Sandworm Team

Sandworm Team is a destructive Russian threat group that has been attributed to Russian GRU Unit 74455 by the U.S. Department of Justice and U.K. National Cyber Security Centre. Sandworm Team's most notable attacks include the 2015 and 2016 targeting of Ukrainian electrical companies and 2017's NotPetya attacks. Sandworm Team has been active since at least 2009.[1][2][3][4]

Associated Group Descriptions

Name: Description

ELECTRUM: [5]

Telebots: [4]

IRON VIKING: [6]

BlackEnergy (Group): [4]

Quedagh: Based on similarities between TTPs, malware, and targeting, Sandworm Team and Quedagh appear to refer to the same group.[1][7]

VOODOO BEAR: [2]

Techniques Used

Domain ID Name Use
Enterprise VT0002 External Remote Services

Sandworm Team has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. Sandworm Team has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company's users.[8][9]

Enterprise VT0018 Input Capture

Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.[10]

Enterprise VT0019 Network Sniffing

Sandworm Team has used intercepter-NG to sniff passwords in network traffic.[10]

Enterprise VT0004 .002 Supply Chain Compromise: Compromise Software Supply Chain

Sandworm Team has distributed NotPetya by compromising the legitimate Ukrainian accounting software M.E.Doc and replacing a legitimate software update with a malicious one.[11][9]

Enterprise VT0005 Valid Accounts

Sandworm Team has used previously acquired legitimate credentials prior to attacks.[12]

References

ID: VG0003

Associated Groups: ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, VOODOO BEAR

Version: 1.0

Created: 06 January 2021

Last Modified: 06 January 2021