworm Team has acquired open-source tools for their operations, including Invoke-PSImage, which was used to establish an encrypted channel from a compromised host to Sandworm Team’s C2 server in preparation for the 2018 Winter Olympics attack, as well as Impacket and RemoteExec, which were used in their 2022 Prestige operations.138 Additionally, Sandworm Team has used Empire, Cobalt Strike and PoshC2.12
enterprise T1588.006 Vulnerabilities In 2017, Sandworm Team conducted technical research related to vulnerabilities associated with websites used by the Korean Sport and Olympic Committee, a Korean power company, and a Korean airport.13
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Sandworm Team has used its plainpwd tool, a modified version of Mimikatz, and comsvcs.dll to dump Windows credentials from system memory.16258
enterprise T1003.003 NTDS Sandworm Team has used ntdsutil.exe to back up the Active Directory database, likely for credential access.8
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Sandworm Team has delivered malicious Microsoft Office and ZIP file attachments via spearphishing emails.202716132812
enterprise T1566.002 Spearphishing Link Sandworm Team has crafted phishing emails containing malicious hyperlinks.13
enterprise T1598 Phishing for Information -
enterprise T1598.003 Spearphishing Link Sandworm Team has crafted spearphishing emails with hyperlinks designed to trick unwitting recipients into revealing their account credentials.13
enterprise T1055 Process Injection During the 2015 Ukraine Electric Power Attack, Sandworm Team loaded BlackEnergy into svchost.exe, which then launched iexplore.exe for their C2. 38
enterprise T1572 Protocol Tunneling During the 2022 Ukraine Electric Power Attack, Sandworm Team deployed the GOGETTER tunneler software to establish a “Yamux” TLS-based C2 channel with an external server(s).30
enterprise T1090 Proxy Sandworm Team’s BCS-server tool can create an internal proxy server to redirect traffic from the adversary-controlled C2 to internal servers which may not be connected to the internet, but are interconnected locally.16
enterprise T1219 Remote Access Tools Sandworm Team has used remote administration tools or remote industrial control system client software for execution and to maliciously open circuit breakers.278
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares Sandworm Team has copied payloads to the ADMIN$ share of remote systems and run net use to connect to network shares.188
enterprise T1018 Remote System Discovery Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about computers listed in AD.1618
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Sandworm Team leveraged SHARPIVORY, a .NET dropper that writes embedded payload to disk and uses scheduled tasks to persist on victim machines.12
enterprise T1593 Search Open Websites/Domains Sandworm Team researched Ukraine’s unique legal entity identifier (called an “EDRPOU” number), including running queries on the EDRPOU website, in preparation for the NotPetya attack. Sandworm Team has also researched third-party websites to help it craft credible spearphishing emails.13
enterprise T1594 Search Victim-Owned Websites Sandworm Team has conducted research against potential victim websites as part of its operational planning.13
enterprise T1505 Server Software Component -
enterprise T1505.001 SQL Stored Procedures During the 2016 Ukraine Electric Power Attack, Sandworm Team used various MS-SQL stored procedures.18
enterprise T1505.003 Web Shell Sandworm Team has used webshells including P.A.S. Webshell to maintain access to victim networks.23
enterprise T1489 Service Stop Sandworm Team attempts to stop the MSSQL Windows service to ensure successful encryption of locked files.8
enterprise T1072 Software Deployment Tools Sandworm Team has used the commercially available tool RemoteExec for agentless remote code execution.8
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware Sandworm Team staged compromised versions of legitimate software installers on forums to gain initial access to the systems of users who executed them.12
enterprise T1539 Steal Web Session Cookie Sandworm Team used information stealer malware to collect browser session cookies.1
enterprise T1195 Supply Chain Compromise Sandworm Team staged compromised versions of legitimate software installers on forums to achieve initial, untargeted access in victim environments.12
enterprise T1195.002 Compromise Software Supply Chain Sandworm Team has distributed NotPetya by compromising the legitimate Ukrainian accounting software M.E.Doc and replacing a legitimate software update with a malicious one.312513
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe.29
enterprise T1082 System Information Discovery Sandworm Team used a backdoor to enumerate information about the infected system’s operating system.2913
enterprise T1049 System Network Connections Discovery Sandworm Team has gathered user, IP address, and server data related to RDP sessions on a compromised host. It has also accessed network diagram files useful for understanding how a host’s network was configured.1318
enterprise T1033 System Owner/User Discovery Sandworm Team has collected the username from a compromised host.13
enterprise T1199 Trusted Relationship Sandworm Team has used dedicated network connections from one victim organization to gain unauthorized access to a separate organization.13 Additionally, Sandworm Team has accessed Internet service providers and telecommunication entities that provide mobile connectivity.12
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Sandworm Team has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.13
enterprise T1204.002 Malicious File Sandworm Team has tricked unwitting recipients into clicking on spearphishing attachments and enabling malicious macros embedded within files.1613
enterprise T1078 Valid Accounts Sandworm Team has used previously acquired legitimate credentials prior to attacks.27
enterprise T1078.002 Domain Accounts Sandworm Team has used stolen credentials to access administrative accounts within the domain.138
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication Sandworm Team has used the Telegram Bot API from Telegram Messenger to send and receive commands to its Python backdoor. Sandworm Team also used legitimate M.E.Doc software update check requests for sending and receiving commands and hosted malicious payloads on putdrive.com.1625
enterprise T1047 Windows Management Instrumentation Sandworm Team has used Impacket’s WMIexec module for remote code execution and VBScript to run WMI queries.188
mobile T1676 Linked Devices Sandworm Team has used the linked devices feature to connect Signal accounts on devices captured on the battlefield to adversary-controlled infrastructure for follow-on exploitation.32
mobile T1660 Phishing Sandworm Team used SMS-based phishing to target victims with malicious links.1
mobile T1409 Stored Application Data Sandworm Team can collect encrypted Telegram and Signal communications.12
ics T0895 Autorun Image During the 2022 Ukraine Electric Power Attack, Sandworm Team used existing hypervisor access to map an ISO image named a.iso to a virtual machine running a SCADA server. The SCADA server’s operating system was configured to autorun CD-ROM images, and as a result, a malicious VBS script on the ISO image was automatically executed.30
ics T0803 Block Command Message During the 2015 Ukraine Electric Power Attack, Sandworm Team blocked command messages by using malicious firmware to render serial-to-ethernet converters inoperable. 37
ics T0804 Block Reporting Message During the 2015 Ukraine Electric Power Attack, Sandworm Team blocked reporting messages by using malicious firmware to render serial-to-ethernet converters inoperable. 37
ics T0805 Block Serial COM During the 2015 Ukraine Electric Power Attack, Sandworm Team overwrote the serial-to-ethernet converter firmware, rendering the devices not operational. This meant that communication to the downstream serial devices was either not possible or more difficult. 38
ics T0807 Command-Line Interface Sandworm Team uses the MS-SQL server xp_cmdshell command and PowerShell to execute commands. 33
ics T0885 Commonly Used Port During the 2015 Ukraine Electric Power Attack, Sandworm Team used port 443 to communicate with their C2 servers. 38
ics T0884 Connection Proxy Sandworm Team establishes an internal proxy prior to the installation of backdoors within the network. 36
ics T0813 Denial of Control During the 2015 Ukraine Electric Power Attack, KillDisk rendered devices that were necessary for remote recovery unusable, including at least one RTU. Additionally, Sandworm Team overwrote the firmware for serial-to-ethernet converters, denying operators control of the downstream devices. 3837
ics T0814 Denial of Service During the 2015 Ukraine Electric Power Attack, power company phone line operators were hit with a denial of service attack so that they couldn’t field customers’ calls about outages. Operators were also denied service to their downstream devices when their serial-to-ethernet converters had their firmware overwritten, which bricked the devices. 37
ics T0816 Device Restart/Shutdown During the 2015 Ukraine Electric Power Attack, Sandworm Team scheduled the uninterruptible power supplies (UPS) to shut down data and telephone servers via the UPS management interface. 3738
ics T0819 Exploit Public-Facing Application Sandworm Team actors exploited vulnerabilities in GE’s Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet. 35 34
ics T0822 External Remote Services During the 2015 Ukraine Electric Power Attack, Sandworm Team used Valid Accounts taken from the Windows Domain Controller to access the control system Virtual Private Network (VPN) used by grid operators. 38
ics T0823 Graphical User Interface During the 2015 Ukraine Electric Power Attack, Sandworm Team utilized HMI GUIs in the SCADA environment to open breakers. 37
ics T0867 Lateral Tool Transfer During the 2015 Ukraine Electric Power Attack, Sandworm Team moved their tools laterally within the ICS network. 38
ics T0826 Loss of Availability During the 2015 Ukraine Electric Power Attack, Sandworm Team opened the breakers at the infected sites, shutting the power off for thousands of businesses and households for around 6 hours. 3738
ics T0827 Loss of Control During the 2015 Ukraine Electric Power Attack, operators were shut out of their equipment either through the denial of peripheral use or the degradation of equipment. Operators were therefore unable to recover from the incident through their traditional means. Much of the power was restored manually. 37
ics T0828 Loss of Productivity and Revenue During the 2015 Ukraine Electric Power Attack, power breakers were opened which caused the operating companies to be unable to deliver power, and left thousands of businesses and households without power for around 6 hours. 3738
ics T0831 Manipulation of Control During the 2015 Ukraine Electric Power Attack, Sandworm Team opened live breakers via remote commands to the HMI, causing blackouts. 37
ics T0849 Masquerading During the 2016 Ukraine Electric Power Attack, Sandworm Team transferred executable files as .txt and then renamed them to .exe, likely to avoid detection through extension tracking.18
ics T0886 Remote Services During the 2015 Ukraine Electric Power Attack, Sandworm Team used IT helpdesk software to move the mouse on ICS control devices and maliciously open circuit breakers. 40
ics T0846 Remote System Discovery During the 2015 Ukraine Electric Power Attack, Sandworm Team remotely discovered operational assets once on the OT network. 39 38
ics T0853 Scripting During the 2016 Ukraine Electric Power Attack, Sandworm Team utilized VBS and batch scripts for file movement and as wrappers for PowerShell execution.18
ics T0894 System Binary Proxy Execution During the 2022 Ukraine Electric Power Attack, Sandworm Team executed a MicroSCADA application binary scilc.exe to send a predefined list of SCADA instructions specified in a file defined by the adversary, s1.txt. The executed command C:\sc\prog\exec\scilc.exe -do pack\scil\s1.txt leverages the SCADA software to send unauthorized command messages to remote substations.30
ics T0857 System Firmware During the 2015 Ukraine Electric Power Attack, Sandworm Team overwrote the serial-to-ethernet gateways with custom firmware, leaving the devices disabled, shut down, or unrecoverable. 37
ics T0855 Unauthorized Command Message During the 2015 Ukraine Electric Power Attack, Sandworm Team issued unauthorized commands to substation breakers after gaining control of operator workstations and accessing a distribution management system (DMS) application. 37
ics T0859 Valid Accounts During the 2015 Ukraine Electric Power Attack, Sandworm Team used valid accounts to laterally move through VPN connections and dual-homed systems. Sandworm Team used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications. 3738
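
Several rows above describe command lines that are easy to key detections to: T1490 (wbadmin delete catalog, vssadmin delete shadows), T1003.001 and T1003.003 (comsvcs.dll and ntdsutil), T1021.002 (net use against ADMIN$) and the ICS row T0894 (scilc.exe -do with an adversary-supplied file). The following is an added example, not code from this ATT&CK page or from any Sandworm tooling: a small detection pass over process-creation events that tags each match with its ATT&CK ID. The tab-separated record format and the event lines are constructed here; the comsvcs.dll MiniDump and ntdsutil "ifm" command shapes are assumptions about how those tools are commonly invoked (the page only names the tools), while the wbadmin, vssadmin and scilc.exe commands are the ones quoted on the page. In a real pipeline the fields would come from Sysmon Event ID 1 or Windows Security event 4688.

```python
"""
Added example (not from the ATT&CK page): command-line detection keyed to
ATT&CK IDs for behaviours attributed to Sandworm Team. Records and regexes
are constructed for illustration; tune before production use.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# (ATT&CK ID, short name, pattern applied to the lower-cased command line)
RULES = [
    ("T1490", "wbadmin delete catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b")),
    ("T1490", "vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    # Assumed invocation shape: rundll32 comsvcs.dll, MiniDump <pid> <file> full
    ("T1003.001", "LSASS dump via comsvcs.dll MiniDump",
     re.compile(r"\brundll32(\.exe)?\b.*\bcomsvcs\.dll\b.*\bminidump\b")),
    # Assumed invocation shape: ntdsutil "ac i ntds" "ifm" "create full <dir>"
    ("T1003.003", "NTDS copy via ntdsutil ifm",
     re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b")),
    ("T1021.002", "net use to ADMIN$",
     re.compile(r"\bnet1?(\.exe)?\s+use\s+\\\\[^\s\\]+\\admin\$")),
    ("T0894", "MicroSCADA scilc.exe -do with adversary file",
     re.compile(r"\bscilc\.exe\b.*\s-do\s")),
]


@dataclass(frozen=True)
class Hit:
    technique: str
    name: str
    ts: str
    host: str
    user: str
    command_line: str


def parse_event(line: str) -> dict[str, str]:
    """Constructed record format: ts, host, user, parent image, command line (tab-separated)."""
    ts, host, user, parent, cmd = line.rstrip("\n").split("\t", 4)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}


def match_rules(event: dict[str, str]) -> list[Hit]:
    """Apply every rule to one event; a single command line may hit several IDs."""
    cmd = event["cmd"].lower()
    return [Hit(tid, name, event["ts"], event["host"], event["user"], event["cmd"])
            for tid, name, pattern in RULES if pattern.search(cmd)]


def scan(lines) -> list[Hit]:
    """Scan an iterable of record lines and return all hits in input order."""
    hits: list[Hit] = []
    for line in lines:
        if line.strip():
            hits.extend(match_rules(parse_event(line)))
    return hits


# Constructed sample events: five that should fire, one benign notepad launch.
SAMPLE_EVENTS = """\
2022-10-11T14:02:11Z\tfs01\tCORP\\svc_deploy\tC:\\Windows\\System32\\cmd.exe\tC:\\Windows\\System32\\wbadmin.exe delete catalog -quiet
2022-10-11T14:02:12Z\tfs01\tCORP\\svc_deploy\tC:\\Windows\\System32\\cmd.exe\tC:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
2022-10-11T13:40:05Z\tdc01\tCORP\\Administrator\tC:\\Windows\\System32\\cmd.exe\tntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\x" q q
2022-10-11T13:41:30Z\tdc01\tCORP\\Administrator\tC:\\Windows\\System32\\cmd.exe\trundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\temp\\l.dmp full
2022-10-11T13:50:00Z\tws07\tCORP\\jdoe\tC:\\Windows\\System32\\cmd.exe\tnet use \\\\fs01\\ADMIN$ /user:CORP\\Administrator *
2022-10-10T22:15:44Z\tscada-srv\tSCADA\\operator\tC:\\Windows\\System32\\wscript.exe\tC:\\sc\\prog\\exec\\scilc.exe -do pack\\scil\\s1.txt
2022-10-11T09:00:00Z\tws07\tCORP\\jdoe\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\notepad.exe C:\\Users\\jdoe\\notes.txt
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{h.ts} {h.host} {h.user} [{h.technique}] {h.name}: {h.command_line}")
```

The rules are deliberately narrow string matches on the command line; legitimate backup jobs also run vssadmin delete shadows, so in practice the T1490 hits should be correlated with the parent image and the account that ran them before they are escalated.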
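
The T1543.002 and T1036.004 rows describe GOGETTER persisting as a systemd service unit with WantedBy=multi-user.target and a name chosen to look like a legitimate service. The following is an added example, not code from this ATT&CK page or from GOGETTER: an audit that parses unit files, finds those enabled into multi-user.target, and flags an ExecStart binary that lives outside packaged-software paths or that does not match the binary a well-known unit name is expected to run. The unit texts, the trusted path prefixes and the expected-binary map are all constructed for illustration and should be tuned per site.

```python
"""
Added example (not from the ATT&CK page): audit systemd service units for
boot-time persistence and name masquerading. All sample data is constructed.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

# Assumption: distribution packages install daemons under these prefixes.
# Anything else (including /usr/local and /opt) is reported for review.
PACKAGED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                     "/bin/", "/sbin/", "/lib/")
# World-writable or user-owned locations where a dropped binary typically lands.
SCRATCH_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
# Constructed sample map: unit name -> binary that unit is expected to run.
EXPECTED_EXEC = {
    "sshd.service": "/usr/sbin/sshd",
    "cron.service": "/usr/sbin/cron",
}


@dataclass(frozen=True)
class Finding:
    unit: str
    reason: str
    path: str


def parse_unit(text: str) -> dict[str, list[tuple[str, str]]]:
    """Minimal unit-file parser: section -> ordered (key, value) pairs.
    Keeps duplicate keys (ExecStartPre= may repeat) and is case-sensitive,
    which configparser is not."""
    sections: dict[str, list[tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def exec_start_paths(unit: dict[str, list[tuple[str, str]]]) -> list[str]:
    """First token of each ExecStart=, minus systemd's '-', '@', '+', '!', ':' prefixes."""
    return [v.split()[0].lstrip("-@+!:")
            for k, v in unit.get("Service", []) if k == "ExecStart" and v]


def starts_at_boot(unit: dict[str, list[tuple[str, str]]]) -> bool:
    """True when the unit is wanted by multi-user.target (the case on the page)."""
    return any("multi-user.target" in v.split()
               for k, v in unit.get("Install", []) if k == "WantedBy")


def audit_unit(path: str, text: str) -> list[Finding]:
    name = os.path.basename(path)
    unit = parse_unit(text)
    execs = exec_start_paths(unit)
    findings: list[Finding] = []
    # Masquerade check (T1036.004): a unit named like a known service must run that service's binary.
    expected = EXPECTED_EXEC.get(name)
    for p in execs:
        if expected and p != expected:
            findings.append(Finding(name, "masquerade-name", p))
    # Persistence check (T1543.002) only matters for units that start at boot.
    if not starts_at_boot(unit):
        return findings
    for p in execs:
        if p.startswith(SCRATCH_PREFIXES):
            findings.append(Finding(name, "exec-in-scratch-dir", p))
        elif not p.startswith(PACKAGED_PREFIXES):
            findings.append(Finding(name, "exec-outside-packaged-paths", p))
    return findings


def audit_all(units: dict[str, str]) -> list[Finding]:
    out: list[Finding] = []
    for path, text in units.items():
        out.extend(audit_unit(path, text))
    return out


# Constructed sample units: one clean, one dropped in /var/tmp, one masquerading as cron,
# and one with an untrusted path but no [Install] section (not boot-enabled).
SAMPLE_UNITS = {
    "/etc/systemd/system/sshd.service": """
[Unit]
Description=OpenBSD Secure Shell server
[Service]
ExecStart=/usr/sbin/sshd -D
[Install]
WantedBy=multi-user.target
""",
    "/etc/systemd/system/network-tunnel.service": """
[Unit]
Description=Network tunnel service
[Service]
ExecStart=/var/tmp/.cache/tunnel -c /var/tmp/.cache/conf
Restart=always
[Install]
WantedBy=multi-user.target
""",
    "/etc/systemd/system/cron.service": """
[Unit]
Description=Regular background program processing daemon
[Service]
ExecStart=/opt/.x/crond -f
[Install]
WantedBy=multi-user.target
""",
    "/usr/lib/systemd/system/dev-tool.service": """
[Unit]
Description=Developer helper, never enabled at boot
[Service]
ExecStart=/home/dev/bin/helper
""",
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_UNITS):
        print(f"{f.unit}: {f.reason} ({f.path})")
```

On a live host the same functions can be fed the contents of /etc/systemd/system and /usr/lib/systemd/system; comparing unit file hashes against the owning package (rpm -V or dpkg -V) is the usual complement, since a unit that a package owns but whose ExecStart has changed is the other shape this persistence takes.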

Software

ID Name References Techniques
S1167 AcidPour AcidPour is associated with Sandworm Team.46 Data Destruction Disk Content Wipe:Disk Wipe File and Directory Discovery File Deletion:Indicator Removal Peripheral Device Discovery System Information Discovery System Shutdown/Reboot
S1125 AcidRain Sandworm Team is linked to AcidRain deployment during the ViaSat KA-SAT incident in 2022.5152 Data Destruction Disk Content Wipe:Disk Wipe File and Directory Discovery System Shutdown/Reboot
S0606 Bad Rabbit 14 Bypass User Account Control:Abuse Elevation Control Mechanism Password Spraying:Brute Force Data Encrypted for Impact Drive-by Compromise Drive-by Compromise Exploitation of Remote Services Exploitation of Remote Services Firmware Corruption Lateral Tool Transfer Loss of Productivity and Revenue Match Legitimate Resource Name or Location:Masquerading Native API Network Share Discovery LSASS Memory:OS Credential Dumping Process Discovery Scheduled Task:Scheduled Task/Job Rundll32:System Binary Proxy Execution Service Execution:System Services Malicious File:User Execution User Execution
S0089 BlackEnergy 54131514 Bypass User Account Control:Abuse Elevation Control Mechanism Web Protocols:Application Layer Protocol Shortcut Modification:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Service:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Data Destruction Fallback Channels File and Directory Discovery Services File Permissions Weakness:Hijack Execution Flow Indicator Removal Clear Windows Event Logs:Indicator Removal Keylogging:Input Capture Network Service Discovery Peripheral Device Discovery Process Discovery Dynamic-link Library Injection:Process Injection SMB/Windows Admin Shares:Remote Services Screen Capture Spearphishing Attachment Standard Application Layer Protocol Code Signing Policy Modification:Subvert Trust Controls System Information Discovery System Network Configuration Discovery System Network Connections Discovery Credentials In Files:Unsecured Credentials Valid Accounts Windows Management Instrumentation
S0693 CaddyWiper 30 Data Destruction Disk Structure Wipe:Disk Wipe File and Directory Discovery Windows File and Directory Permissions Modification:File and Directory Permissions Modification Native API Process Discovery System Information Discovery
S0555 CHEMISTGAMES 56 Web Protocols:Application Layer Protocol Unix Shell:Command and Scripting Interpreter Data from Local System Download New Code at Runtime Asymmetric Cryptography:Encrypted Channel Location Tracking Match Legitimate Name or Location:Masquerading Native API Obfuscated Files or Information Compromise Software Supply Chain:Supply Chain Compromise System Information Discovery
S0154 Cobalt Strike Sandworm Team has used multiple publicly available tools during operations, such as Cobalt Strike.12 Sudo and Sudo Caching:Abuse Elevation Control Mechanism Bypass User Account Control:Abuse Elevation Control Mechanism Parent PID Spoofing:Access Token Manipulation Token Impersonation/Theft:Access Token Manipulation Make and Impersonate Token:Access Token Manipulation Domain Account:Account Discovery DNS:Application Layer Protocol Web Protocols:Application Layer Protocol File Transfer Protocols:Application Layer Protocol BITS Jobs Browser Session Hijacking JavaScript:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Python:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Protocol or Service Impersonation:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Process Argument Spoofing:Hide Artifacts Disable or Modify Tools:Impair Defenses Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Network Service Discovery Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Office Template Macros:Office Application Startup LSASS Memory:OS Credential Dumping Security Account Manager:OS Credential Dumping Domain Groups:Permission Groups Discovery Local Groups:Permission Groups Discovery Process Discovery Dynamic-link Library Injection:Process Injection Process Hollowing:Process Injection Process Injection Protocol Tunneling Domain Fronting:Proxy Internal Proxy:Proxy Query Registry Reflective Code Loading Remote Desktop Protocol:Remote Services SSH:Remote Services Windows Remote Management:Remote Services SMB/Windows Admin Shares:Remote Services Distributed Component Object Model:Remote Services Remote System Discovery Scheduled Transfer Screen Capture Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Pass the Hash:Use Alternate Authentication Material Domain Accounts:Valid Accounts Local Accounts:Valid Accounts Windows Management Instrumentation
S0687 Cyclops Blink 4748
  Techniques: Web Protocols:Application Layer Protocol; RC Scripts:Boot or Logon Initialization Scripts; Non-Standard Encoding:Data Encoding; Data from Local System; Deobfuscate/Decode Files or Information; Asymmetric Cryptography:Encrypted Channel; Exfiltration Over C2 Channel; File and Directory Discovery; Disable or Modify System Firewall:Impair Defenses; Timestomp:Indicator Removal; Ingress Tool Transfer; Inter-Process Communication; Match Legitimate Resource Name or Location:Masquerading; Native API; Non-Standard Port; Component Firmware:Pre-OS Boot; Process Discovery; Protocol Tunneling; Multi-hop Proxy:Proxy; System Information Discovery; System Network Configuration Discovery
S0363 Empire Sandworm Team has used multiple publicly available tools during operations, such as Empire.12
  Techniques: Bypass User Account Control:Abuse Elevation Control Mechanism; SID-History Injection:Access Token Manipulation; Access Token Manipulation; Create Process with Token:Access Token Manipulation; Domain Account:Account Discovery; Local Account:Account Discovery; LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle; Web Protocols:Application Layer Protocol; Archive Collected Data; Automated Collection; Automated Exfiltration; Security Support Provider:Boot or Logon Autostart Execution; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Shortcut Modification:Boot or Logon Autostart Execution; Browser Information Discovery; Clipboard Data; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Command and Scripting Interpreter; Local Account:Create Account; Domain Account:Create Account; Windows Service:Create or Modify System Process; Keychain:Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; Group Policy Modification:Domain or Tenant Policy Modification; Domain Trust Discovery; Local Email Collection:Email Collection; Asymmetric Cryptography:Encrypted Channel; Accessibility Features:Event Triggered Execution; Exfiltration Over C2 Channel; Exfiltration to Code Repository:Exfiltration Over Web Service; Exfiltration to Cloud Storage:Exfiltration Over Web Service; Exploitation for Privilege Escalation; Exploitation of Remote Services; File and Directory Discovery; Group Policy Discovery; Path Interception by Unquoted Path:Hijack Execution Flow; Path Interception by Search Order Hijacking:Hijack Execution Flow; Path Interception by PATH Environment Variable:Hijack Execution Flow; Dylib Hijacking:Hijack Execution Flow; DLL:Hijack Execution Flow; Timestomp:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Credential API Hooking:Input Capture; Native API; Network Service Discovery; Network Share Discovery; Network Sniffing; Command Obfuscation:Obfuscated Files or Information; LSASS Memory:OS Credential Dumping; Process Discovery; Process Injection; Distributed Component Object Model:Remote Services; SSH:Remote Services; Scheduled Task:Scheduled Task/Job; Screen Capture; Security Software Discovery:Software Discovery; Kerberoasting:Steal or Forge Kerberos Tickets; Golden Ticket:Steal or Forge Kerberos Tickets; Silver Ticket:Steal or Forge Kerberos Tickets; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; Service Execution:System Services; MSBuild:Trusted Developer Utilities Proxy Execution; Credentials In Files:Unsecured Credentials; Private Keys:Unsecured Credentials; Pass the Hash:Use Alternate Authentication Material; Video Capture; Bidirectional Communication:Web Service; Windows Management Instrumentation
S0401 Exaramel for Linux 4523
  Techniques: Setuid and Setgid:Abuse Elevation Control Mechanism; Web Protocols:Application Layer Protocol; Unix Shell:Command and Scripting Interpreter; Create or Modify System Process; Systemd Service:Create or Modify System Process; Deobfuscate/Decode Files or Information; Fallback Channels; File Deletion:Indicator Removal; Ingress Tool Transfer; Encrypted/Encoded File:Obfuscated Files or Information; Cron:Scheduled Task/Job; System Owner/User Discovery
S0343 Exaramel for Windows 45
  Techniques: Archive Collected Data; Visual Basic:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Local Data Staging:Data Staged; Masquerade Task or Service:Masquerading; Modify Registry; Fileless Storage:Obfuscated Files or Information
S0342 GreyEnergy 14
  Techniques: Web Protocols:Application Layer Protocol; Windows Command Shell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Asymmetric Cryptography:Encrypted Channel; Symmetric Cryptography:Encrypted Channel; File Deletion:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Software Packing:Obfuscated Files or Information; Encrypted/Encoded File:Obfuscated Files or Information; LSASS Memory:OS Credential Dumping; Portable Executable Injection:Process Injection; Multi-hop Proxy:Proxy; Code Signing:Subvert Trust Controls; Rundll32:System Binary Proxy Execution; System Service Discovery
S0357 Impacket 8
  Techniques: LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle; Lateral Tool Transfer; Network Sniffing; NTDS:OS Credential Dumping; LSASS Memory:OS Credential Dumping; Security Account Manager:OS Credential Dumping; LSA Secrets:OS Credential Dumping; Kerberoasting:Steal or Forge Kerberos Tickets; Ccache Files:Steal or Forge Kerberos Tickets; Service Execution:System Services; Windows Management Instrumentation
S0604 Industroyer 1841425312
  Techniques: Activate Firmware Update Mode; Web Protocols:Application Layer Protocol; Automated Collection; Block Command Message; Block Reporting Message; Block Serial COM; Brute Force I/O; Command-Line Interface; Compromise Host Software Binary; Connection Proxy; Windows Service:Create or Modify System Process; Data Destruction; Data Destruction; Denial of Control; Denial of Service; Denial of View; Deobfuscate/Decode Files or Information; Device Restart/Shutdown; Application or System Exploitation:Endpoint Denial of Service; Exfiltration Over C2 Channel; File and Directory Discovery; Ingress Tool Transfer; Loss of Control; Loss of Protection; Loss of View; Manipulation of Control; Manipulation of View; Monitor Process State; Network Connection Enumeration; Network Service Discovery; Obfuscated Files or Information; Protocol Tunneling; Multi-hop Proxy:Proxy; Query Registry; Remote System Discovery; Remote System Discovery; Remote System Information Discovery; Service Stop; Service Stop; System Information Discovery; System Network Configuration Discovery; Unauthorized Command Message; Valid Accounts
S1072 Industroyer2 5412
  Techniques: Automated Collection; Brute Force I/O; Modify Parameter; Monitor Process State; Process Discovery; Remote System Information Discovery; Service Stop; Unauthorized Command Message
S0231 Invoke-PSImage 13
  Techniques: Steganography:Obfuscated Files or Information; Embedded Payloads:Obfuscated Files or Information
S1190 Kapeka Kapeka is associated with Sandworm Team operations and previous malware variants such as GreyEnergy.4950
  Techniques: Web Protocols:Application Layer Protocol; Windows Command Shell:Command and Scripting Interpreter; Standard Encoding:Data Encoding; Deobfuscate/Decode Files or Information; Clear Persistence:Indicator Removal; Masquerade File Type:Masquerading; Modify Registry; Native API; Encrypted/Encoded File:Obfuscated Files or Information; Proxy; Query Registry; Scheduled Task:Scheduled Task/Job; Rundll32:System Binary Proxy Execution; System Information Discovery
S0607 KillDisk 1314
  Techniques: Access Token Manipulation; Data Destruction; Data Destruction; Data Encrypted for Impact; Disk Structure Wipe:Disk Wipe; File and Directory Discovery; Clear Windows Event Logs:Indicator Removal; File Deletion:Indicator Removal; Indicator Removal on Host; Local Storage Discovery; Loss of View; Masquerade Task or Service:Masquerading; Native API; Obfuscated Files or Information; Process Discovery; Service Stop; Service Stop; Shared Modules; System Shutdown/Reboot
S0002 Mimikatz 18
  Techniques: SID-History Injection:Access Token Manipulation; Account Manipulation; Security Support Provider:Boot or Logon Autostart Execution; Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; Windows Credential Manager:Credentials from Password Stores; DCSync:OS Credential Dumping; Security Account Manager:OS Credential Dumping; LSASS Memory:OS Credential Dumping; LSA Secrets:OS Credential Dumping; Rogue Domain Controller; Steal or Forge Authentication Certificates; Golden Ticket:Steal or Forge Kerberos Tickets; Silver Ticket:Steal or Forge Kerberos Tickets; Private Keys:Unsecured Credentials; Pass the Hash:Use Alternate Authentication Material; Pass the Ticket:Use Alternate Authentication Material
S1189 Neo-reGeorg 30
  Techniques: Web Protocols:Application Layer Protocol; Python:Command and Scripting Interpreter; Non-Standard Encoding:Data Encoding; Ingress Tool Transfer; Non-Application Layer Protocol; Protocol Tunneling; Proxy; Web Shell:Server Software Component
S0039 Net 18
  Techniques: Domain Account:Account Discovery; Local Account:Account Discovery; Additional Local or Domain Groups:Account Manipulation; Local Account:Create Account; Domain Account:Create Account; Network Share Connection Removal:Indicator Removal; Network Share Discovery; Password Policy Discovery; Domain Groups:Permission Groups Discovery; Local Groups:Permission Groups Discovery; SMB/Windows Admin Shares:Remote Services; Remote System Discovery; System Network Connections Discovery; System Service Discovery; Service Execution:System Services; System Time Discovery
S0368 NotPetya 101315144812
  Techniques: Data Encrypted for Impact; Exploitation of Remote Services; Exploitation of Remote Services; File and Directory Discovery; Clear Windows Event Logs:Indicator Removal; Lateral Tool Transfer; Loss of Productivity and Revenue; Masquerading; LSASS Memory:OS Credential Dumping; SMB/Windows Admin Shares:Remote Services; Scheduled Task:Scheduled Task/Job; Security Software Discovery:Software Discovery; Rundll32:System Binary Proxy Execution; Service Execution:System Services; System Shutdown/Reboot; Local Accounts:Valid Accounts; Windows Management Instrumentation
S0365 Olympic Destroyer 551413154812
  Techniques: Credentials from Web Browsers:Credentials from Password Stores; Data Destruction; Clear Windows Event Logs:Indicator Removal; Inhibit System Recovery; Lateral Tool Transfer; Network Share Discovery; LSASS Memory:OS Credential Dumping; SMB/Windows Admin Shares:Remote Services; Remote System Discovery; Service Stop; System Network Configuration Discovery; Service Execution:System Services; System Shutdown/Reboot; Windows Management Instrumentation
S0598 P.A.S. Webshell 23
  Techniques: Local Account:Account Discovery; Web Protocols:Application Layer Protocol; Password Guessing:Brute Force; Command and Scripting Interpreter; Databases:Data from Information Repositories; Data from Local System; Deobfuscate/Decode Files or Information; File and Directory Discovery; Linux and Mac File and Directory Permissions Modification:File and Directory Permissions Modification; File Deletion:Indicator Removal; Ingress Tool Transfer; Network Service Discovery; Obfuscated Files or Information; Web Shell:Server Software Component; Software Discovery
S0378 PoshC2 Sandworm Team has used multiple publicly available tools during operations, such as PoshC2.12
  Techniques: Bypass User Account Control:Abuse Elevation Control Mechanism; Create Process with Token:Access Token Manipulation; Access Token Manipulation; Local Account:Account Discovery; Domain Account:Account Discovery; LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle; Web Protocols:Application Layer Protocol; Archive via Utility:Archive Collected Data; Automated Collection; Brute Force; Credentials from Password Stores; Domain Trust Discovery; Windows Management Instrumentation Event Subscription:Event Triggered Execution; Exploitation for Privilege Escalation; Exploitation of Remote Services; File and Directory Discovery; Keylogging:Input Capture; Network Service Discovery; Network Sniffing; LSASS Memory:OS Credential Dumping; Password Policy Discovery; Local Groups:Permission Groups Discovery; Process Injection; Proxy; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; Service Execution:System Services; Credentials In Files:Unsecured Credentials; Pass the Hash:Use Alternate Authentication Material; Windows Management Instrumentation
S1058 Prestige 812
  Techniques: PowerShell:Command and Scripting Interpreter; Data Encrypted for Impact; Group Policy Modification:Domain or Tenant Policy Modification; File and Directory Discovery; Inhibit System Recovery; Modify Registry; Native API; Scheduled Task:Scheduled Task/Job; Service Stop
S0029 PsExec 18
  Techniques: Domain Account:Create Account; Windows Service:Create or Modify System Process; Lateral Tool Transfer; SMB/Windows Admin Shares:Remote Services; Service Execution:System Services
S0195 SDelete Sandworm Team has used SDelete for wartime operations in 2022-2023.12
  Techniques: Data Destruction; File Deletion:Indicator Removal
S1010 VPNFilter VPNFilter is associated with Sandworm Team operations based on reporting on VPNFilter replacement software, Cyclops Blink.47
  Techniques: Adversary-in-the-Middle; Disk Content Wipe:Disk Wipe; Network Sniffing

References


  1. Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024. 

  2. Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.

  3. Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020. 

  4. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. 

  5. Hultquist, J. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.

  6. Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018. 

  7. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.

  8. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023. 

  9. Muncaster, P. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017.

  10. NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020. 

  11. Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved September 12, 2024. 

  12. Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024. 

  13. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.

  14. Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020. 

  15. UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games. Retrieved November 30, 2020.

  16. Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.

  17. Joseph Slowik, DomainTools. (2021, March 3). Centreon to Exim and Back: On the Trail of Sandworm. Retrieved April 6, 2024. 

  18. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020. 

  19. Li, H. (2013, November 5). McAfee Labs Detects Zero-Day Exploit Targeting Microsoft Office. Retrieved June 18, 2020. 

  20. Ward, S.. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved November 17, 2024. 

  21. Wu, W. (2014, October 14). An Analysis of Windows Zero-day Vulnerability ‘CVE-2014-4114’ aka “Sandworm”. Retrieved June 18, 2020. 

  22. National Security Agency. (2020, March 28). Sandworm Actors Exploiting Vulnerability In EXIM Mail Transfer Agent. Retrieved March 1, 2024. 

  23. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021. 

  24. Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved June 10, 2020.

  25. Cherepanov, A. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.

  26. US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved June 10, 2020. 

  27. Morgan, K. (2023, October 18). Government-backed actors exploiting WinRAR vulnerability. Retrieved July 19, 2024. 

  28. Cherepanov, A. (2017, July 4). Analysis of TeleBots’ cunning backdoor. Retrieved June 11, 2020.

  29. Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024. 

  30. Counter Threat Research Team. (2017, June 28). NotPetya Campaign: What We Know About the Latest Global Ransomware Attack. Retrieved June 11, 2020. 

  31. Black, D. (2025, February 19). Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger. Retrieved April 30, 2025. 

  32. Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019.

  33. ICS CERT. (2018, September 6). Advantech/Broadwin WebAccess RPC Vulnerability (Update B). Retrieved December 5, 2019.

  34. ICS-CERT. (2014, December 10). ICS Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS (Update E). Retrieved October 11, 2019.

  35. Dragos Inc. (2017, June 13). Industroyer - Dragos - 201706: Analysis of the Threat to Electric Grid Operations. Retrieved September 18, 2017.

  36. Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case. Retrieved March 27, 2018.

  37. Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024. 

  38. Charles McLellan. (2016, March 4). How hackers attacked Ukraine’s power grid: Implications for Industrial IoT security. Retrieved September 27, 2023. 

  39. Andy Greenberg. (2017, June 28). How an Entire Nation Became Russia’s Test Lab for Cyberwar. Retrieved September 27, 2023. 

  40. Dragos Inc. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.

  41. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved December 18, 2020.

  42. Joe Slowik. (2019, August 15). CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack. Retrieved October 22, 2019.

  43. Dragos, Inc. (2023, December 11). ELECTRUM Targeted Ukrainian Electric Entity Using Custom Tools and CaddyWiper Malware, October 2022. Retrieved March 28, 2024.

  44. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018. 

  45. Juan Andrés Guerrero-Saade & Tom Hegel. (2024, March 21). AcidPour | New Embedded Wiper Variant of AcidRain Appears in Ukraine. Retrieved November 25, 2024. 

  46. Microsoft. (2024, February 14). Backdoor:Win64/KnuckleTouch.A!dha. Retrieved January 6, 2025. 

  47. Mohammad Kazem Hassan Nejad, WithSecure. (2024, April 17). KAPEKA A novel backdoor spotted in Eastern Europe. Retrieved January 6, 2025. 

  48. A.J. Vincens, CyberScoop. (2024, March 18). Researchers spot updated version of malware that hit Viasat. Retrieved March 25, 2024. 

  49. Juan Andres Guerrero-Saade and Max van Amerongen, SentinelOne. (2022, March 31). AcidRain | A Modem Wiper Rains Down on Europe. Retrieved March 25, 2024. 

  50. Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020. 

  51. ESET. (2022, April 12). Industroyer2: Industroyer reloaded. Retrieved March 30, 2023. 

  52. CrowdStrike. (2019, January). 2019 Global Threat Report. Retrieved June 10, 2020. 

  53. B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.