Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Sandworm Team
Реестр СЗИ
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Sandworm Team
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020) In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.(Citation: US District Court Indictment GRU Oct 2018)
ID: G0034
Associated Groups: Voodoo Bear, ELECTRUM, Quedagh, FROZENBARENTS, APT44, IRIDIUM, Seashell Blizzard, BlackEnergy (Group), Telebots, IRON VIKING
Version: 4.1
Created: 31 May 2017
Last Modified: 12 Sep 2024

Associated Group Descriptions
Name Description
Voodoo Bear (Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)
ELECTRUM (Citation: Dragos ELECTRUM)(Citation: UK NCSC Olympic Attacks October 2020)
Quedagh (Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)
FROZENBARENTS (Citation: Leonard TAG 2023)
APT44 (Citation: mandiant_apt44_unearthing_sandworm)
IRIDIUM (Citation: Microsoft Prestige ransomware October 2022)
Seashell Blizzard (Citation: Microsoft Threat Actor Naming July 2023)
BlackEnergy (Group) (Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)
Telebots (Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)
IRON VIKING (Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)

Techniques Used
Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.(Citation: ESET Telebots Dec 2016)

.003 Account Discovery: Email Account

Sandworm Team used malware to enumerate email settings, including usernames and passwords, from the M.E.Doc application.(Citation: ESET Telebots July 2017)

Enterprise T1583 .001 Acquire Infrastructure: Domains

Sandworm Team has registered domain names and created URLs that are often designed to mimic or spoof legitimate websites, such as email login pages, online file sharing and storage websites, and password reset pages, while also hosting these items on legitimate, compromised network infrastructure.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Slowik Sandworm 2021)
.004 Acquire Infrastructure: Server

Sandworm Team has leased servers from resellers instead of leasing infrastructure directly from hosting companies to enable its operations.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

Sandworm Team has scanned network infrastructure for vulnerabilities as part of its operational planning.(Citation: US District Court Indictment GRU Unit 74455 October 2020)
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Sandworm Team's BCS-server tool connects to the designated C2 server via HTTP.(Citation: ESET Telebots Dec 2016)

Enterprise T1110 .003 Brute Force: Password Spraying

Sandworm Team has used a script to attempt RPC authentication against a number of hosts.(Citation: Dragos Crashoverride 2018)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Sandworm Team has used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Dragos Crashoverride 2018)

.003 Command and Scripting Interpreter: Windows Command Shell

Sandworm Team has run the xp_cmdshell command in MS-SQL.(Citation: Dragos Crashoverride 2018)

.005 Command and Scripting Interpreter: Visual Basic

Sandworm Team has created VBScripts to run an SSH server.(Citation: ESET BlackEnergy Jan 2016)(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots June 2017)(Citation: Dragos Crashoverride 2018)

Enterprise T1586 .001 Compromise Accounts: Social Media Accounts

Sandworm Team creates credential capture webpages to compromise existing, legitimate social media accounts.(Citation: Slowik Sandworm 2021)
Enterprise T1584 .004 Compromise Infrastructure: Server

Sandworm Team compromised legitimate Linux servers running the EXIM mail transfer agent for use in subsequent campaigns.(Citation: NSA Sandworm 2020)(Citation: Leonard TAG 2023)
.005 Compromise Infrastructure: Botnet

Sandworm Team has used a large-scale botnet to target Small Office/Home Office (SOHO) network devices.(Citation: NCSC Cyclops Blink February 2022)

Enterprise T1136 .002 Create Account: Domain Account

Sandworm Team has created new domain accounts on an ICS access server.(Citation: Dragos Crashoverride 2018)
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Sandworm Team's CredRaptor tool can collect saved passwords from various internet browsers.(Citation: ESET Telebots Dec 2016)
Enterprise T1132 .001 Data Encoding: Standard Encoding

Sandworm Team's BCS-server tool uses base64 encoding and HTML tags for the communication traffic between the C2 server.(Citation: ESET Telebots Dec 2016)

Enterprise T1491 .002 Defacement: External Defacement

Sandworm Team defaced approximately 15,000 websites belonging to Georgian government, non-government, and private sector organizations in 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)
Enterprise T1587 .001 Develop Capabilities: Malware

Sandworm Team has developed malware for its operations, including malicious mobile applications and destructive malware such as NotPetya and Olympic Destroyer.(Citation: US District Court Indictment GRU Unit 74455 October 2020)
Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

Sandworm Team has used the BlackEnergy KillDisk component to corrupt the infected system's master boot record.(Citation: US-CERT Ukraine Feb 2016)(Citation: ESET Telebots June 2017)
Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Sandworm Team has established social media accounts to disseminate victim internal-only documents and other sensitive data.(Citation: US District Court Indictment GRU Unit 74455 October 2020)
.002 Establish Accounts: Email Accounts

Sandworm Team has created email accounts that mimic legitimate organizations for its spearphishing operations.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise T1592 .002 Gather Victim Host Information: Software

Sandworm Team has researched software code to enable supply-chain operations, most notably for the 2017 NotPetya attack. Sandworm Team also collected a list of computers using specific software as part of its targeting efforts.(Citation: US District Court Indictment GRU Unit 74455 October 2020)
Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

Sandworm Team has obtained valid emails addresses while conducting research against target organizations that were subsequently used in spearphishing campaigns.(Citation: US District Court Indictment GRU Unit 74455 October 2020)
.003 Gather Victim Identity Information: Employee Names

Sandworm Team's research of potential victim organizations included the identification and collection of employee information.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise T1590 .001 Gather Victim Network Information: Domain Properties

Sandworm Team conducted technical reconnaissance of the Parliament of Georgia's official internet domain prior to its 2019 attack.(Citation: US District Court Indictment GRU Unit 74455 October 2020)
Enterprise T1591 .002 Gather Victim Org Information: Business Relationships

In preparation for its attack against the 2018 Winter Olympics, Sandworm Team conducted online research of partner organizations listed on an official PyeongChang Olympics partnership site.(Citation: US District Court Indictment GRU Unit 74455 October 2020)
Enterprise T1562 .002 Impair Defenses: Disable Windows Event Logging

Sandworm Team has disabled event logging on compromised systems.(Citation: Dragos Crashoverride 2018)
Enterprise T1070 .004 Indicator Removal: File Deletion

Sandworm Team has used backdoors that can delete files used in an attack from an infected system.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots July 2017)(Citation: Mandiant-Sandworm-Ukraine-2022)

Enterprise T1056 .001 Input Capture: Keylogging

Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.(Citation: ESET Telebots Dec 2016)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Sandworm Team has avoided detection by naming a malicious binary explorer.exe.(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020)
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Sandworm Team has used its plainpwd tool, a modified version of Mimikatz, and comsvcs.dll to dump Windows credentials from system memory.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots June 2017)(Citation: Microsoft Prestige ransomware October 2022)

.003 OS Credential Dumping: NTDS

Sandworm Team has used `ntdsutil.exe` to back up the Active Directory database, likely for credential access.(Citation: Microsoft Prestige ransomware October 2022)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Sandworm Team used UPX to pack a copy of Mimikatz.(Citation: Dragos Crashoverride 2018)

.010 Obfuscated Files or Information: Command Obfuscation

Sandworm Team has used ROT13 encoding, AES encryption and compression with the zlib library for their Python-based backdoor.(Citation: ESET Telebots Dec 2016)

Enterprise T1588 .002 Obtain Capabilities: Tool

Sandworm Team has acquired open-source tools for their operations, including Invoke-PSImage, which was used to establish an encrypted channel from a compromised host to Sandworm Team's C2 server in preparation for the 2018 Winter Olympics attack, as well as Impacket and RemoteExec, which were used in their 2022 Prestige operations.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Microsoft Prestige ransomware October 2022) Additionally, Sandworm Team has used Empire, Cobalt Strike and PoshC2.(Citation: mandiant_apt44_unearthing_sandworm)
.006 Obtain Capabilities: Vulnerabilities

In 2017, Sandworm Team conducted technical research related to vulnerabilities associated with websites used by the Korean Sport and Olympic Committee, a Korean power company, and a Korean airport.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Sandworm Team has delivered malicious Microsoft Office and ZIP file attachments via spearphishing emails.(Citation: iSight Sandworm Oct 2014)(Citation: US-CERT Ukraine Feb 2016)(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Google_WinRAR_vuln_2023)(Citation: mandiant_apt44_unearthing_sandworm)
.002 Phishing: Spearphishing Link

Sandworm Team has crafted phishing emails containing malicious hyperlinks.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Sandworm Team has crafted spearphishing emails with hyperlinks designed to trick unwitting recipients into revealing their account credentials.(Citation: US District Court Indictment GRU Unit 74455 October 2020)
Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Sandworm Team has copied payloads to the `ADMIN$` share of remote systems and run net use to connect to network shares.(Citation: Dragos Crashoverride 2018)(Citation: Microsoft Prestige ransomware October 2022)
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Sandworm Team leveraged SHARPIVORY, a .NET dropper that writes embedded payload to disk and uses scheduled tasks to persist on victim machines.(Citation: mandiant_apt44_unearthing_sandworm)
Enterprise T1505 .001 Server Software Component: SQL Stored Procedures

Sandworm Team has used various MS-SQL stored procedures.(Citation: Dragos Crashoverride 2018)

.003 Server Software Component: Web Shell

Sandworm Team has used webshells including P.A.S. Webshell to maintain access to victim networks.(Citation: ANSSI Sandworm January 2021)

Enterprise T1608 .001 Stage Capabilities: Upload Malware

Sandworm Team staged compromised versions of legitimate software installers in forums to enable initial access to executing user.(Citation: mandiant_apt44_unearthing_sandworm)
Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

Sandworm Team has distributed NotPetya by compromising the legitimate Ukrainian accounting software M.E.Doc and replacing a legitimate software update with a malicious one.(Citation: Secureworks NotPetya June 2017)(Citation: ESET Telebots June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)
Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe.(Citation: ESET Telebots July 2017)

Enterprise T1204 .001 User Execution: Malicious Link

Sandworm Team has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.(Citation: US District Court Indictment GRU Unit 74455 October 2020)
.002 User Execution: Malicious File

Sandworm Team has tricked unwitting recipients into clicking on spearphishing attachments and enabling malicious macros embedded within files.(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Sandworm Team has used stolen credentials to access administrative accounts within the domain.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Microsoft Prestige ransomware October 2022)
Enterprise T1102 .002 Web Service: Bidirectional Communication

Sandworm Team has used the Telegram Bot API from Telegram Messenger to send and receive commands to its Python backdoor. Sandworm Team also used legitimate M.E.Doc software update check requests for sending and receiving commands and hosted malicious payloads on putdrive.com.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots June 2017)

Software
ID Name References Techniques
S0039 Net (Citation: Dragos Crashoverride 2018) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Additional Local or Domain Groups, Local Groups, SMB/Windows Admin Shares, Domain Account
S1125 AcidRain (Citation: AcidRain JAGS 2022) (Citation: AcidRain State Department 2022) (Citation: Vincens AcidPour 2024) System Shutdown/Reboot, Data Destruction, Disk Content Wipe, File and Directory Discovery
S0343 Exaramel for Windows (Citation: ESET TeleBots Oct 2018) Archive Collected Data, Visual Basic, Fileless Storage, Windows Service, Modify Registry, Windows Command Shell, Masquerade Task or Service, Local Data Staging
S0401 Exaramel for Linux (Citation: ANSSI Sandworm January 2021) (Citation: ESET TeleBots Oct 2018) Ingress Tool Transfer, System Owner/User Discovery, Web Protocols, Create or Modify System Process, Deobfuscate/Decode Files or Information, Fallback Channels, Systemd Service, File Deletion, Setuid and Setgid, Encrypted/Encoded File, Unix Shell, Cron
S1058 Prestige (Citation: mandiant_apt44_unearthing_sandworm) (Citation: Microsoft Prestige ransomware October 2022) Group Policy Modification, Service Stop, Data Encrypted for Impact, Scheduled Task, Inhibit System Recovery, Modify Registry, Native API, PowerShell, File and Directory Discovery
S0357 Impacket (Citation: Impacket Tools) (Citation: Microsoft Prestige ransomware October 2022) LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, Kerberoasting, Ccache Files, NTDS, Service Execution, LSASS Memory, Windows Management Instrumentation, Security Account Manager, LSA Secrets
S0606 Bad Rabbit (Citation: Dragos IT ICS Ransomware) (Citation: ESET Bad Rabbit) (Citation: Secure List Bad Rabbit) (Citation: Secureworks IRON VIKING ) Data Encrypted for Impact, Password Spraying, Firmware Corruption, Service Execution, Scheduled Task, Match Legitimate Name or Location, Drive-by Compromise, LSASS Memory, Bypass User Account Control, Process Discovery, Network Share Discovery, Exploitation of Remote Services, Rundll32, Malicious File, Native API
S0342 GreyEnergy (Citation: ESET GreyEnergy Oct 2018) (Citation: Secureworks IRON VIKING ) Multi-hop Proxy, Rundll32, File Deletion, Windows Service, Web Protocols, Code Signing, System Service Discovery, Asymmetric Cryptography, Windows Command Shell, Ingress Tool Transfer, Portable Executable Injection, Symmetric Cryptography, Modify Registry, Software Packing, Keylogging, Encrypted/Encoded File, LSASS Memory
S0365 Olympic Destroyer (Citation: CrowdStrike GTR 2019) (Citation: mandiant_apt44_unearthing_sandworm) (Citation: Secureworks IRON VIKING ) (Citation: Talos Olympic Destroyer 2018) (Citation: Trend Micro Cyclops Blink March 2022) (Citation: UK NCSC Olympic Attacks October 2020) (Citation: US District Court Indictment GRU Unit 74455 October 2020) System Network Configuration Discovery, Credentials from Web Browsers, Service Stop, System Shutdown/Reboot, Clear Windows Event Logs, Data Destruction, Lateral Tool Transfer, Windows Management Instrumentation, Remote System Discovery, Network Share Discovery, Service Execution, SMB/Windows Admin Shares, Inhibit System Recovery, LSASS Memory
S0363 Empire (Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: mandiant_apt44_unearthing_sandworm) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) Video Capture, Distributed Component Object Model, LLMNR/NBT-NS Poisoning and SMB Relay, System Network Configuration Discovery, PowerShell, Domain Trust Discovery, Keylogging, Command Obfuscation, Local Account, Screen Capture, Network Service Discovery, Credentials In Files, Archive Collected Data, Group Policy Modification, Exfiltration Over C2 Channel, Commonly Used Port, System Information Discovery, Clipboard Data, Exploitation for Privilege Escalation, Automated Exfiltration, Accessibility Features, Automated Collection, Group Policy Discovery, Domain Account, Security Support Provider, SSH, Kerberoasting, SID-History Injection, Path Interception by Unquoted Path, Registry Run Keys / Startup Folder, Network Share Discovery, Path Interception by Search Order Hijacking, Golden Ticket, Exploitation of Remote Services, Service Execution, Exfiltration to Code Repository, File and Directory Discovery, Credential API Hooking, Path Interception by PATH Environment Variable, Native API, Windows Management Instrumentation, Process Injection, Pass the Hash, Browser Information Discovery, MSBuild, Private Keys, Exfiltration to Cloud Storage, Web Protocols, Access Token Manipulation, Network Sniffing, Local Email Collection, Windows Command Shell, Bidirectional Communication, Credentials from Web Browsers, Security Software Discovery, Local Account, Dylib Hijacking, System Network Connections Discovery, Scheduled Task, LSASS Memory, Asymmetric Cryptography, Create Process with Token, Windows Service, Command and Scripting Interpreter, Process Discovery, Ingress Tool Transfer, Timestomp, Shortcut Modification, DLL Search Order Hijacking, Domain Account, System Owner/User Discovery, Bypass User Account Control, Silver Ticket
S0598 P.A.S. Webshell (Citation: ANSSI Sandworm January 2021) (Citation: Fobushell) (Citation: NCCIC AR-17-20045 February 2017) Deobfuscate/Decode Files or Information, File and Directory Discovery, Web Shell, Data from Local System, Linux and Mac File and Directory Permissions Modification, Web Protocols, Command and Scripting Interpreter, Software Discovery, Obfuscated Files or Information, File Deletion, Network Service Discovery, Data from Information Repositories, Password Guessing, Ingress Tool Transfer, Local Account
S0378 PoshC2 (Citation: GitHub PoshC2) (Citation: mandiant_apt44_unearthing_sandworm) System Network Configuration Discovery, Credentials In Files, LLMNR/NBT-NS Poisoning and SMB Relay, Web Protocols, Windows Management Instrumentation, System Network Connections Discovery, Exploitation for Privilege Escalation, System Service Discovery, Create Process with Token, Bypass User Account Control, Service Execution, Local Account, Automated Collection, System Information Discovery, Keylogging, Domain Account, Archive via Utility, Pass the Hash, Local Groups, File and Directory Discovery, Proxy, Brute Force, LSASS Memory, Process Injection, Exploitation of Remote Services, Domain Trust Discovery, Access Token Manipulation, Network Service Discovery, Credentials from Password Stores, Network Sniffing, Windows Management Instrumentation Event Subscription, Password Policy Discovery
S0089 BlackEnergy (Citation: F-Secure BlackEnergy 2014) (Citation: iSIGHT Sandworm 2014) (Citation: Secureworks IRON VIKING ) (Citation: UK NCSC Olympic Attacks October 2020) (Citation: US District Court Indictment GRU Unit 74455 October 2020) Bypass User Account Control, Windows Management Instrumentation, Credentials from Web Browsers, Indicator Removal, Screen Capture, Dynamic-link Library Injection, Code Signing Policy Modification, Process Discovery, File and Directory Discovery, Network Service Discovery, SMB/Windows Admin Shares, System Network Connections Discovery, Peripheral Device Discovery, Shortcut Modification, Credentials In Files, Keylogging, Windows Service, Clear Windows Event Logs, Registry Run Keys / Startup Folder, Data Destruction, Services File Permissions Weakness, System Network Configuration Discovery, System Information Discovery, Fallback Channels, Web Protocols
S0368 NotPetya (Citation: Diskcoder.C) (Citation: ESET Telebots June 2017) (Citation: ExPetr) (Citation: GoldenEye) (Citation: mandiant_apt44_unearthing_sandworm) (Citation: NCSC Sandworm Feb 2020) (Citation: Nyetya) (Citation: Petrwrap) (Citation: Secureworks IRON VIKING ) (Citation: Talos Nyetya June 2017) (Citation: Trend Micro Cyclops Blink March 2022) (Citation: UK NCSC Olympic Attacks October 2020) (Citation: US District Court Indictment GRU Unit 74455 October 2020) (Citation: US-CERT NotPetya 2017) Clear Windows Event Logs, Service Execution, Scheduled Task, SMB/Windows Admin Shares, Security Software Discovery, Windows Management Instrumentation, Exploitation of Remote Services, File and Directory Discovery, LSASS Memory, System Shutdown/Reboot, Data Encrypted for Impact, Masquerading, Rundll32, Local Accounts
S1010 VPNFilter (Citation: Carl Hurd March 2019) (Citation: NCSC CISA Cyclops Blink Advisory February 2022) (Citation: William Largent June 2018) Disk Content Wipe
S1072 Industroyer2 (Citation: Industroyer2 Blackhat ESET) (Citation: Industroyer2 ESET April 2022) (Citation: mandiant_apt44_unearthing_sandworm) Process Discovery
S0154 Cobalt Strike (Citation: cobaltstrike manual) (Citation: mandiant_apt44_unearthing_sandworm) Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Local Accounts, BITS Jobs, Remote Desktop Protocol, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol or Service Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Native API, Parent PID Spoofing, Process Injection, System Service Discovery, Timestomp, System Network Configuration Discovery, SSH, File and Directory Discovery, DNS, Token Impersonation/Theft, DNS, Bypass User Account Control, Process Hollowing, Scheduled Transfer, Security Account Manager, Local Groups, PowerShell, SSH, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Screen Capture, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Pass the Hash, Domain Accounts, Network Share Discovery, Web Protocols, Asymmetric Cryptography, Windows Command Shell, Process Injection, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Remote System Discovery, Visual Basic, Protocol Tunneling, Exploitation for Privilege Escalation, Windows Management Instrumentation, Keylogging, Browser Session Hijacking, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, Indicator Removal from Tools, Domain Account, Internal Proxy, Service Execution, Windows Remote Management, SMB/Windows Admin Shares, Rundll32, Windows Service, File Transfer Protocols, Python, SMB/Windows Admin Shares, Windows Management Instrumentation, Security Account Manager, Make and Impersonate Token, Exploitation for Client Execution, Network Service Discovery, Timestomp, Distributed Component Object Model, Multiband Communication, Commonly Used Port, Network Share Discovery, Custom Command and Control Protocol, Process Discovery, Make and Impersonate Token, Data from Local System, Office Template Macros, Windows Command Shell, Obfuscated Files or Information
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Dragos Crashoverride 2018) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0687 Cyclops Blink (Citation: NCSC CISA Cyclops Blink Advisory February 2022) (Citation: NCSC Cyclops Blink February 2022) (Citation: Trend Micro Cyclops Blink March 2022) Native API, Asymmetric Cryptography, Timestomp, Match Legitimate Name or Location, System Information Discovery, Component Firmware, Data from Local System, File and Directory Discovery, Disable or Modify System Firewall, Exfiltration Over C2 Channel, Process Discovery, System Network Configuration Discovery, Non-Standard Encoding, Multi-hop Proxy, Inter-Process Communication, Ingress Tool Transfer, Web Protocols, RC Scripts, Deobfuscate/Decode Files or Information, Protocol Tunneling, Non-Standard Port
S0231 Invoke-PSImage (Citation: GitHub Invoke-PSImage) (Citation: US District Court Indictment GRU Unit 74455 October 2020) Steganography, Embedded Payloads
S0195 SDelete (Citation: mandiant_apt44_unearthing_sandworm) (Citation: Microsoft SDelete July 2016) File Deletion, Data Destruction
S0607 KillDisk (Citation: ESEST Black Energy Jan 2016) (Citation: KillDisk Ransomware) (Citation: Secureworks IRON VIKING ) (Citation: Trend Micro KillDisk 1) (Citation: Trend Micro KillDisk 2) (Citation: US District Court Indictment GRU Unit 74455 October 2020) File and Directory Discovery, Native API, System Information Discovery, Shared Modules, Process Discovery, Obfuscated Files or Information, Service Stop, Clear Windows Event Logs, System Shutdown/Reboot, Disk Structure Wipe, Data Encrypted for Impact, File Deletion, Masquerade Task or Service, Access Token Manipulation, Data Destruction
S0604 Industroyer (Citation: CRASHOVERRIDE) (Citation: Dragos Crashoverride 2017) (Citation: Dragos Crashoverride 2018) (Citation: ESET Industroyer) (Citation: mandiant_apt44_unearthing_sandworm) (Citation: Secureworks IRON VIKING) (Citation: Win32/Industroyer) Windows Service, Data Destruction, Network Service Discovery, Valid Accounts, Compromise Host Software Binary, Ingress Tool Transfer, Remote System Discovery, File and Directory Discovery, Protocol Tunneling, System Network Configuration Discovery, Service Stop, Exfiltration Over C2 Channel, Web Protocols, Multi-hop Proxy, System Information Discovery, Application or System Exploitation, Deobfuscate/Decode Files or Information, Query Registry, Obfuscated Files or Information
S0029 PsExec (Citation: Dragos Crashoverride 2018) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

  1. Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.
  2. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  3. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  4. Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.
  5. Joseph Slowik, DomainTools. (2021, March 3). Centreon to Exim and Back: On the Trail of Sandworm. Retrieved April 6, 2024.
  6. Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.
  7. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  8. Ward, S.. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020.
  9. Wu, W. (2014, October 14). An Analysis of Windows Zero-day Vulnerability ‘CVE-2014-4114’ aka “Sandworm”. Retrieved June 18, 2020.
  10. Li, H. (2013, November 5). McAfee Labs Detects Zero-Day Exploit Targeting Microsoft Office. Retrieved June 18, 2020.
  11. National Security Agency. (2020, March 28). Sandworm Actors Exploiting Vulnerability In EXIM Mail Transfer Agent. Retrieved March 1, 2024.
  12. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
  13. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  14. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  15. Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry . Retrieved June 10, 2020.
  16. Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.
  17. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  18. NCSC, CISA, FBI, NSA. (2022, February 23). New Sandworm malware Cyclops Blink replaces VPNFilter. Retrieved March 3, 2022.
  19. Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.
  20. A.J. Vincens, CyberScoop. (2024, March 18). Researchers spot updated version of malware that hit Viasat. Retrieved March 25, 2024.
  21. Juan Andres Guerrero-Saade and Max van Amerongen, SentinelOne. (2022, March 31). AcidRain | A Modem Wiper Rains Down on Europe. Retrieved March 25, 2024.
  22. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
  23. Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.
  24. ESET. (2022, April 12). Industroyer2: Industroyer reloaded. Retrieved March 30, 2023.
  25. Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.
  26. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  27. UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.
  28. NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.
  29. CrowdStrike. (2019, January). 2019 Global Threat Report. Retrieved June 10, 2020.
  30. Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.
  31. Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.
  32. Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.
  33. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  34. Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017.
  35. Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved September 12, 2024.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.