Sandworm Team
Sandworm Team is a destructive Russian threat group that has been attributed to Russian GRU Unit 74455 by the U.S. Department of Justice and U.K. National Cyber Security Centre. Sandworm Team's most notable attacks include the 2015 and 2016 targeting of Ukrainian electrical companies and 2017's NotPetya attacks. Sandworm Team has been active since at least 2009.[1][2][3][4]
Associated Group Descriptions

Name | Description
---|---
ELECTRUM |
Telebots |
IRON VIKING |
BlackEnergy (Group) |
Quedagh | Based on similarities between TTPs, malware, and targeting, Sandworm Team and Quedagh appear to refer to the same group.[1][7]
VOODOO BEAR |
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1087.002 | Account Discovery: Domain Account | Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.[8]
Enterprise | T1087.003 | Account Discovery: Email Account | Sandworm Team used malware to enumerate email settings, including usernames and passwords, from the M.E.Doc application.[9]
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Sandworm Team's BCS-server tool connects to the designated C2 server via HTTP.[8]
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Sandworm Team has created VBScripts to run an SSH server.[10][8][11]
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Sandworm Team's CredRaptor tool can collect saved passwords from various internet browsers.[8]
Enterprise | T1485 | Data Destruction | Sandworm Team has used the BlackEnergy KillDisk component to overwrite files on Windows-based Human-Machine Interfaces.[12][11]
Enterprise | T1132.001 | Data Encoding: Standard Encoding | Sandworm Team's BCS-server tool uses Base64 encoding and HTML tags for its communication traffic with the C2 server.[8]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Sandworm Team's VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group has also decrypted received information using the Triple DES algorithm and decompressed it using GZip.[8][9]
Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | Sandworm Team has used the BlackEnergy KillDisk component to corrupt the infected system's master boot record.[12][11]
Enterprise | T1041 | Exfiltration Over C2 Channel | Sandworm Team has sent system information to its C2 server using HTTP.[8]
Enterprise | T1203 | Exploitation for Client Execution | Sandworm Team has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and Microsoft Word via crafted TIFF images (CVE-2013-3906).[13][14][15]
Enterprise | T1133 | External Remote Services | Sandworm Team has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. Sandworm Team has also used VPN tunnels established in legitimate software company infrastructure to gain access to the internal networks of that software company's users.[10][11]
Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | Sandworm Team has used backdoors that can delete files used in an attack from an infected system.[8][9]
Enterprise | T1105 | Ingress Tool Transfer | Sandworm Team's Python backdoor can push additional malicious tools to an infected system.[8]
Enterprise | T1056.001 | Input Capture: Keylogging | Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.[8]
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Sandworm Team has avoided detection by naming a malicious binary explorer.exe.[8]
Enterprise | T1040 | Network Sniffing | Sandworm Team has used Intercepter-NG to sniff passwords in network traffic.[8]
Enterprise | T1571 | Non-Standard Port | Sandworm Team has used port 6789 to accept connections on the group's SSH server.[10]
Enterprise | T1027 | Obfuscated Files or Information | Sandworm Team has used Base64 encoding within malware variants. Sandworm Team has also used ROT13 encoding, AES encryption, and compression with the zlib library for their Python-based backdoor.[13][8]
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Sandworm Team's plainpwd tool is a modified version of Mimikatz and dumps Windows credentials from system memory.[8][11]
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Sandworm Team has delivered malicious Microsoft Office attachments via spearphishing emails.[13][12][8]
Enterprise | T1090 | Proxy | Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic from the adversary-controlled C2 to internal servers which may not be connected to the internet but are interconnected locally.[8]
Enterprise | T1219 | Remote Access Software | Sandworm Team has used remote administration tools or remote industrial control system client software to maliciously release electricity breakers.[12]
Enterprise | T1018 | Remote System Discovery | Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about computers listed in AD.[8]
Enterprise | T1218.011 | Signed Binary Proxy Execution: Rundll32 | Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe.[9]
Enterprise | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Sandworm Team has distributed NotPetya by compromising the legitimate Ukrainian accounting software M.E.Doc and replacing a legitimate software update with a malicious one.[16][11]
Enterprise | T1082 | System Information Discovery | Sandworm Team used a backdoor to enumerate information about the infected system's operating system.[9]
Enterprise | T1016 | System Network Configuration Discovery | Sandworm Team used malware to enumerate proxy settings from the M.E.Doc application.[9]
Enterprise | T1204.002 | User Execution: Malicious File | Sandworm Team has delivered spearphishing attachments with malicious macros embedded within files.[8]
Enterprise | T1078 | Valid Accounts | Sandworm Team has used previously acquired legitimate credentials prior to attacks.[12]
Enterprise | T1102.002 | Web Service: Bidirectional Communication | Sandworm Team has used the Telegram Bot API from Telegram Messenger to send and receive commands to its Python backdoor. Sandworm Team also used legitimate M.E.Doc software update check requests for sending and receiving commands and hosted malicious payloads on putdrive.com.[8][11]
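The Data Encoding (T1132.001) and Deobfuscate/Decode (T1140) rows above describe C2 traffic that is Base64-encoded, wrapped in HTML tags, and GZip-compressed. The following analyst helper is an added example, not code from the page or from any of the cited reports: it strips tags from a captured response, Base64-decodes the remaining text, and gunzips it when the gzip magic bytes are present. The sample response and its tag layout are constructed for illustration (the page does not give the exact wrapping), and the Triple DES layer is not modelled because it would need a key the page does not provide.

```python
import base64
import gzip
import re
from typing import Optional

# Constructed sample: a gzip-compressed message, Base64-encoded and placed
# inside HTML tags. The tag layout is an assumption; the page only states
# that BCS-server uses Base64 and HTML tags, not how they are arranged.
_PLAINTEXT = b"hostname=WKS-01;os=Windows 7;user=operator"
SAMPLE_RESPONSE = (
    '<html><body><div id="data">'
    + base64.b64encode(gzip.compress(_PLAINTEXT)).decode()
    + "</div></body></html>"
)

TAG_RE = re.compile(r"<[^>]+>")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
GZIP_MAGIC = b"\x1f\x8b"


def strip_tags(html: str) -> str:
    """Remove HTML tags and surrounding whitespace, keeping only text nodes."""
    return TAG_RE.sub("", html).strip()


def looks_like_base64(text: str) -> bool:
    """Cheap syntactic check before attempting a strict decode."""
    return len(text) % 4 == 0 and bool(B64_RE.match(text))


def decode_wrapped_payload(html: str) -> Optional[bytes]:
    """Return the decoded (and, if gzip-compressed, decompressed) payload,
    or None when the tag-stripped body is not Base64 at all."""
    text = strip_tags(html)
    if not looks_like_base64(text):
        return None
    raw = base64.b64decode(text, validate=True)
    # GZip streams start with 1f 8b; anything else is returned as decoded.
    if raw[:2] == GZIP_MAGIC:
        return gzip.decompress(raw)
    return raw


if __name__ == "__main__":
    print(decode_wrapped_payload(SAMPLE_RESPONSE))
```

Checking for the gzip magic rather than always calling `gzip.decompress` matters in triage: a channel that mixes compressed and uncompressed messages would otherwise raise on the plain ones, and an analyst reviewing a capture wants both forms surfaced.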
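The Masquerading row (T1036.005) notes a malicious binary named explorer.exe. One standard detection is to compare each running process's image path against the directory where a binary of that name legitimately lives. The check below is an added example written for this page, not code from the page or the cited reports; the expected-location map and the process list are constructed, and a real deployment would feed it from EDR or Sysmon process-creation telemetry.

```python
from pathlib import PureWindowsPath

# Assumed default locations for well-known Windows binaries (constructed
# allow-list for this example; extend from your own golden-image inventory).
EXPECTED_LOCATIONS = {
    "explorer.exe": {r"C:\Windows"},
    "svchost.exe": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "lsass.exe": {r"C:\Windows\System32"},
}

# Constructed sample process list in the shape of {pid, image path}.
SAMPLE_PROCESSES = [
    {"pid": 1234, "image": r"C:\Windows\explorer.exe"},
    {"pid": 4321, "image": r"C:\Users\operator\AppData\Local\Temp\explorer.exe"},
    {"pid": 888, "image": r"C:\WINDOWS\System32\svchost.exe"},
    {"pid": 999, "image": r"C:\ProgramData\svchost.exe"},
    {"pid": 555, "image": r"C:\Program Files\Vendor\app.exe"},
]


def is_masquerading(image_path: str) -> bool:
    """True when the file name matches a known system binary but the parent
    directory is not one of that binary's expected locations."""
    path = PureWindowsPath(image_path)
    expected = EXPECTED_LOCATIONS.get(path.name.lower())
    if expected is None:
        return False  # not a name we track; no verdict
    parent = str(path.parent).lower()
    return parent not in {e.lower() for e in expected}


def find_masquerading(processes):
    """Return the PIDs of processes whose image path fails the location check."""
    return [p["pid"] for p in processes if is_masquerading(p["image"])]


if __name__ == "__main__":
    print(find_masquerading(SAMPLE_PROCESSES))
```

Name-and-path matching is a first pass only: it will not catch a renamed binary whose path is also forged, so pair it with signature verification or hash comparison of the image on disk.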
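The Non-Standard Port row (T1571) records an SSH server listening on port 6789, and the External Remote Services row (T1133) records Dropbear SSH used for persistence. A network-side check is to flag any connection whose identified application protocol does not match the port it runs on. The script below is an added example, not the page's or any vendor's code; it reads constructed, simplified connection records in a Zeek conn.log-like tab-separated layout (only a handful of the real columns are kept) and reports SSH seen on ports other than 22.

```python
import csv
from io import StringIO

# Constructed sample records. The column subset mimics Zeek's conn.log
# (ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service); a real
# conn.log has more fields, and "-" means the service was not identified.
SAMPLE_CONN_LOG = """\
ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1460000000.1\t10.0.0.5\t51000\t10.0.0.20\t22\ttcp\tssh
1460000001.2\t10.0.0.5\t51001\t10.0.0.21\t6789\ttcp\tssh
1460000002.3\t10.0.0.6\t51002\t10.0.0.22\t443\ttcp\tssl
1460000003.4\t10.0.0.7\t51003\t10.0.0.23\t6789\ttcp\t-
"""

# Ports on which each identified service is expected (assumed policy).
STANDARD_PORTS = {"ssh": {22}, "ssl": {443}}


def parse_conn_log(text: str):
    """Parse tab-separated records with a header row into dicts."""
    return list(csv.DictReader(StringIO(text), delimiter="\t"))


def find_off_port_services(records):
    """Return (responder host, port, service) for every connection whose
    identified service is running on a port outside its expected set."""
    hits = []
    for r in records:
        service = r["service"]
        port = int(r["id.resp_p"])
        if service in STANDARD_PORTS and port not in STANDARD_PORTS[service]:
            hits.append((r["id.resp_h"], port, service))
    return hits


if __name__ == "__main__":
    print(find_off_port_services(parse_conn_log(SAMPLE_CONN_LOG)))
```

The last sample line shows the limit of this approach: a 6789/tcp flow whose protocol was not identified ("-") is not flagged, so the check depends on the sensor performing protocol detection rather than trusting port numbers. Unexplained long-lived flows to unusual ports are worth a separate review.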
References
- Hultquist, J. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.
- Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.
- Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved June 18, 2020.
- NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.
- Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.
- Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.
- F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
- Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
- Cherepanov, A. (2017, July 4). Analysis of TeleBots' cunning backdoor. Retrieved June 11, 2020.
- Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved June 10, 2020.
- Cherepanov, A. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.
- US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved June 10, 2020.
- Ward, S.. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020.
- Wu, W. (2014, October 14). An Analysis of Windows Zero-day Vulnerability ‘CVE-2014-4114’ aka “Sandworm”. Retrieved June 18, 2020.
- Li, H. (2013, November 5). McAfee Labs Detects Zero-Day Exploit Targeting Microsoft Office. Retrieved June 18, 2020.
- Counter Threat Research Team. (2017, June 28). NotPetya Campaign: What We Know About the Latest Global Ransomware Attack. Retrieved June 11, 2020.
- Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
- CrowdStrike. (2019, January). 2019 Global Threat Report. Retrieved June 10, 2020.