
Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020) In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.(Citation: US District Court Indictment GRU Oct 2018)
ID: G0034
Associated Groups: Voodoo Bear, ELECTRUM, Quedagh, BlackEnergy (Group), Telebots, IRON VIKING
Version: 2.2
Created: 31 May 2017
Last Modified: 12 Oct 2022

Associated Group Descriptions

Name Description
Voodoo Bear (Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)
ELECTRUM (Citation: Dragos ELECTRUM)(Citation: UK NCSC Olympic Attacks October 2020)
Quedagh (Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)
BlackEnergy (Group) (Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)
Telebots (Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)
IRON VIKING (Citation: Secureworks IRON VIKING)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.(Citation: ESET Telebots Dec 2016)

.003 Account Discovery: Email Account

Sandworm Team used malware to enumerate email settings, including usernames and passwords, from the M.E.Doc application.(Citation: ESET Telebots July 2017)

Enterprise T1583 .001 Acquire Infrastructure: Domains

Sandworm Team has registered domain names and created URLs that are often designed to mimic or spoof legitimate websites, such as email login pages, online file sharing and storage websites, and password reset pages.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

.004 Acquire Infrastructure: Server

Sandworm Team has leased servers from resellers instead of leasing infrastructure directly from hosting companies to enable its operations.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

Sandworm Team has scanned network infrastructure for vulnerabilities as part of its operational planning.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Sandworm Team's BCS-server tool connects to the designated C2 server via HTTP.(Citation: ESET Telebots Dec 2016)

Enterprise T1110 .003 Brute Force: Password Spraying

Sandworm Team has used a script to attempt RPC authentication against a number of hosts.(Citation: Dragos Crashoverride 2018)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Sandworm Team has used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Dragos Crashoverride 2018)

.003 Command and Scripting Interpreter: Windows Command Shell

Sandworm Team has run the xp_cmdshell command in MS-SQL.(Citation: Dragos Crashoverride 2018)

.005 Command and Scripting Interpreter: Visual Basic

Sandworm Team has created VBScripts to run an SSH server.(Citation: ESET BlackEnergy Jan 2016)(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots June 2017)(Citation: Dragos Crashoverride 2018)

Enterprise T1584 .005 Compromise Infrastructure: Botnet

Sandworm Team has used a large-scale botnet to target Small Office/Home Office (SOHO) network devices.(Citation: NCSC Cyclops Blink February 2022)

Enterprise T1136 .002 Create Account: Domain Account

Sandworm Team has created new domain accounts on an ICS access server.(Citation: Dragos Crashoverride 2018)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Sandworm Team's CredRaptor tool can collect saved passwords from various internet browsers.(Citation: ESET Telebots Dec 2016)

Enterprise T1132 .001 Data Encoding: Standard Encoding

Sandworm Team's BCS-server tool uses base64 encoding and HTML tags for its communication traffic with the C2 server.(Citation: ESET Telebots Dec 2016)

Enterprise T1491 .002 Defacement: External Defacement

Sandworm Team defaced approximately 15,000 websites belonging to Georgian government, non-government, and private sector organizations in 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)

Enterprise T1587 .001 Develop Capabilities: Malware

Sandworm Team has developed malware for its operations, including malicious mobile applications and destructive malware such as NotPetya and Olympic Destroyer.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

Sandworm Team has used the BlackEnergy KillDisk component to corrupt the infected system's master boot record.(Citation: US-CERT Ukraine Feb 2016)(Citation: ESET Telebots June 2017)

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Sandworm Team has established social media accounts to disseminate victim internal-only documents and other sensitive data.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

.002 Establish Accounts: Email Accounts

Sandworm Team has created email accounts that mimic legitimate organizations for its spearphishing operations.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise T1592 .002 Gather Victim Host Information: Software

Sandworm Team has researched software code to enable supply-chain operations, most notably for the 2017 NotPetya attack. Sandworm Team also collected a list of computers using specific software as part of its targeting efforts.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

Sandworm Team has obtained valid email addresses while conducting research against target organizations; these addresses were subsequently used in spearphishing campaigns.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

.003 Gather Victim Identity Information: Employee Names

Sandworm Team's research of potential victim organizations included the identification and collection of employee information.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise T1590 .001 Gather Victim Network Information: Domain Properties

Sandworm Team conducted technical reconnaissance of the Parliament of Georgia's official internet domain prior to its 2019 attack.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise T1591 .002 Gather Victim Org Information: Business Relationships

In preparation for its attack against the 2018 Winter Olympics, Sandworm Team conducted online research of partner organizations listed on an official PyeongChang Olympics partnership site.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise T1562 .002 Impair Defenses: Disable Windows Event Logging

Sandworm Team has disabled event logging on compromised systems.(Citation: Dragos Crashoverride 2018)

Enterprise T1070 .004 Indicator Removal: File Deletion

Sandworm Team has used backdoors that can delete files used in an attack from an infected system.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots July 2017)

Enterprise T1056 .001 Input Capture: Keylogging

Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.(Citation: ESET Telebots Dec 2016)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Sandworm Team has avoided detection by naming a malicious binary explorer.exe.(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Sandworm Team's plainpwd tool is a modified version of Mimikatz and dumps Windows credentials from system memory.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots June 2017)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Sandworm Team used UPX to pack a copy of Mimikatz.(Citation: Dragos Crashoverride 2018)

Enterprise T1588 .002 Obtain Capabilities: Tool

Sandworm Team has acquired open-source tools for some of its operations; for example, it acquired Invoke-PSImage to establish an encrypted channel from a compromised host to Sandworm Team's C2 server as part of its preparation for the 2018 Winter Olympics attack.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

.006 Obtain Capabilities: Vulnerabilities

In 2017, Sandworm Team conducted technical research related to vulnerabilities associated with websites used by the Korean Sport and Olympic Committee, a Korean power company, and a Korean airport.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Sandworm Team has delivered malicious Microsoft Office attachments via spearphishing emails.(Citation: iSight Sandworm Oct 2014)(Citation: US-CERT Ukraine Feb 2016)(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020)

.002 Phishing: Spearphishing Link

Sandworm Team has crafted phishing emails containing malicious hyperlinks.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Sandworm Team has crafted spearphishing emails with hyperlinks designed to trick unwitting recipients into revealing their account credentials.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Sandworm Team has run net use to connect to network shares.(Citation: Dragos Crashoverride 2018)

Enterprise T1505 .001 Server Software Component: SQL Stored Procedures

Sandworm Team has used various MS-SQL stored procedures.(Citation: Dragos Crashoverride 2018)

.003 Server Software Component: Web Shell

Sandworm Team has used webshells including P.A.S. Webshell to maintain access to victim networks.(Citation: ANSSI Sandworm January 2021)

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

Sandworm Team has distributed NotPetya by compromising the legitimate Ukrainian accounting software M.E.Doc and replacing a legitimate software update with a malicious one.(Citation: Secureworks NotPetya June 2017)(Citation: ESET Telebots June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe.(Citation: ESET Telebots July 2017)

Enterprise T1204 .001 User Execution: Malicious Link

Sandworm Team has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

.002 User Execution: Malicious File

Sandworm Team has tricked unwitting recipients into clicking on spearphishing attachments and enabling malicious macros embedded within files.(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Sandworm Team has used stolen credentials to access administrative accounts within the domain.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Enterprise T1102 .002 Web Service: Bidirectional Communication

Sandworm Team has used the Telegram Bot API from Telegram Messenger to send and receive commands to its Python backdoor. Sandworm Team also used legitimate M.E.Doc software update check requests for sending and receiving commands and hosted malicious payloads on putdrive.com.(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots June 2017)

Software

ID Name References Techniques
S0039 Net (Citation: Dragos Crashoverride 2018) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Local Groups, SMB/Windows Admin Shares, Domain Account
S0343 Exaramel for Windows (Citation: ESET TeleBots Oct 2018) Archive Collected Data, Visual Basic, Windows Service, Modify Registry, Windows Command Shell, Masquerade Task or Service, Local Data Staging
S0401 Exaramel for Linux (Citation: ANSSI Sandworm January 2021) (Citation: ESET TeleBots Oct 2018) Ingress Tool Transfer, System Owner/User Discovery, Web Protocols, Create or Modify System Process, Deobfuscate/Decode Files or Information, Fallback Channels, Systemd Service, File Deletion, Setuid and Setgid, Obfuscated Files or Information, Unix Shell, Cron
S0606 Bad Rabbit (Citation: Dragos IT ICS Ransomware) (Citation: ESET Bad Rabbit) (Citation: Secure List Bad Rabbit) (Citation: Secureworks IRON VIKING ) Data Encrypted for Impact, Password Spraying, Firmware Corruption, Service Execution, Scheduled Task, Match Legitimate Name or Location, Drive-by Compromise, LSASS Memory, Bypass User Account Control, Process Discovery, Network Share Discovery, Exploitation of Remote Services, Rundll32, Malicious File, Native API
S0342 GreyEnergy (Citation: ESET GreyEnergy Oct 2018) (Citation: Secureworks IRON VIKING ) Multi-hop Proxy, Rundll32, File Deletion, Windows Service, Web Protocols, Code Signing, System Service Discovery, Asymmetric Cryptography, Windows Command Shell, Ingress Tool Transfer, Portable Executable Injection, Symmetric Cryptography, Modify Registry, Software Packing, Keylogging, Obfuscated Files or Information, LSASS Memory
S0365 Olympic Destroyer (Citation: CrowdStrike GTR 2019) (Citation: Secureworks IRON VIKING ) (Citation: Talos Olympic Destroyer 2018) (Citation: Trend Micro Cyclops Blink March 2022) (Citation: UK NCSC Olympic Attacks October 2020) (Citation: US District Court Indictment GRU Unit 74455 October 2020) System Network Configuration Discovery, Credentials from Web Browsers, Service Stop, System Shutdown/Reboot, Clear Windows Event Logs, Data Destruction, Lateral Tool Transfer, Windows Management Instrumentation, Remote System Discovery, Network Share Discovery, Service Execution, SMB/Windows Admin Shares, Inhibit System Recovery, LSASS Memory
S0598 P.A.S. Webshell (Citation: ANSSI Sandworm January 2021) (Citation: Fobushell) (Citation: NCCIC AR-17-20045 February 2017) Deobfuscate/Decode Files or Information, File and Directory Discovery, Web Shell, Data from Local System, Linux and Mac File and Directory Permissions Modification, Web Protocols, Command and Scripting Interpreter, Software Discovery, Obfuscated Files or Information, File Deletion, Network Service Discovery, Data from Information Repositories, Password Guessing, Ingress Tool Transfer, Local Account
S0089 BlackEnergy (Citation: F-Secure BlackEnergy 2014) (Citation: iSIGHT Sandworm 2014) (Citation: Secureworks IRON VIKING ) (Citation: UK NCSC Olympic Attacks October 2020) (Citation: US District Court Indictment GRU Unit 74455 October 2020) Bypass User Account Control, Windows Management Instrumentation, Credentials from Web Browsers, Indicator Removal, Screen Capture, Dynamic-link Library Injection, Code Signing Policy Modification, Process Discovery, File and Directory Discovery, Network Service Discovery, SMB/Windows Admin Shares, System Network Connections Discovery, Peripheral Device Discovery, Shortcut Modification, Credentials In Files, Keylogging, Windows Service, Clear Windows Event Logs, Registry Run Keys / Startup Folder, Data Destruction, Services File Permissions Weakness, System Network Configuration Discovery, System Information Discovery, Fallback Channels, Web Protocols
S0368 NotPetya (Citation: Diskcoder.C) (Citation: ESET Telebots June 2017) (Citation: ExPetr) (Citation: GoldenEye) (Citation: NCSC Sandworm Feb 2020) (Citation: Nyetya) (Citation: Petrwrap) (Citation: Secureworks IRON VIKING ) (Citation: Talos Nyetya June 2017) (Citation: Trend Micro Cyclops Blink March 2022) (Citation: UK NCSC Olympic Attacks October 2020) (Citation: US District Court Indictment GRU Unit 74455 October 2020) (Citation: US-CERT NotPetya 2017) Clear Windows Event Logs, Service Execution, Scheduled Task, SMB/Windows Admin Shares, Security Software Discovery, Windows Management Instrumentation, Exploitation of Remote Services, File and Directory Discovery, LSASS Memory, System Shutdown/Reboot, Data Encrypted for Impact, Masquerading, Rundll32, Local Accounts
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Dragos Crashoverride 2018) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0687 Cyclops Blink (Citation: NCSC CISA Cyclops Blink Advisory February 2022) (Citation: NCSC Cyclops Blink February 2022) (Citation: Trend Micro Cyclops Blink March 2022) Native API, Asymmetric Cryptography, Timestomp, Match Legitimate Name or Location, System Information Discovery, Component Firmware, Data from Local System, File and Directory Discovery, Disable or Modify System Firewall, Exfiltration Over C2 Channel, Process Discovery, System Network Configuration Discovery, Non-Standard Encoding, Multi-hop Proxy, Inter-Process Communication, Ingress Tool Transfer, Web Protocols, RC Scripts, Deobfuscate/Decode Files or Information, Protocol Tunneling, Non-Standard Port
S0231 Invoke-PSImage (Citation: GitHub Invoke-PSImage) (Citation: US District Court Indictment GRU Unit 74455 October 2020) Steganography, Embedded Payloads
S0607 KillDisk (Citation: ESEST Black Energy Jan 2016) (Citation: KillDisk Ransomware) (Citation: Secureworks IRON VIKING ) (Citation: Trend Micro KillDisk 1) (Citation: Trend Micro KillDisk 2) (Citation: US District Court Indictment GRU Unit 74455 October 2020) File and Directory Discovery, Native API, System Information Discovery, Shared Modules, Process Discovery, Obfuscated Files or Information, Service Stop, Clear Windows Event Logs, System Shutdown/Reboot, Disk Structure Wipe, Data Encrypted for Impact, File Deletion, Masquerade Task or Service, Access Token Manipulation, Data Destruction
S0604 Industroyer (Citation: CRASHOVERRIDE) (Citation: Dragos Crashoverride 2017) (Citation: Dragos Crashoverride 2018) (Citation: ESET Industroyer) (Citation: Secureworks IRON VIKING) (Citation: Win32/Industroyer) Windows Service, Data Destruction, Network Service Discovery, Valid Accounts, Compromise Client Software Binary, Ingress Tool Transfer, Remote System Discovery, File and Directory Discovery, Protocol Tunneling, System Network Configuration Discovery, Service Stop, Exfiltration Over C2 Channel, Web Protocols, Multi-hop Proxy, System Information Discovery, Application or System Exploitation, Deobfuscate/Decode Files or Information, Query Registry, Obfuscated Files or Information
S0029 PsExec (Citation: Dragos Crashoverride 2018) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

  1. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  2. Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.
  3. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
  4. Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  5. NCSC, CISA, FBI, NSA. (2022, February 23). New Sandworm malware Cyclops Blink replaces VPNFilter. Retrieved March 3, 2022.
  6. Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.
  7. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  8. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  9. Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved June 10, 2020.
  10. Cherepanov, A. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.
  11. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
  12. Dragos Inc. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.
  13. NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.
  14. UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games. Retrieved November 30, 2020.
  15. Ward, S. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020.
  16. Wu, W. (2014, October 14). An Analysis of Windows Zero-day Vulnerability ‘CVE-2014-4114’ aka “Sandworm”. Retrieved June 18, 2020.
  17. Li, H. (2013, November 5). McAfee Labs Detects Zero-Day Exploit Targeting Microsoft Office. Retrieved June 18, 2020.
  18. CrowdStrike. (2019, January). 2019 Global Threat Report. Retrieved June 10, 2020.
  19. US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved June 10, 2020.
  20. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  21. Hultquist, J. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.
  22. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  23. Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.
  24. Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.
  25. Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.
  26. Muncaster, P. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017.
  27. Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020.
