Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]

ID: G0034
Associated Groups: ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, VOODOO BEAR
Version: 2.1
Created: 31 May 2017
Last Modified: 15 October 2021

Associated Group Descriptions

Name Description
ELECTRUM [8][2]
Telebots [6][1][2]
IRON VIKING [9][1][2]
BlackEnergy (Group) [6][2]
Quedagh [3][10][2]
VOODOO BEAR [4][1][2]

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.[11]

Enterprise T1087 .003 Account Discovery: Email Account

Sandworm Team used malware to enumerate email settings, including usernames and passwords, from the M.E.Doc application.[12]

Enterprise T1098 Account Manipulation

Sandworm Team used the sp_addlinkedsrvlogin command in MS-SQL to create a link between a created account and other servers in the network.[13]

Enterprise T1583 .001 Acquire Infrastructure: Domains

Sandworm Team has registered domain names and created URLs that are often designed to mimic or spoof legitimate websites, such as email login pages, online file sharing and storage websites, and password reset pages.[1]

Enterprise T1583 .004 Acquire Infrastructure: Server

Sandworm Team has leased servers from resellers instead of leasing infrastructure directly from hosting companies to enable its operations.[1]

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

Sandworm Team has scanned network infrastructure for vulnerabilities as part of its operational planning.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Sandworm Team's BCS-server tool connects to the designated C2 server via HTTP.[11]

Enterprise T1110 .003 Brute Force: Password Spraying

Sandworm Team has used a script to attempt RPC authentication against a number of hosts.[13]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Sandworm Team has used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.[1][13]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Sandworm Team has run the xp_cmdshell command in MS-SQL.[13]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Sandworm Team has created VBScripts to run an SSH server.[14][11][15][13]

Enterprise T1136 Create Account

Sandworm Team added a login to a SQL Server with sp_addlinkedsrvlogin.[13]

Enterprise T1136 .002 Create Account: Domain Account

Sandworm Team has created new domain accounts on an ICS access server.[13]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Sandworm Team's CredRaptor tool can collect saved passwords from various internet browsers.[11]

Enterprise T1485 Data Destruction

Sandworm Team has used the BlackEnergy KillDisk component to overwrite files on Windows-based Human-Machine Interfaces.[16][15]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Sandworm Team's BCS-server tool uses Base64 encoding and HTML tags for its communication traffic with the C2 server.[11]

Enterprise T1005 Data from Local System

Sandworm Team has exfiltrated internal documents, files, and other data from compromised hosts.[1]

Enterprise T1491 .002 Defacement: External Defacement

Sandworm Team defaced approximately 15,000 websites belonging to Georgian government, non-government, and private sector organizations in 2019.[1][2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Sandworm Team's VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group has also decrypted received information using the Triple DES algorithm and decompressed it using GZip.[11][12]

Enterprise T1587 .001 Develop Capabilities: Malware

Sandworm Team has developed malware for its operations, including malicious mobile applications and destructive malware such as NotPetya and Olympic Destroyer.[1]

Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

Sandworm Team has used the BlackEnergy KillDisk component to corrupt the infected system's master boot record.[16][15]

Enterprise T1499 Endpoint Denial of Service

Sandworm Team temporarily disrupted service to Georgian government, non-government, and private sector websites after compromising a Georgian web hosting provider in 2019.[1]

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Sandworm Team has established social media accounts to disseminate victim internal-only documents and other sensitive data.[1]

Enterprise T1585 .002 Establish Accounts: Email Accounts

Sandworm Team has created email accounts that mimic legitimate organizations for its spearphishing operations.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Sandworm Team has sent system information to its C2 server using HTTP.[11]

Enterprise T1203 Exploitation for Client Execution

Sandworm Team has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and Microsoft Word via crafted TIFF images (CVE-2013-3906).[17][18][19]

Enterprise T1133 External Remote Services

Sandworm Team has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. Sandworm Team has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company's users.[14][15][20]

Enterprise T1083 File and Directory Discovery

Sandworm Team has enumerated files on a compromised host.[1][13]

Enterprise T1592 .002 Gather Victim Host Information: Software

Sandworm Team has researched software code to enable supply-chain operations, most notably for the 2017 NotPetya attack. Sandworm Team also collected a list of computers using specific software as part of its targeting efforts.[1]

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

Sandworm Team has obtained valid email addresses while conducting research against target organizations; these addresses were subsequently used in spearphishing campaigns.[1]

Enterprise T1589 .003 Gather Victim Identity Information: Employee Names

Sandworm Team's research of potential victim organizations included the identification and collection of employee information.[1]

Enterprise T1590 .001 Gather Victim Network Information: Domain Properties

Sandworm Team conducted technical reconnaissance of the Parliament of Georgia's official internet domain prior to its 2019 attack.[1]

Enterprise T1591 .002 Gather Victim Org Information: Business Relationships

In preparation for its attack against the 2018 Winter Olympics, Sandworm Team conducted online research of partner organizations listed on an official PyeongChang Olympics partnership site.[1]

Enterprise T1562 .002 Impair Defenses: Disable Windows Event Logging

Sandworm Team has disabled event logging on compromised systems.[13]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Sandworm Team has used backdoors that can delete files used in an attack from an infected system.[11][12]

Enterprise T1105 Ingress Tool Transfer

Sandworm Team has pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.[11][1]

Enterprise T1056 .001 Input Capture: Keylogging

Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.[11]

Enterprise T1570 Lateral Tool Transfer

Sandworm Team has used the move command to transfer files to a network share.[13]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Sandworm Team has avoided detection by naming a malicious binary explorer.exe.[11][1]

Enterprise T1040 Network Sniffing

Sandworm Team has used intercepter-NG to sniff passwords in network traffic.[11]

Enterprise T1571 Non-Standard Port

Sandworm Team has used port 6789 to accept connections on the group's SSH server.[14]

Enterprise T1027 Obfuscated Files or Information

Sandworm Team has used Base64 encoding within malware variants. Sandworm Team has also used ROT13 encoding, AES encryption and compression with the zlib library for their Python-based backdoor.[17][11]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Sandworm Team used UPX to pack a copy of Mimikatz.[13]

Enterprise T1588 .002 Obtain Capabilities: Tool

Sandworm Team has acquired open-source tools for some of its operations; for example, it acquired Invoke-PSImage to establish an encrypted channel from a compromised host to Sandworm Team's C2 server as part of its preparation for the 2018 Winter Olympics attack.[1]

Enterprise T1588 .006 Obtain Capabilities: Vulnerabilities

In 2017, Sandworm Team conducted technical research related to vulnerabilities associated with websites used by the Korean Sport and Olympic Committee, a Korean power company, and a Korean airport.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Sandworm Team's plainpwd tool is a modified version of Mimikatz and dumps Windows credentials from system memory.[11][15]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Sandworm Team has delivered malicious Microsoft Office attachments via spearphishing emails.[17][16][11][1]

Enterprise T1566 .002 Phishing: Spearphishing Link

Sandworm Team has crafted phishing emails containing malicious hyperlinks.[1]

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Sandworm Team has crafted spearphishing emails with hyperlinks designed to trick unwitting recipients into revealing their account credentials.[1]

Enterprise T1090 Proxy

Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic from the adversary-controlled C2 to internal servers which may not be connected to the internet, but are interconnected locally.[11]

Enterprise T1219 Remote Access Software

Sandworm Team has used remote administration tools or remote industrial control system client software to maliciously release electricity breakers.[16]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Sandworm Team has run net use to connect to network shares.[13]

Enterprise T1018 Remote System Discovery

Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about computers listed in AD.[11][13]

Enterprise T1593 Search Open Websites/Domains

Sandworm Team researched Ukraine's unique legal entity identifier (called an "EDRPOU" number), including running queries on the EDRPOU website, in preparation for the NotPetya attack. Sandworm Team has also researched third-party websites to help it craft credible spearphishing emails.[1]

Enterprise T1594 Search Victim-Owned Websites

Sandworm Team has conducted research against potential victim websites as part of its operational planning.[1]

Enterprise T1505 .001 Server Software Component: SQL Stored Procedures

Sandworm Team has used various MS-SQL stored procedures.[13]

Enterprise T1505 .003 Server Software Component: Web Shell

Sandworm Team has used webshells including P.A.S. Webshell to maintain access to victim networks.[20]

Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe.[12]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

Sandworm Team has distributed NotPetya by compromising the legitimate Ukrainian accounting software M.E.Doc and replacing a legitimate software update with a malicious one.[21][15][1]

Enterprise T1082 System Information Discovery

Sandworm Team used a backdoor to enumerate information about the infected system's operating system.[12][1]

Enterprise T1016 System Network Configuration Discovery

Sandworm Team checks for connectivity to other resources in the network.[13]

Enterprise T1049 System Network Connections Discovery

Sandworm Team has gathered user, IP address, and server data related to RDP sessions on a compromised host. It has also accessed network diagram files useful for understanding how a host's network was configured.[1][13]

Enterprise T1033 System Owner/User Discovery

Sandworm Team has collected the username from a compromised host.[1]

Enterprise T1199 Trusted Relationship

Sandworm Team has used dedicated network connections from one victim organization to gain unauthorized access to a separate organization.[1]

Enterprise T1204 .001 User Execution: Malicious Link

Sandworm Team has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.[1]

Enterprise T1204 .002 User Execution: Malicious File

Sandworm Team has tricked unwitting recipients into clicking on spearphishing attachments and enabling malicious macros embedded within files.[11][1]

Enterprise T1078 Valid Accounts

Sandworm Team has used previously acquired legitimate credentials prior to attacks.[16]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Sandworm Team has used stolen credentials to access administrative accounts within the domain.[1]

Enterprise T1102 .002 Web Service: Bidirectional Communication

Sandworm Team has used the Telegram Bot API from Telegram Messenger to send and receive commands to its Python backdoor. Sandworm Team also used legitimate M.E.Doc software update check requests for sending and receiving commands and hosted malicious payloads on putdrive.com.[11][15]

Enterprise T1047 Windows Management Instrumentation

Sandworm Team has used VBScript to run WMI queries.[13]

Software

ID Name References Techniques
S0089 BlackEnergy [3][10][1][2] Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Data Destruction, Fallback Channels, File and Directory Discovery, Hijack Execution Flow: Services File Permissions Weakness, Indicator Removal on Host: Clear Windows Event Logs, Indicator Removal on Host, Input Capture: Keylogging, Network Service Scanning, Peripheral Device Discovery, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote Services: SMB/Windows Admin Shares, Screen Capture, Subvert Trust Controls: Code Signing Policy Modification, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Unsecured Credentials: Credentials In Files, Windows Management Instrumentation
S0555 CHEMISTGAMES [22] Command-Line Interface, Data from Local System, Deliver Malicious App via Authorized App Store, Download New Code at Runtime, Location Tracking, Masquerade as Legitimate Application, Native Code, Obfuscated Files or Information, Standard Application Layer Protocol, Standard Cryptographic Protocol, Supply Chain Compromise, System Information Discovery
S0401 Exaramel for Linux [23][20] Abuse Elevation Control Mechanism: Setuid and Setgid, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Unix Shell, Create or Modify System Process: Systemd Service, Create or Modify System Process, Deobfuscate/Decode Files or Information, Fallback Channels, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information, Scheduled Task/Job: Cron, System Owner/User Discovery
S0343 Exaramel for Windows [23] Archive Collected Data, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Staged: Local Data Staging, Masquerading: Masquerade Task or Service, Modify Registry
S0604 Industroyer [13][24][25] Application Layer Protocol: Web Protocols, Compromise Client Software Binary, Create or Modify System Process: Windows Service, Data Destruction, Deobfuscate/Decode Files or Information, Endpoint Denial of Service: Application or System Exploitation, Exfiltration Over C2 Channel, File and Directory Discovery, Ingress Tool Transfer, Network Service Scanning, Obfuscated Files or Information, Protocol Tunneling, Proxy: Multi-hop Proxy, Query Registry, Remote System Discovery, Service Stop, System Information Discovery, System Network Configuration Discovery, Valid Accounts
S0231 Invoke-PSImage [1] Obfuscated Files or Information
S0607 KillDisk [1] Access Token Manipulation, Data Destruction, Data Encrypted for Impact, Disk Wipe: Disk Structure Wipe, File and Directory Discovery, Indicator Removal on Host: Clear Windows Event Logs, Masquerading: Masquerade Task or Service, Native API, Obfuscated Files or Information, Process Discovery, Service Stop, Shared Modules, System Information Discovery, System Shutdown/Reboot
S0002 Mimikatz [13] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039 Net [13] Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0368 NotPetya [6][1][2] Data Encrypted for Impact, Exploitation of Remote Services, File and Directory Discovery, Indicator Removal on Host: Clear Windows Event Logs, Masquerading, OS Credential Dumping: LSASS Memory, Remote Services: SMB/Windows Admin Shares, Scheduled Task/Job: Scheduled Task, Signed Binary Proxy Execution: Rundll32, Software Discovery: Security Software Discovery, System Services: Service Execution, System Shutdown/Reboot, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0365 Olympic Destroyer [26][9][1][2] Credentials from Password Stores: Credentials from Web Browsers, Data Destruction, Indicator Removal on Host: Clear Windows Event Logs, Inhibit System Recovery, Lateral Tool Transfer, Network Share Discovery, OS Credential Dumping: LSASS Memory, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, Service Stop, System Network Configuration Discovery, System Services: Service Execution, System Shutdown/Reboot, Windows Management Instrumentation
S0598 P.A.S. Webshell [20] Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter, Data from Information Repositories, Data from Local System, Deobfuscate/Decode Files or Information, File and Directory Discovery, File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Network Service Scanning, Obfuscated Files or Information, Server Software Component: Web Shell, Software Discovery
S0029 PsExec [13] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution

References

  1. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
  2. UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games. Retrieved November 30, 2020.
  3. Hultquist, J. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.
  4. Meyers, A. (2018, January 19). Meet CrowdStrike's Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.
  5. Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020.
  6. NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.
  7. Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.
  8. Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.
  9. Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.
  10. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  11. Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  12. Cherepanov, A. (2017, July 4). Analysis of TeleBots' cunning backdoor. Retrieved June 11, 2020.
  13. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  14. Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved June 10, 2020.
  15. Cherepanov, A. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.
  16. US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved June 10, 2020.
  17. Ward, S. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020.
  18. Wu, W. (2014, October 14). An Analysis of Windows Zero-day Vulnerability 'CVE-2014-4114' aka "Sandworm". Retrieved June 18, 2020.
  19. Li, H. (2013, November 5). McAfee Labs Detects Zero-Day Exploit Targeting Microsoft Office. Retrieved June 18, 2020.
  20. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  21. Counter Threat Research Team. (2017, June 28). NotPetya Campaign: What We Know About the Latest Global Ransomware Attack. Retrieved June 11, 2020.
  22. B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.
  23. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  24. Dragos Inc. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.
  25. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved December 18, 2020.
  26. CrowdStrike. (2019, January). 2019 Global Threat Report. Retrieved June 10, 2020.