G0034 Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[9][11] This group has been active since at least 2009.[4][5][8][7]

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[9][11] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[1]

Item Value
ID G0034
Associated Names ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, VOODOO BEAR
Version 2.2
Created 31 May 2017
Last Modified 14 April 2022

Associated Group Descriptions

Name Description
ELECTRUM [2][11]
Telebots [7][9][11]
IRON VIKING [10][9][11]
BlackEnergy (Group) [7][11]
Quedagh [4][3][11]
VOODOO BEAR [5][9][11]

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.[12]
enterprise T1087.003 Email Account Sandworm Team used malware to enumerate email settings, including usernames and passwords, from the M.E.Doc application.[19]
enterprise T1098 Account Manipulation Sandworm Team used the sp_addlinkedsrvlogin command in MS-SQL to create a link between a created account and other servers in the network.[15]
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains Sandworm Team has registered domain names and created URLs that are often designed to mimic or spoof legitimate websites, such as email login pages, online file sharing and storage websites, and password reset pages.[9]
enterprise T1583.004 Server Sandworm Team has leased servers from resellers instead of leasing infrastructure directly from hosting companies to enable its operations.[9]
enterprise T1595 Active Scanning -
enterprise T1595.002 Vulnerability Scanning Sandworm Team has scanned network infrastructure for vulnerabilities as part of its operational planning.[9]
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Sandworm Team’s BCS-server tool connects to the designated C2 server via HTTP.[12]
enterprise T1110 Brute Force -
enterprise T1110.003 Password Spraying Sandworm Team has used a script to attempt RPC authentication against a number of hosts.[15]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Sandworm Team has used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.[9][15]
enterprise T1059.003 Windows Command Shell Sandworm Team has run the xp_cmdshell command in MS-SQL.[15]
enterprise T1059.005 Visual Basic Sandworm Team has created VBScripts to run an SSH server.[16][12][13][15]
enterprise T1584 Compromise Infrastructure -
enterprise T1584.005 Botnet Sandworm Team has used a large-scale botnet to target Small Office/Home Office (SOHO) network devices.[14]
enterprise T1136 Create Account Sandworm Team added a login to a SQL Server with sp_addlinkedsrvlogin.[15]
enterprise T1136.002 Domain Account Sandworm Team has created new domain accounts on an ICS access server.[15]
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers Sandworm Team’s CredRaptor tool can collect saved passwords from various internet browsers.[12]
enterprise T1485 Data Destruction Sandworm Team has used the BlackEnergy KillDisk component to overwrite files on Windows-based Human-Machine Interfaces.[18][13]
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Sandworm Team’s BCS-server tool uses base64 encoding and HTML tags for the communication traffic between the C2 server.[12]
enterprise T1005 Data from Local System Sandworm Team has exfiltrated internal documents, files, and other data from compromised hosts.[9]
enterprise T1491 Defacement -
enterprise T1491.002 External Defacement Sandworm Team defaced approximately 15,000 websites belonging to Georgian government, non-government, and private sector organizations in 2019.[9][11]
enterprise T1140 Deobfuscate/Decode Files or Information Sandworm Team’s VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group also decrypted received information using the Triple DES algorithm and decompressed it using GZip.[12][19]
enterprise T1587 Develop Capabilities -
enterprise T1587.001 Malware Sandworm Team has developed malware for its operations, including malicious mobile applications and destructive malware such as NotPetya and Olympic Destroyer.[9]
enterprise T1561 Disk Wipe -
enterprise T1561.002 Disk Structure Wipe Sandworm Team has used the BlackEnergy KillDisk component to corrupt the infected system’s master boot record.[18][13]
enterprise T1499 Endpoint Denial of Service Sandworm Team temporarily disrupted service to Georgian government, non-government, and private sector websites after compromising a Georgian web hosting provider in 2019.[9]
enterprise T1585 Establish Accounts -
enterprise T1585.001 Social Media Accounts Sandworm Team has established social media accounts to disseminate victim internal-only documents and other sensitive data.[9]
enterprise T1585.002 Email Accounts Sandworm Team has created email accounts that mimic legitimate organizations for its spearphishing operations.[9]
enterprise T1041 Exfiltration Over C2 Channel Sandworm Team has sent system information to its C2 server using HTTP.[12]
enterprise T1203 Exploitation for Client Execution Sandworm Team has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and Microsoft Word via crafted TIFF images (CVE-2013-3906).[17][21][22]
enterprise T1133 External Remote Services Sandworm Team has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. Sandworm Team has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company’s users.[16][13][20]
enterprise T1083 File and Directory Discovery Sandworm Team has enumerated files on a compromised host.[9][15]
enterprise T1592 Gather Victim Host Information -
enterprise T1592.002 Software Sandworm Team has researched software code to enable supply-chain operations, most notably for the 2017 NotPetya attack. Sandworm Team also collected a list of computers using specific software as part of its targeting efforts.[9]
enterprise T1589 Gather Victim Identity Information -
enterprise T1589.002 Email Addresses Sandworm Team has obtained valid email addresses while conducting research against target organizations that were subsequently used in spearphishing campaigns.[9]
enterprise T1589.003 Employee Names Sandworm Team’s research of potential victim organizations included the identification and collection of employee information.[9]
enterprise T1590 Gather Victim Network Information -
enterprise T1590.001 Domain Properties Sandworm Team conducted technical reconnaissance of the Parliament of Georgia’s official internet domain prior to its 2019 attack.[9]
enterprise T1591 Gather Victim Org Information -
enterprise T1591.002 Business Relationships In preparation for its attack against the 2018 Winter Olympics, Sandworm Team conducted online research of partner organizations listed on an official PyeongChang Olympics partnership site.[9]
enterprise T1562 Impair Defenses -
enterprise T1562.002 Disable Windows Event Logging Sandworm Team has disabled event logging on compromised systems.[15]
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion Sandworm Team has used backdoors that can delete files used in an attack from an infected system.[12][19]
enterprise T1105 Ingress Tool Transfer Sandworm Team has pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.[12][9]
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.[12]
enterprise T1570 Lateral Tool Transfer Sandworm Team has used move to transfer files to a network share.[15]
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Sandworm Team has avoided detection by naming a malicious binary explorer.exe.[12][9]
enterprise T1040 Network Sniffing Sandworm Team has used intercepter-NG to sniff passwords in network traffic.[12]
enterprise T1571 Non-Standard Port Sandworm Team has used port 6789 to accept connections on the group’s SSH server.[16]
enterprise T1027 Obfuscated Files or Information Sandworm Team has used Base64 encoding within malware variants. Sandworm Team has also used ROT13 encoding, AES encryption and compression with the zlib library for their Python-based backdoor.[17][12]
enterprise T1027.002 Software Packing Sandworm Team used UPX to pack a copy of Mimikatz.[15]
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Sandworm Team has acquired open-source tools for some of its operations; for example, it acquired Invoke-PSImage to establish an encrypted channel from a compromised host to Sandworm Team’s C2 server as part of its preparation for the 2018 Winter Olympics attack.[9]
enterprise T1588.006 Vulnerabilities In 2017, Sandworm Team conducted technical research related to vulnerabilities associated with websites used by the Korean Sport and Olympic Committee, a Korean power company, and a Korean airport.[9]
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Sandworm Team’s plainpwd tool is a modified version of Mimikatz and dumps Windows credentials from system memory.[12][13]
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Sandworm Team has delivered malicious Microsoft Office attachments via spearphishing emails.[17][18][12][9]
enterprise T1566.002 Spearphishing Link Sandworm Team has crafted phishing emails containing malicious hyperlinks.[9]
enterprise T1598 Phishing for Information -
enterprise T1598.003 Spearphishing Link Sandworm Team has crafted spearphishing emails with hyperlinks designed to trick unwitting recipients into revealing their account credentials.[9]
enterprise T1090 Proxy Sandworm Team’s BCS-server tool can create an internal proxy server to redirect traffic from the adversary-controlled C2 to internal servers which may not be connected to the internet, but are interconnected locally.[12]
enterprise T1219 Remote Access Software Sandworm Team has used remote administration tools or remote industrial control system client software to maliciously release electricity breakers.[18]
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares Sandworm Team has run net use to connect to network shares.[15]
enterprise T1018 Remote System Discovery Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about computers listed in AD.[12][15]
enterprise T1593 Search Open Websites/Domains Sandworm Team researched Ukraine’s unique legal entity identifier (called an “EDRPOU” number), including running queries on the EDRPOU website, in preparation for the NotPetya attack. Sandworm Team has also researched third-party websites to help it craft credible spearphishing emails.[9]
enterprise T1594 Search Victim-Owned Websites Sandworm Team has conducted research against potential victim websites as part of its operational planning.[9]
enterprise T1505 Server Software Component -
enterprise T1505.001 SQL Stored Procedures Sandworm Team has used various MS-SQL stored procedures.[15]
enterprise T1505.003 Web Shell Sandworm Team has used webshells including P.A.S. Webshell to maintain access to victim networks.[20]
enterprise T1195 Supply Chain Compromise -
enterprise T1195.002 Compromise Software Supply Chain Sandworm Team has distributed NotPetya by compromising the legitimate Ukrainian accounting software M.E.Doc and replacing a legitimate software update with a malicious one.[23][13][9]
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe.[19]
enterprise T1082 System Information Discovery Sandworm Team used a backdoor to enumerate information about the infected system’s operating system.[19][9]
enterprise T1016 System Network Configuration Discovery Sandworm Team checks for connectivity to other resources in the network.[15]
enterprise T1049 System Network Connections Discovery Sandworm Team has gathered user, IP address, and server data related to RDP sessions on a compromised host. It has also accessed network diagram files useful for understanding how a host’s network was configured.[9][15]
enterprise T1033 System Owner/User Discovery Sandworm Team has collected the username from a compromised host.[9]
enterprise T1199 Trusted Relationship Sandworm Team has used dedicated network connections from one victim organization to gain unauthorized access to a separate organization.[9]
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Sandworm Team has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.[9]
enterprise T1204.002 Malicious File Sandworm Team has tricked unwitting recipients into clicking on spearphishing attachments and enabling malicious macros embedded within files.[12][9]
enterprise T1078 Valid Accounts Sandworm Team has used previously acquired legitimate credentials prior to attacks.[18]
enterprise T1078.002 Domain Accounts Sandworm Team has used stolen credentials to access administrative accounts within the domain.[9]
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication Sandworm Team has used the Telegram Bot API from Telegram Messenger to send and receive commands to its Python backdoor. Sandworm Team also used legitimate M.E.Doc software update check requests for sending and receiving commands and hosted malicious payloads on putdrive.com.[12][13]
enterprise T1047 Windows Management Instrumentation Sandworm Team has used VBScript to run WMI queries.[15]

Software

ID Name References Techniques
S0606 Bad Rabbit [10] Bypass User Account Control:Abuse Elevation Control Mechanism Password Spraying:Brute Force Data Encrypted for Impact Drive-by Compromise Exploitation of Remote Services Firmware Corruption Match Legitimate Name or Location:Masquerading Native API Network Share Discovery LSASS Memory:OS Credential Dumping Process Discovery Scheduled Task:Scheduled Task/Job Rundll32:System Binary Proxy Execution Service Execution:System Services Malicious File:User Execution
S0089 BlackEnergy - Bypass User Account Control:Abuse Elevation Control Mechanism Web Protocols:Application Layer Protocol Shortcut Modification:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Service:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Data Destruction Fallback Channels File and Directory Discovery Services File Permissions Weakness:Hijack Execution Flow Indicator Removal on Host Clear Windows Event Logs:Indicator Removal on Host Keylogging:Input Capture Network Service Discovery Peripheral Device Discovery Process Discovery Dynamic-link Library Injection:Process Injection SMB/Windows Admin Shares:Remote Services Screen Capture Code Signing Policy Modification:Subvert Trust Controls System Information Discovery System Network Configuration Discovery System Network Connections Discovery Credentials In Files:Unsecured Credentials Windows Management Instrumentation
S0555 CHEMISTGAMES - Command-Line Interface Data from Local System Deliver Malicious App via Authorized App Store Download New Code at Runtime Location Tracking Masquerade as Legitimate Application Native Code Obfuscated Files or Information Standard Application Layer Protocol Standard Cryptographic Protocol Supply Chain Compromise System Information Discovery
S0687 Cyclops Blink - Web Protocols:Application Layer Protocol RC Scripts:Boot or Logon Initialization Scripts Non-Standard Encoding:Data Encoding Data from Local System Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel File and Directory Discovery Disable or Modify System Firewall:Impair Defenses Timestomp:Indicator Removal on Host Ingress Tool Transfer Inter-Process Communication Match Legitimate Name or Location:Masquerading Native API Non-Standard Port Component Firmware:Pre-OS Boot Process Discovery Protocol Tunneling Multi-hop Proxy:Proxy System Information Discovery System Network Configuration Discovery
S0401 Exaramel for Linux - Setuid and Setgid:Abuse Elevation Control Mechanism Web Protocols:Application Layer Protocol Unix Shell:Command and Scripting Interpreter Create or Modify System Process Systemd Service:Create or Modify System Process Deobfuscate/Decode Files or Information Fallback Channels File Deletion:Indicator Removal on Host Ingress Tool Transfer Obfuscated Files or Information Cron:Scheduled Task/Job System Owner/User Discovery
S0343 Exaramel for Windows - Archive Collected Data Visual Basic:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Local Data Staging:Data Staged Masquerade Task or Service:Masquerading Modify Registry
S0342 GreyEnergy - Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel File Deletion:Indicator Removal on Host Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information Software Packing:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Portable Executable Injection:Process Injection Multi-hop Proxy:Proxy Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Service Discovery
S0604 Industroyer - Web Protocols:Application Layer Protocol Compromise Client Software Binary Windows Service:Create or Modify System Process Data Destruction Deobfuscate/Decode Files or Information Application or System Exploitation:Endpoint Denial of Service Exfiltration Over C2 Channel File and Directory Discovery Ingress Tool Transfer Network Service Discovery Obfuscated Files or Information Protocol Tunneling Multi-hop Proxy:Proxy Query Registry Remote System Discovery Service Stop System Information Discovery System Network Configuration Discovery Valid Accounts
S0231 Invoke-PSImage - Obfuscated Files or Information
S0607 KillDisk - Access Token Manipulation Data Destruction Data Encrypted for Impact Disk Structure Wipe:Disk Wipe File and Directory Discovery Clear Windows Event Logs:Indicator Removal on Host File Deletion:Indicator Removal on Host Masquerade Task or Service:Masquerading Native API Obfuscated Files or Information Process Discovery Service Stop Shared Modules System Information Discovery System Shutdown/Reboot
S0002 Mimikatz - SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores LSA Secrets:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Rogue Domain Controller Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Pass the Ticket:Use Alternate Authentication Material
S0039 Net - Domain Account:Account Discovery Local Account:Account Discovery Domain Account:Create Account Local Account:Create Account Network Share Connection Removal:Indicator Removal on Host Network Share Discovery Password Policy Discovery Domain Groups:Permission Groups Discovery Local Groups:Permission Groups Discovery SMB/Windows Admin Shares:Remote Services Remote System Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services System Time Discovery
S0368 NotPetya - Data Encrypted for Impact Exploitation of Remote Services File and Directory Discovery Clear Windows Event Logs:Indicator Removal on Host Masquerading LSASS Memory:OS Credential Dumping SMB/Windows Admin Shares:Remote Services Scheduled Task:Scheduled Task/Job Security Software Discovery:Software Discovery Rundll32:System Binary Proxy Execution Service Execution:System Services System Shutdown/Reboot Local Accounts:Valid Accounts Windows Management Instrumentation
S0365 Olympic Destroyer - Credentials from Web Browsers:Credentials from Password Stores Data Destruction Clear Windows Event Logs:Indicator Removal on Host Inhibit System Recovery Lateral Tool Transfer Network Share Discovery LSASS Memory:OS Credential Dumping SMB/Windows Admin Shares:Remote Services Remote System Discovery Service Stop System Network Configuration Discovery Service Execution:System Services System Shutdown/Reboot Windows Management Instrumentation
S0598 P.A.S. Webshell - Local Account:Account Discovery Web Protocols:Application Layer Protocol Password Guessing:Brute Force Command and Scripting Interpreter Data from Information Repositories Data from Local System Deobfuscate/Decode Files or Information File and Directory Discovery Linux and Mac File and Directory Permissions Modification:File and Directory Permissions Modification File Deletion:Indicator Removal on Host Ingress Tool Transfer Network Service Discovery Obfuscated Files or Information Web Shell:Server Software Component Software Discovery
S0029 PsExec - Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services

References


  1. Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.

  2. Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020. 

  3. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. 

  4. Hultquist, J. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.

  5. Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018. 

  6. Muncaster, P. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017.

  7. NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020. 

  8. Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020. 

  9. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.

  10. Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020. 

  11. UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games. Retrieved November 30, 2020.

  12. Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.

  13. Cherepanov, A. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.

  14. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020. 

  15. Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved June 10, 2020.

  16. Ward, S. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020.

  17. US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved June 10, 2020. 

  18. Cherepanov, A. (2017, July 4). Analysis of TeleBots’ cunning backdoor. Retrieved June 11, 2020.

  19. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021. 

  20. Wu, W. (2014, October 14). An Analysis of Windows Zero-day Vulnerability ‘CVE-2014-4114’ aka “Sandworm”. Retrieved June 18, 2020. 

  21. Li, H. (2013, November 5). McAfee Labs Detects Zero-Day Exploit Targeting Microsoft Office. Retrieved June 18, 2020. 

  22. Counter Threat Research Team. (2017, June 28). NotPetya Campaign: What We Know About the Latest Global Ransomware Attack. Retrieved June 11, 2020. 

  23. CrowdStrike. (2019, January). 2019 Global Threat Report. Retrieved June 10, 2020. 

  24. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018. 

  25. Dragos Inc. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.

  26. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020. 

  27. B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020. 