Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]

ID: G0034
Associated Groups: ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, Voodoo Bear, IRIDIUM, Seashell Blizzard, FROZENBARENTS, APT44
Contributors: Dragos Threat Intelligence; Hakan KARABACAK
Version: 4.2
Created: 31 May 2017
Last Modified: 04 December 2024

Associated Group Descriptions

Name Description
ELECTRUM [8][2]
Telebots [6][1][2]
IRON VIKING [9][1][2]
BlackEnergy (Group) [6][2]
Quedagh [3][10][2]
Voodoo Bear [4][1][2]
IRIDIUM [11]
Seashell Blizzard [12]
FROZENBARENTS [13]
APT44 [14]

Campaigns

ID Name First Seen Last Seen References Techniques

C0028 2015 Ukraine Electric Power Attack
First Seen: December 2015 [15]
Last Seen: January 2016 [15]
References: [16][1]
Techniques: Block Command Message, Block Reporting Message, Block Serial COM, Commonly Used Port, Connection Proxy, Denial of Control, Denial of Service, Device Restart/Shutdown, External Remote Services, Graphical User Interface, Lateral Tool Transfer, Loss of Availability, Loss of Control, Loss of Productivity and Revenue, Manipulation of Control, Remote Services, Remote System Discovery, System Firmware, Unauthorized Command Message, Valid Accounts, Modify Registry, Create Account: Domain Account, Command and Scripting Interpreter: Visual Basic, External Remote Services, Impair Defenses: Disable or Modify Tools, Application Layer Protocol: Web Protocols, Valid Accounts, Lateral Tool Transfer, User Execution: Malicious File, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, Network Sniffing, Ingress Tool Transfer, Input Capture: Keylogging, Process Injection, Remote System Discovery, Phishing: Spearphishing Attachment

C0025 2016 Ukraine Electric Power Attack
First Seen: December 2016 [17][18]
Last Seen: December 2016 [17][18]
References: [1][19]
Techniques: Command-Line Interface, Lateral Tool Transfer, Masquerading, Remote Services, Scripting, Valid Accounts, Windows Management Instrumentation, Compromise Host Software Binary, Masquerading: Masquerade File Type, Masquerading: Match Legitimate Name or Location, Masquerading: Masquerade Account Name, Create or Modify System Process: Windows Service, Create Account, Create Account: Domain Account, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable Windows Event Logging, OS Credential Dumping: LSASS Memory, Brute Force, Server Software Component: SQL Stored Procedures, Lateral Tool Transfer, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Account Manipulation, Remote Services: SMB/Windows Admin Shares, Remote System Discovery

C0034 2022 Ukraine Electric Power Attack
First Seen: June 2022 [20]
Last Seen: October 2022 [20]
References: [20][21]
Techniques: Autorun Image, Command-Line Interface, Scripting, System Binary Proxy Execution, Unauthorized Command Message, Masquerading: Masquerade Task or Service, Create or Modify System Process: Systemd Service, Protocol Tunneling, Command and Scripting Interpreter: PowerShell, Domain or Tenant Policy Modification: Group Policy Modification, Data Destruction, Server Software Component: Web Shell, Lateral Tool Transfer, Non-Application Layer Protocol, Scheduled Task/Job: Scheduled Task

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

Sandworm Team has used Impacket’s WMIexec module for remote code execution and VBScript to run WMI queries.[18][11]

During the 2016 Ukraine Electric Power Attack, WMI in scripts was used for remote execution and system surveys.[18]

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

Sandworm Team has scanned network infrastructure for vulnerabilities as part of its operational planning.[1]

Enterprise T1554 Compromise Host Software Binary

During the 2016 Ukraine Electric Power Attack, Sandworm Team used a trojanized version of Windows Notepad to add a layer of persistence for Industroyer.[17]

Enterprise T1213 Data from Information Repositories

Sandworm Team exfiltrates data of interest from enterprise databases using Adminer.[13]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Sandworm Team's CredRaptor tool can collect saved passwords from various internet browsers.[22]

Enterprise T1005 Data from Local System

Sandworm Team has exfiltrated internal documents, files, and other data from compromised hosts.[1]

Enterprise T1090 Proxy

Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic from the adversary-controlled C2 to internal servers which may not be connected to the internet, but are interconnected locally.[22]

Enterprise T1036 Masquerading

Sandworm Team masqueraded malicious installers as Windows update packages to evade defense and entice users to execute binaries.[13]

.004 Masquerade Task or Service

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Systemd service units to masquerade GOGETTER malware as legitimate or seemingly legitimate services.[20]

.005 Match Legitimate Name or Location

Sandworm Team has avoided detection by naming a malicious binary explorer.exe.[22][1]

During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.[23]

.008 Masquerade File Type

During the 2016 Ukraine Electric Power Attack, Sandworm Team masqueraded executables as .txt files.[18]

.010 Masquerade Account Name

During the 2016 Ukraine Electric Power Attack, Sandworm Team created two new accounts, "admin" and "система" (System).[18]

Enterprise T1195 Supply Chain Compromise

Sandworm Team staged compromised versions of legitimate software installers on forums to achieve initial, untargeted access in victim environments.[14]

.002 Compromise Software Supply Chain

Sandworm Team has distributed NotPetya by compromising the legitimate Ukrainian accounting software M.E.Doc and replacing a legitimate software update with a malicious one.[24][25][1]

Enterprise T1199 Trusted Relationship

Sandworm Team has used dedicated network connections from one victim organization to gain unauthorized access to a separate organization.[1] Additionally, Sandworm Team has accessed Internet service providers and telecommunication entities that provide mobile connectivity.[14]

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Sandworm Team has crafted spearphishing emails with hyperlinks designed to trick unwitting recipients into revealing their account credentials.[1]

Enterprise T1112 Modify Registry

During the 2015 Ukraine Electric Power Attack, Sandworm Team modified in-registry Internet settings to lower internet security before launching rundll32.exe, which in turn launches the malware and communicates with C2 servers over the Internet.[15]

Enterprise T1543 .002 Create or Modify System Process: Systemd Service

During the 2022 Ukraine Electric Power Attack, Sandworm Team configured Systemd to maintain persistence of GOGETTER, specifying the WantedBy=multi-user.target configuration to run GOGETTER when the system begins accepting user logins.[20]
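The persistence described above hinges on an ordinary unit file with WantedBy=multi-user.target whose ExecStart points at a binary that does not belong to any package. The script below, an added defender-side example that is not part of the MITRE page or the cited reports, parses unit files and flags boot-enabled units whose ExecStart runs from a volatile or non-package path. The two unit files, the unit names and the path allowlists are constructed assumptions; tune TRUSTED_PREFIXES to the distribution being audited.

```python
"""Audit systemd unit definitions for boot-persistent services that launch
binaries from unexpected locations (added defender-side example; the sample
units and path lists below are constructed, not taken from the cited reports)."""
from __future__ import annotations

import shlex

# Path prefixes a package-managed daemon is normally launched from (assumption).
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                    "/bin/", "/sbin/", "/lib/", "/opt/")
# Locations writable by unprivileged users or meant to be temporary.
VOLATILE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


def parse_unit(text: str) -> dict[str, dict[str, list[str]]]:
    """Parse systemd's INI-like unit syntax; keys may repeat, so values are lists."""
    sections: dict[str, dict[str, list[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def exec_path(exec_start: str) -> str:
    """Program path from an ExecStart= value, minus systemd's optional
    prefix characters (-, @, :, +, !)."""
    argv = shlex.split(exec_start)
    return argv[0].lstrip("-@:+!") if argv else ""


def audit_unit(name: str, text: str) -> list[str]:
    """Reasons this unit deserves analyst attention (empty list if none)."""
    unit = parse_unit(text)
    wanted = unit.get("Install", {}).get("WantedBy", [])
    boot_persistent = any("multi-user.target" in w or "default.target" in w for w in wanted)
    reasons = []
    for line in unit.get("Service", {}).get("ExecStart", []):
        path = exec_path(line)
        if path.startswith(VOLATILE_PREFIXES):
            reasons.append(f"ExecStart runs from a volatile/user-writable path: {path}")
        elif not path.startswith(TRUSTED_PREFIXES):
            reasons.append(f"ExecStart runs from a non-package path: {path}")
    if reasons and boot_persistent:
        reasons.append(f"unit is enabled at boot via WantedBy={' '.join(wanted)}")
    return reasons


def audit_units(units: dict[str, str]) -> dict[str, list[str]]:
    """Audit a mapping of unit name -> unit file text; keep only flagged units."""
    return {name: r for name, text in units.items() if (r := audit_unit(name, text))}


# Constructed sample units: one ordinary daemon, one boot-enabled unit with a
# system-sounding name whose binary lives under /tmp.
SAMPLE_UNITS = {
    "sshd.service": """[Unit]
Description=OpenSSH server daemon
[Service]
ExecStart=/usr/sbin/sshd -D
[Install]
WantedBy=multi-user.target
""",
    "systemd-time-sync.service": """[Unit]
Description=Network Time Synchronisation
[Service]
ExecStart=/tmp/.cache/timesync --server 203.0.113.10
Restart=always
[Install]
WantedBy=multi-user.target
""",
}

if __name__ == "__main__":
    for unit_name, reasons in audit_units(SAMPLE_UNITS).items():
        print(unit_name)
        for reason in reasons:
            print("  -", reason)
```

On a live host the same functions can be fed the contents of /etc/systemd/system and /usr/lib/systemd/system; units whose ExecStart falls outside the package-managed prefixes but are enabled at boot are the ones worth comparing against the package database.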

.003 Create or Modify System Process: Windows Service

During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.[23]

Enterprise T1136 .002 Create Account: Domain Account

During the 2015 Ukraine Electric Power Attack, Sandworm Team created privileged domain accounts to be used for further exploitation and lateral movement.[15]

During the 2016 Ukraine Electric Power Attack, Sandworm Team created two new accounts, "admin" and "система" (System). The accounts were then assigned to a domain matching local operation and were delegated new privileges.[18]

Enterprise T1190 Exploit Public-Facing Application

Sandworm Team exploits public-facing applications for initial access and to acquire infrastructure, such as exploitation of the EXIM mail transfer agent in Linux systems.[26][13]

Enterprise T1572 Protocol Tunneling

During the 2022 Ukraine Electric Power Attack, Sandworm Team deployed the GOGETTER tunneler software to establish a "Yamux" TLS-based C2 channel with one or more external servers.[20]

Enterprise T1140 Deobfuscate/Decode Files or Information

Sandworm Team's VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group also decrypts received information using the Triple DES algorithm and decompresses it using GZip.[22][27]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Sandworm Team has used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.[1][18]

During the 2016 Ukraine Electric Power Attack, Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.[18]

During the 2022 Ukraine Electric Power Attack, Sandworm Team utilized a PowerShell utility called TANKTRAP to spread and launch a wiper using Windows Group Policy.[20]

.003 Command and Scripting Interpreter: Windows Command Shell

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL.[18]

.005 Command and Scripting Interpreter: Visual Basic

Sandworm Team has created VBScripts to run an SSH server.[28][22][25][18]

During the 2015 Ukraine Electric Power Attack, Sandworm Team installed a VBA script called vba_macro.exe. This macro dropped FONTCACHE.DAT, the primary BlackEnergy implant; rundll32.exe, for executing the malware; NTUSER.log, an empty file; and desktop.ini, the default file used to determine folder displays on Windows machines.[15]

During the 2016 Ukraine Electric Power Attack, Sandworm Team created VBScripts to run on an SSH server.[18]

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Group Policy Objects (GPOs) to deploy and execute malware.[20]

Enterprise T1584 .004 Compromise Infrastructure: Server

Sandworm Team compromised legitimate Linux servers running the EXIM mail transfer agent for use in subsequent campaigns.[26][13]

.005 Compromise Infrastructure: Botnet

Sandworm Team has used a large-scale botnet to target Small Office/Home Office (SOHO) network devices.[29]

Enterprise T1133 External Remote Services

Sandworm Team has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. Sandworm Team has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company's users.[28][25][30][14]

During the 2015 Ukraine Electric Power Attack, Sandworm Team installed a modified Dropbear SSH client as the backdoor to target systems.[15]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

During the 2015 Ukraine Electric Power Attack, Sandworm Team modified in-registry internet settings to lower internet security.[15]

.002 Impair Defenses: Disable Windows Event Logging

During the 2016 Ukraine Electric Power Attack, Sandworm Team disabled event logging on compromised systems.[18]

Enterprise T1203 Exploitation for Client Execution

Sandworm Team has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and Microsoft Word via crafted TIFF images (CVE-2013-3906).[31][32][33]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Sandworm Team's BCS-server tool connects to the designated C2 server via HTTP.[22]

During the 2015 Ukraine Electric Power Attack, Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP POST requests.[15]

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Sandworm Team has established social media accounts to disseminate victim internal-only documents and other sensitive data.[1]

.002 Establish Accounts: Email Accounts

Sandworm Team has created email accounts that mimic legitimate organizations for its spearphishing operations.[1]

Enterprise T1587 .001 Develop Capabilities: Malware

Sandworm Team has developed malware for its operations, including malicious mobile applications and destructive malware such as NotPetya and Olympic Destroyer.[1]

Enterprise T1594 Search Victim-Owned Websites

Sandworm Team has conducted research against potential victim websites as part of its operational planning.[1]

Enterprise T1593 Search Open Websites/Domains

Sandworm Team researched Ukraine's unique legal entity identifier (called an "EDRPOU" number), including running queries on the EDRPOU website, in preparation for the NotPetya attack. Sandworm Team has also researched third-party websites to help it craft credible spearphishing emails.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Sandworm Team has used its plainpwd tool, a modified version of Mimikatz, and comsvcs.dll to dump Windows credentials from system memory.[22][25][11]

During the 2016 Ukraine Electric Power Attack, Sandworm Team used Mimikatz to capture and use legitimate credentials.[18]

.003 OS Credential Dumping: NTDS

Sandworm Team has used ntdsutil.exe to back up the Active Directory database, likely for credential access.[11]

Enterprise T1592 .002 Gather Victim Host Information: Software

Sandworm Team has researched software code to enable supply-chain operations, most notably for the 2017 NotPetya attack. Sandworm Team also collected a list of computers using specific software as part of its targeting efforts.[1]

Enterprise T1591 .002 Gather Victim Org Information: Business Relationships

In preparation for its attack against the 2018 Winter Olympics, Sandworm Team conducted online research of partner organizations listed on an official PyeongChang Olympics partnership site.[1]

Enterprise T1590 .001 Gather Victim Network Information: Domain Properties

Sandworm Team conducted technical reconnaissance of the Parliament of Georgia's official internet domain prior to its 2019 attack.[1]

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

Sandworm Team has obtained valid email addresses while conducting research against target organizations; these were subsequently used in spearphishing campaigns.[1]

.003 Gather Victim Identity Information: Employee Names

Sandworm Team's research of potential victim organizations included the identification and collection of employee information.[1]

Enterprise T1486 Data Encrypted for Impact

Sandworm Team has used Prestige ransomware to encrypt data at targeted organizations in transportation and related logistics industries in Ukraine and Poland.[11]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Sandworm Team's BCS-server tool uses base64 encoding and HTML tags for its communication traffic with the C2 server.[22]

Enterprise T1485 Data Destruction

Sandworm Team has used CaddyWiper, SDelete, and the BlackEnergy KillDisk component to overwrite files on victim systems.[34][25][20] Additionally, Sandworm Team has used the JUNKMAIL tool to overwrite files with null bytes.[14]

During the 2022 Ukraine Electric Power Attack, Sandworm Team deployed CaddyWiper on the victim’s IT environment systems to wipe files related to the OT capabilities, along with mapped drives, and physical drive partitions.[20]

Enterprise T1083 File and Directory Discovery

Sandworm Team has enumerated files on a compromised host.[1][18]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

Sandworm Team staged compromised versions of legitimate software installers in forums to gain initial access to the systems of users who executed them.[14]

Enterprise T1110 Brute Force

During the 2016 Ukraine Electric Power Attack, Sandworm Team used a script to attempt RPC authentication against a number of hosts.[18]

Enterprise T1078 Valid Accounts

Sandworm Team has used previously acquired legitimate credentials prior to attacks.[34]

During the 2015 Ukraine Electric Power Attack, Sandworm Team used valid accounts on the corporate network to escalate privileges, move laterally, and establish persistence within the corporate network.[35]

.002 Domain Accounts

Sandworm Team has used stolen credentials to access administrative accounts within the domain.[1][11]

Enterprise T1489 Service Stop

Sandworm Team attempts to stop the MSSQL Windows service to ensure successful encryption of locked files.[11]

Enterprise T1505 .001 Server Software Component: SQL Stored Procedures

During the 2016 Ukraine Electric Power Attack, Sandworm Team used various MS-SQL stored procedures.[18]

.003 Server Software Component: Web Shell

Sandworm Team has used webshells including P.A.S. Webshell to maintain access to victim networks.[30]

During the 2022 Ukraine Electric Power Attack, Sandworm Team deployed the Neo-REGEORG webshell on an internet-facing server.[20]

Enterprise T1106 Native API

Sandworm Team uses Prestige to disable and restore file system redirection by using the following functions: Wow64DisableWow64FsRedirection() and Wow64RevertWow64FsRedirection().[11]

Enterprise T1570 Lateral Tool Transfer

Sandworm Team has used move to transfer files to a network share and has copied payloads, such as Prestige ransomware, to an Active Directory Domain Controller and distributed them via the Default Domain Group Policy Object.[18][11] Additionally, Sandworm Team has transferred an ISO file into the OT network to gain initial access.[20]

During the 2015 Ukraine Electric Power Attack, Sandworm Team moved their tools laterally within the corporate network and between the ICS and corporate network.[15]

During the 2016 Ukraine Electric Power Attack, Sandworm Team used move to transfer files to a network share.[18]

During the 2022 Ukraine Electric Power Attack, Sandworm Team used a Group Policy Object (GPO) to copy CaddyWiper's executable msserver.exe from a staging server to a local hard drive before deployment.[20]

Enterprise T1027 Obfuscated Files or Information

Sandworm Team has used Base64 encoding within malware variants.[31]

During the 2016 Ukraine Electric Power Attack, Sandworm Team used heavily obfuscated code with Industroyer in its Windows Notepad backdoor.[17]

.002 Software Packing

During the 2016 Ukraine Electric Power Attack, Sandworm Team used UPX to pack a copy of Mimikatz.[18]

.010 Command Obfuscation

Sandworm Team has used ROT13 encoding, AES encryption and compression with the zlib library for their Python-based backdoor.[22]

Enterprise T1204 .001 User Execution: Malicious Link

Sandworm Team has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.[1]

.002 User Execution: Malicious File

Sandworm Team has tricked unwitting recipients into clicking on spearphishing attachments and enabling malicious macros embedded within files.[22][1]

During the 2015 Ukraine Electric Power Attack, Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them.[35]

Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

Sandworm Team has used the BlackEnergy KillDisk component to corrupt the infected system's master boot record.[34][25]

Enterprise T1070 .004 Indicator Removal: File Deletion

Sandworm Team has used backdoors that can delete files used in an attack from an infected system.[22][27][20]

During the 2015 Ukraine Electric Power Attack, vba_macro.exe deleted itself after FONTCACHE.DAT, rundll32.exe, and the associated .lnk file were delivered.[15]

Enterprise T1539 Steal Web Session Cookie

Sandworm Team used information stealer malware to collect browser session cookies.[13]

Enterprise T1491 .002 Defacement: External Defacement

Sandworm Team defaced approximately 15,000 websites belonging to Georgian government, non-government, and private sector organizations in 2019.[1][2]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe.[27]

During the 2015 Ukraine Electric Power Attack, Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe.[15]

Enterprise T1082 System Information Discovery

Sandworm Team used a backdoor to enumerate information about the infected system's operating system.[27][1]

Enterprise T1490 Inhibit System Recovery

Sandworm Team uses Prestige to delete the backup catalog from the target system using C:\Windows\System32\wbadmin.exe delete catalog -quiet, and to delete volume shadow copies using C:\Windows\System32\vssadmin.exe delete shadows /all /quiet.[11]
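Both commands above are ordinary administrative tools, so the detection signal is the combination: the backup catalog and the shadow copies removed on the same host shortly before encryption starts. The script below, an added defender-side example that is not from the MITRE page or the cited report, runs two rules over process-creation records and reports the hosts where both fired. The tab-separated record layout, the host names, the parent image paths and every log line are constructed assumptions; only the two command lines matched are the ones the page names.

```python
"""Triage process-creation records for commands that remove Windows recovery
artefacts (backup catalog, volume shadow copies). Added defender-side example;
the record format and all log lines are constructed, not incident data."""
import re
from dataclasses import dataclass

# The page's two commands, matched regardless of full path, case or spacing.
RECOVERY_INHIBIT_PATTERNS = {
    "wbadmin_delete_catalog": re.compile(
        r"(?:^|[\\/\s])wbadmin(?:\.exe)?\s+delete\s+catalog\b", re.IGNORECASE),
    "vssadmin_delete_shadows": re.compile(
        r"(?:^|[\\/\s])vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
}


@dataclass
class Finding:
    line_no: int
    rule: str
    host: str
    parent_image: str
    command_line: str


def parse_event(line: str) -> dict:
    """Parse one constructed tab-separated record:
    timestamp, host, parent image, image, command line."""
    ts, host, parent, image, cmd = line.split("\t", 4)
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmd": cmd}


def detect(lines) -> list:
    """One Finding per (record, rule) match. The parent image is kept because
    a backup agent and an unknown binary under %TEMP% warrant different responses."""
    findings = []
    for n, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule, pattern in RECOVERY_INHIBIT_PATTERNS.items():
            if pattern.search(ev["cmd"]):
                findings.append(Finding(n, rule, ev["host"], ev["parent"], ev["cmd"]))
    return findings


def hosts_with_both(findings) -> set:
    """Hosts on which every rule fired: catalog and shadow copies removed
    together is the pre-encryption pattern the technique describes."""
    seen = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.rule)
    return {h for h, rules in seen.items() if len(rules) == len(RECOVERY_INHIBIT_PATTERNS)}


# Constructed sample records (timestamp, host, parent image, image, command line).
SAMPLE_LOG = (
    "2024-01-15T13:02:11Z\tFS01\tC:\\Windows\\System32\\services.exe\t"
    "C:\\Windows\\System32\\wbadmin.exe\twbadmin start backup -backupTarget:E: -include:C: -quiet\n"
    "2024-01-15T13:05:40Z\tWS17\tC:\\Users\\j.doe\\AppData\\Local\\Temp\\svcupd.exe\t"
    "C:\\Windows\\System32\\wbadmin.exe\tC:\\Windows\\System32\\wbadmin.exe delete catalog -quiet\n"
    "2024-01-15T13:05:41Z\tWS17\tC:\\Users\\j.doe\\AppData\\Local\\Temp\\svcupd.exe\t"
    "C:\\Windows\\System32\\vssadmin.exe\tC:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet\n"
    "2024-01-15T13:07:02Z\tFS01\tC:\\Windows\\explorer.exe\t"
    "C:\\Windows\\System32\\vssadmin.exe\tvssadmin list shadows\n"
)

if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"line {f.line_no}: {f.rule} on {f.host} (parent {f.parent_image})")
    print("hosts with both:", sorted(hosts_with_both(found)))
```

The legitimate backup job on FS01 and the read-only vssadmin list call are deliberately included so the rules can be checked against benign use of the same binaries; in a SIEM the same two patterns map directly onto Sysmon event 1 or Security event 4688 command-line fields.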

Enterprise T1033 System Owner/User Discovery

Sandworm Team has collected the username from a compromised host.[1]

Enterprise T1049 System Network Connections Discovery

Sandworm Team has gathered user, IP address, and server data related to RDP sessions on a compromised host. It has also accessed network diagram files useful for understanding how a host's network was configured.[1][18]

Enterprise T1499 Endpoint Denial of Service

Sandworm Team temporarily disrupted service to Georgian government, non-government, and private sector websites after compromising a Georgian web hosting provider in 2019.[1]

Enterprise T1040 Network Sniffing

Sandworm Team has used intercepter-NG to sniff passwords in network traffic.[22]

During the 2015 Ukraine Electric Power Attack, Sandworm Team used BlackEnergy’s network sniffer module to discover user credentials being sent over the network between the local LAN and the power grid’s industrial control systems.[36]

Enterprise T1102 .002 Web Service: Bidirectional Communication

Sandworm Team has used the Telegram Bot API from Telegram Messenger to send and receive commands to its Python backdoor. Sandworm Team also used legitimate M.E.Doc software update check requests for sending and receiving commands and hosted malicious payloads on putdrive.com.[22][25]

Enterprise T1583 Acquire Infrastructure

Sandworm Team used various third-party email campaign management services to deliver phishing emails.[13]

.001 Domains

Sandworm Team has registered domain names and created URLs that are often designed to mimic or spoof legitimate websites, such as email login pages, online file sharing and storage websites, and password reset pages, while also hosting these items on legitimate, compromised network infrastructure.[1][37]

.004 Server

Sandworm Team has leased servers from resellers instead of leasing infrastructure directly from hosting companies to enable its operations.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

Sandworm Team has acquired open-source tools for their operations, including Invoke-PSImage, which was used to establish an encrypted channel from a compromised host to Sandworm Team's C2 server in preparation for the 2018 Winter Olympics attack, as well as Impacket and RemoteExec, which were used in their 2022 Prestige operations.[1][11] Additionally, Sandworm Team has used Empire, Cobalt Strike and PoshC2.[14]

.006 Obtain Capabilities: Vulnerabilities

In 2017, Sandworm Team conducted technical research related to vulnerabilities associated with websites used by the Korean Sport and Olympic Committee, a Korean power company, and a Korean airport.[1]

Enterprise T1087 .002 Account Discovery: Domain Account

Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.[22]

.003 Account Discovery: Email Account

Sandworm Team used malware to enumerate email settings, including usernames and passwords, from the M.E.Doc application.[27]

Enterprise T1586 .001 Compromise Accounts: Social Media Accounts

Sandworm Team creates credential capture webpages to compromise existing, legitimate social media accounts.[37]

Enterprise T1098 Account Manipulation

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the sp_addlinkedsrvlogin command in MS-SQL to create a link between a created account and other servers in the network.[18]

Enterprise T1072 Software Deployment Tools

Sandworm Team has used the commercially available tool RemoteExec for agentless remote code execution.[11]

Enterprise T1105 Ingress Tool Transfer

Sandworm Team has pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.[22][1]

During the 2015 Ukraine Electric Power Attack, Sandworm Team pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.[15]

Enterprise T1056 .001 Input Capture: Keylogging

Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.[22]

During the 2015 Ukraine Electric Power Attack, Sandworm Team gathered account credentials via a BlackEnergy keylogger plugin.[15][35]

Enterprise T1055 Process Injection

During the 2015 Ukraine Electric Power Attack, Sandworm Team loaded BlackEnergy into svchost.exe, which then launched iexplore.exe for their C2.[15]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Sandworm Team has copied payloads to the ADMIN$ share of remote systems and run net use to connect to network shares.[18][11]

During the 2016 Ukraine Electric Power Attack, Sandworm Team utilized net use to connect to network shares.[18]

Enterprise T1018 Remote System Discovery

Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about computers listed in AD.[22][18]

During the 2015 Ukraine Electric Power Attack, Sandworm Team remotely discovered systems over LAN connections. OT systems were visible from the IT network as well, giving adversaries the ability to discover operational assets.[36]

During the 2016 Ukraine Electric Power Attack, Sandworm Team checked for connectivity to resources within the network and used LDAP to query Active Directory, discovering information about computers listed in AD.[18]

Enterprise T1219 Remote Access Software

Sandworm Team has used remote administration tools or remote industrial control system client software for execution and to maliciously release electricity breakers.[34][11]

Enterprise T1041 Exfiltration Over C2 Channel

Sandworm Team has sent system information to its C2 server using HTTP.[22]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Sandworm Team has delivered malicious Microsoft Office and ZIP file attachments via spearphishing emails.[31][34][22][1][38][14]

During the 2015 Ukraine Electric Power Attack, Sandworm Team obtained their initial foothold into many IT systems using Microsoft Office attachments delivered through phishing emails.[35]

.002 Phishing: Spearphishing Link

Sandworm Team has crafted phishing emails containing malicious hyperlinks.[1]

Enterprise T1095 Non-Application Layer Protocol

During the 2022 Ukraine Electric Power Attack, Sandworm Team proxied C2 communications within a TLS-based tunnel.[20]

Enterprise T1571 Non-Standard Port

Sandworm Team has used port 6789 to accept connections on the group's SSH server.[28]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Sandworm Team leveraged SHARPIVORY, a .NET dropper that writes embedded payload to disk and uses scheduled tasks to persist on victim machines.[14]

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.[20]

Mobile T1660 Phishing

Sandworm Team used SMS-based phishing to target victims with malicious links.[13]

Mobile T1409 Stored Application Data

Sandworm Team can collect encrypted Telegram and Signal communications.[14]

ICS T0895 Autorun Image

During the 2022 Ukraine Electric Power Attack, Sandworm Team used existing hypervisor access to map an ISO image named a.iso to a virtual machine running a SCADA server. The SCADA server’s operating system was configured to autorun CD-ROM images, and as a result, a malicious VBS script on the ISO image was automatically executed.[20]

ICS T0803 Block Command Message

During the 2015 Ukraine Electric Power Attack, Sandworm Team blocked command messages by using malicious firmware to render serial-to-ethernet converters inoperable.[35]

ICS T0804 Block Reporting Message

During the 2015 Ukraine Electric Power Attack, Sandworm Team blocked reporting messages by using malicious firmware to render serial-to-ethernet converters inoperable.[35]

ICS T0805 Block Serial COM

During the 2015 Ukraine Electric Power Attack, Sandworm Team overwrote the serial-to-ethernet converter firmware, rendering the devices inoperable. This meant that communication to the downstream serial devices was either impossible or more difficult.[15]

ICS T0807 Command-Line Interface

Sandworm Team uses the MS-SQL server xp_cmdshell command and PowerShell to execute commands.[39]

During the 2016 Ukraine Electric Power Attack, Sandworm Team supplied the name of the payload DLL to Industroyer via a command line parameter.[17]

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged the SCIL-API on the MicroSCADA platform to execute commands through the scilc.exe binary.[20]

ICS T0885 Commonly Used Port

During the 2015 Ukraine Electric Power Attack, Sandworm Team used port 443 to communicate with their C2 servers.[15]

ICS T0884 Connection Proxy

Sandworm Team establishes an internal proxy prior to the installation of backdoors within the network.[40]

During the 2015 Ukraine Electric Power Attack, Sandworm Team established an internal proxy prior to the installation of backdoors within the network.[15]

ICS T0813 Denial of Control

During the 2015 Ukraine Electric Power Attack, KillDisk rendered devices that were necessary for remote recovery unusable, including at least one RTU. Additionally, Sandworm Team overwrote the firmware for serial-to-ethernet converters, denying operators control of the downstream devices.[15][35]

ICS T0814 Denial of Service

During the 2015 Ukraine Electric Power Attack, power company phone line operators were hit with a denial of service attack so that they couldn’t field customers’ calls about outages. Operators were also denied service to their downstream devices when their serial-to-ethernet converters had their firmware overwritten, which bricked the devices.[35]

ICS T0816 Device Restart/Shutdown

During the 2015 Ukraine Electric Power Attack, Sandworm Team scheduled the uninterruptible power supplies (UPS) to shut down data and telephone servers via the UPS management interface.[35][15]

ICS T0819 Exploit Public-Facing Application

Sandworm Team actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet.[41][42]

ICS T0822 External Remote Services

During the 2015 Ukraine Electric Power Attack, Sandworm Team used Valid Accounts taken from the Windows Domain Controller to access the control system Virtual Private Network (VPN) used by grid operators.[15]

ICS T0823 Graphical User Interface

During the 2015 Ukraine Electric Power Attack, Sandworm Team utilized HMI GUIs in the SCADA environment to open breakers.[35]

ICS T0867 Lateral Tool Transfer

During the 2015 Ukraine Electric Power Attack, Sandworm Team moved their tools laterally within the ICS network.[15]

During the 2016 Ukraine Electric Power Attack, Sandworm Team used a VBS script to facilitate lateral tool transfer. The VBS script was used to copy ICS-specific payloads with the following command: cscript C:\Backinfo\ufn.vbs C:\Backinfo\101.dll C:\Delta\101.dll [18]

ICS T0826 Loss of Availability

During the 2015 Ukraine Electric Power Attack, Sandworm Team opened the breakers at the infected sites, shutting the power off for thousands of businesses and households for around 6 hours.[35][15]

ICS T0827 Loss of Control

During the 2015 Ukraine Electric Power Attack, operators were shut out of their equipment either through the denial of peripheral use or the degradation of equipment. Operators were therefore unable to recover from the incident through their traditional means. Much of the power was restored manually.[35]

ICS T0828 Loss of Productivity and Revenue

During the 2015 Ukraine Electric Power Attack, power breakers were opened, which left the operating companies unable to deliver power and left thousands of businesses and households without power for around 6 hours.[35][15]

ICS T0831 Manipulation of Control

During the 2015 Ukraine Electric Power Attack, Sandworm Team opened live breakers via remote commands to the HMI, causing blackouts.[35]

ICS T0849 Masquerading

During the 2016 Ukraine Electric Power Attack, Sandworm Team transferred executable files as .txt and then renamed them to .exe, likely to avoid detection through extension tracking.[18]
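The .txt-to-.exe renaming described here and under Masquerading: Masquerade File Type above defeats detection that trusts the extension alone; a content check does not. The script below is an added defender-side example, not code from the MITRE page or the cited reports: it classifies files by their DOS/PE header rather than their name and reports any file whose content contradicts its extension in either direction. The sample files (including the name 101.txt, chosen to echo the payload name on this page) are constructed in a temporary directory, and the extension list is an assumption.

```python
"""Detect executables hiding behind a non-executable extension by comparing
each file's magic bytes with its name. Added defender-side example; the sample
files are constructed in a temporary directory, not incident artefacts."""
import os
import struct
import tempfile

PE_SIGNATURE = b"PE\0\0"
# Extensions a PE image is expected to carry (assumption; extend as needed).
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".cpl"}


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes start with a DOS 'MZ' header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def classify(path: str) -> str:
    """'pe' for a Windows executable image, 'other' for anything else."""
    with open(path, "rb") as fh:
        head = fh.read(4096)  # covers the DOS header and a nearby PE header
    return "pe" if looks_like_pe(head) else "other"


def find_masqueraded(paths) -> list:
    """(path, reason) for every file whose content contradicts its extension."""
    findings = []
    for p in paths:
        ext = os.path.splitext(p)[1].lower()
        kind = classify(p)
        if kind == "pe" and ext not in EXECUTABLE_EXTS:
            findings.append((p, f"PE image stored with '{ext or '(none)'}' extension"))
        elif kind != "pe" and ext in EXECUTABLE_EXTS:
            findings.append((p, f"'{ext}' file without a PE header"))
    return findings


def build_fake_pe() -> bytes:
    """Minimal bytes carrying a DOS header and a PE signature at offset 0x80;
    enough to exercise the check, not a runnable binary."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    return bytes(header) + PE_SIGNATURE + b"\0" * 20


def make_samples(directory: str) -> list:
    """Write the constructed sample files and return their paths."""
    samples = {
        "readme.txt": b"Scheduled maintenance window: Saturday 02:00-04:00\n",
        "101.txt": build_fake_pe(),              # PE content behind a .txt name
        "svc.exe": build_fake_pe(),              # extension and content agree
        "update.exe": b"#!/bin/sh\necho hi\n",   # .exe name without a PE header
    }
    paths = []
    for name, content in samples.items():
        p = os.path.join(directory, name)
        with open(p, "wb") as fh:
            fh.write(content)
        paths.append(p)
    return paths


def demo() -> dict:
    """Create the samples in a temp dir; return {file name: reason} for flagged files."""
    with tempfile.TemporaryDirectory() as d:
        return {os.path.basename(p): r for p, r in find_masqueraded(make_samples(d))}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

Pointing find_masqueraded at a file-transfer staging directory or at SMB write events catches the transfer step itself, before the rename to .exe that the page describes.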

ICS T0886 Remote Services

During the 2015 Ukraine Electric Power Attack, Sandworm Team used IT helpdesk software to move the mouse on ICS control devices to maliciously release electricity breakers.[16]

During the 2016 Ukraine Electric Power Attack, Sandworm Team used MS-SQL access to a pivot machine, allowing code execution throughout the ICS network.[18]

ICS T0846 Remote System Discovery

During the 2015 Ukraine Electric Power Attack, Sandworm Team remotely discovered operational assets once on the OT network. [36][15]

ICS T0853 Scripting

During the 2016 Ukraine Electric Power Attack, Sandworm Team utilized VBS and batch scripts for file movement and as wrappers for PowerShell execution.[18]

During the 2022 Ukraine Electric Power Attack, Sandworm Team used a Visual Basic script, lun.vbs, to execute n.bat, which in turn executed the MicroSCADA scilc.exe command.[20]

ICS T0894 System Binary Proxy Execution

During the 2022 Ukraine Electric Power Attack, Sandworm Team executed a MicroSCADA application binary scilc.exe to send a predefined list of SCADA instructions specified in a file defined by the adversary, s1.txt. The executed command C:\sc\prog\exec\scilc.exe -do pack\scil\s1.txt leverages the SCADA software to send unauthorized command messages to remote substations.[20]
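The command lines quoted in the Lateral Tool Transfer, Masquerading, Scripting and System Binary Proxy Execution entries above are concrete process-creation patterns a defender can watch for. The Python below is an added example written for this page, not code from MITRE or from any of the cited reports: it runs three detection rules over constructed process-creation events in a Sysmon-like shape. The two suspicious command lines reproduce the ones quoted on the page; the benign events, the parent-image paths and the assumption that scilc.exe is not normally launched by a shell or script host are constructed for the example and would have to be checked against a site's own baseline.

```python
import ntpath
import re
import shlex
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample events (fields loosely modelled on Sysmon process-creation
# records). Events 0-2 reproduce the page's quoted command lines; events 3 and 4
# are hypothetical benign activity used to show the rules do not fire on it.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript C:\Backinfo\ufn.vbs C:\Backinfo\101.dll C:\Delta\101.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\sc\prog\exec\scilc.exe",
     "CommandLine": r"C:\sc\prog\exec\scilc.exe -do pack\scil\s1.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},   # the n.bat -> scilc.exe chain
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c rename C:\Users\Public\tools.txt tools.exe",   # constructed
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\sc\prog\exec\scilc.exe",
     "CommandLine": r"C:\sc\prog\exec\scilc.exe -do C:\sc\apl\daily_report.txt",   # hypothetical benign use
     "ParentImage": r"C:\sc\prog\exec\placeholder_scheduler.exe"},          # placeholder parent, assumed
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript C:\Scripts\inventory.vbs",                     # hypothetical benign script
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

# Shells and script hosts that, by assumption, should never be the parent of scilc.exe.
SCRIPT_HOSTS = {"cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def split_args(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping backslashes intact."""
    return shlex.split(cmdline, posix=False)


def rule_scilc_via_script_host(ev: Event) -> bool:
    """scilc.exe asked to run a SCIL file (-do) from a shell or script-host parent."""
    args = [a.lower() for a in split_args(ev["CommandLine"])]
    return (basename(ev["Image"]) == "scilc.exe"
            and "-do" in args
            and basename(ev["ParentImage"]) in SCRIPT_HOSTS)


def rule_vbs_dll_copy(ev: Event) -> bool:
    """A script host given a .vbs plus a .dll argument: the VBS-as-copy-wrapper pattern."""
    if basename(ev["Image"]) not in {"cscript.exe", "wscript.exe"}:
        return False
    args = [a.lower() for a in split_args(ev["CommandLine"])[1:]]
    return any(a.endswith(".vbs") for a in args) and any(a.endswith(".dll") for a in args)


# cmd's ren/rename/move and PowerShell's Rename-Item/Move-Item turning a .txt into a .exe.
RENAME_RE = re.compile(
    r"\b(?:ren|rename|move|rename-item|move-item)\b\s+(\S+\.txt)\s+(\S+\.exe)\b",
    re.IGNORECASE,
)


def rule_txt_to_exe_rename(ev: Event) -> bool:
    """Extension masquerade undone at execution time: a .txt renamed to .exe."""
    return RENAME_RE.search(ev["CommandLine"]) is not None


RULES: Dict[str, Callable[[Event], bool]] = {
    "scilc_do_from_script_host": rule_scilc_via_script_host,
    "script_host_copies_dll": rule_vbs_dll_copy,
    "txt_renamed_to_exe": rule_txt_to_exe_rename,
}


def evaluate(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, command line) for every rule that fires on every event."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for name, cmdline in evaluate(SAMPLE_EVENTS):
        print(f"{name}: {cmdline}")
```

In production the parent-process condition on scilc.exe would be replaced by an allowlist of the processes that legitimately drive the SCIL API at the site, and the `-do` argument would be compared against the expected SCIL file locations, since the page's point is that the binary itself is legitimate and only the adversary-supplied instruction file distinguishes the abuse.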

ICS T0857 System Firmware

During the 2015 Ukraine Electric Power Attack, Sandworm Team overwrote the serial-to-ethernet gateways with custom firmware, leaving the devices disabled, shut down, or unrecoverable. [35]

ICS T0855 Unauthorized Command Message

During the 2015 Ukraine Electric Power Attack, Sandworm Team issued unauthorized commands to substation breakers after gaining control of operator workstations and accessing a distribution management system (DMS) application. [35]

During the 2022 Ukraine Electric Power Attack, Sandworm Team used the MicroSCADA SCIL-API to specify a set of SCADA instructions, including the sending of unauthorized commands to substation devices.[20]

ICS T0859 Valid Accounts

During the 2015 Ukraine Electric Power Attack, Sandworm Team used valid accounts to laterally move through VPN connections and dual-homed systems. Sandworm Team used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications. [35][15]

During the 2016 Ukraine Electric Power Attack, Sandworm Team used valid accounts to laterally move through VPN connections and dual-homed systems.[18]

Software

ID Name References Techniques
S1125 AcidRain Sandworm Team is linked to AcidRain deployment during the ViaSat KA-SAT incident in 2022.[43][44] Data Destruction, File and Directory Discovery, Disk Wipe: Disk Content Wipe, System Shutdown/Reboot
S0606 Bad Rabbit [9] Drive-by Compromise, Exploitation of Remote Services, Lateral Tool Transfer, Loss of Productivity and Revenue, User Execution, Masquerading: Match Legitimate Name or Location, Firmware Corruption, OS Credential Dumping: LSASS Memory, Data Encrypted for Impact, Brute Force: Password Spraying, Native API, Drive-by Compromise, Abuse Elevation Control Mechanism: Bypass User Account Control, User Execution: Malicious File, System Binary Proxy Execution: Rundll32, System Services: Service Execution, Network Share Discovery, Process Discovery, Exploitation of Remote Services, Scheduled Task/Job: Scheduled Task
S0089 BlackEnergy [3][10][1][2][9] Spearphishing Attachment, Standard Application Layer Protocol, Valid Accounts, Windows Management Instrumentation, Credentials from Password Stores: Credentials from Web Browsers, Create or Modify System Process: Windows Service, Hijack Execution Flow: Services File Permissions Weakness, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Fallback Channels, Peripheral Device Discovery, Screen Capture, Application Layer Protocol: Web Protocols, Data Destruction, File and Directory Discovery, Unsecured Credentials: Credentials In Files, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal, Indicator Removal: Clear Windows Event Logs, System Information Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Service Discovery, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote Services: SMB/Windows Admin Shares, Subvert Trust Controls: Code Signing Policy Modification
S0693 CaddyWiper [20] Data Destruction, File and Directory Discovery, File and Directory Permissions Modification: Windows File and Directory Permissions Modification, Native API, Disk Wipe: Disk Structure Wipe, System Information Discovery, Process Discovery
S0555 CHEMISTGAMES [45] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Unix Shell, Data from Local System, Download New Code at Runtime, Encrypted Channel: Asymmetric Cryptography, Location Tracking, Masquerading: Match Legitimate Name or Location, Native API, Obfuscated Files or Information, Supply Chain Compromise: Compromise Software Supply Chain, System Information Discovery
S0154 Cobalt Strike Sandworm Team has used multiple publicly available tools during operations, such as Cobalt Strike.[14] BITS Jobs, Windows Management Instrumentation, Data from Local System, Proxy: Domain Fronting, Proxy: Internal Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Office Template Macros, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Data Transfer Size Limits, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Native API, Exploitation for Privilege Escalation, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, Browser Session Hijacking, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Hide Artifacts: Process Argument Spoofing, Non-Application Layer Protocol, Scheduled Transfer, Subvert Trust Controls: Code Signing
S0687 Cyclops Blink [46][47] Data from Local System, Proxy: Multi-hop Proxy, Masquerading: Match Legitimate Name or Location, Encrypted Channel: Asymmetric Cryptography, Protocol Tunneling, Deobfuscate/Decode Files or Information, Boot or Logon Initialization Scripts: RC Scripts, Impair Defenses: Disable or Modify System Firewall, Application Layer Protocol: Web Protocols, Data Encoding: Non-Standard Encoding, File and Directory Discovery, Native API, Indicator Removal: Timestomp, System Information Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Process Discovery, Inter-Process Communication, Exfiltration Over C2 Channel, Non-Standard Port, Pre-OS Boot: Component Firmware
S0363 Empire Sandworm Team has used multiple publicly available tools during operations, such as Empire.[14] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Event Triggered Execution: Accessibility Features, Credentials from Password Stores: Credentials from Web Browsers, Use Alternate Authentication Material: Pass the Hash, Create or Modify System Process: Windows Service, Create Account: Local Account, Create Account: Domain Account, Clipboard Data, Encrypted Channel: Asymmetric Cryptography, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Domain Trust Discovery, Domain or Tenant Policy Modification: Group Policy Modification, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data, OS Credential Dumping: LSASS Memory, File and Directory Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Native API, Exploitation for Privilege Escalation, Browser Information Discovery, Obfuscated Files or Information: Command Obfuscation, Abuse Elevation Control Mechanism: Bypass User Account Control, Email Collection: Local Email Collection, Indicator Removal: Timestomp, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Network Connections Discovery, System Network Configuration Discovery, Group Policy Discovery, Network Share Discovery, Network Sniffing, Web Service: Bidirectional Communication, Network Service Discovery, Automated Collection, Automated Exfiltration, Video Capture, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Exploitation of Remote Services, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Scheduled Task/Job: Scheduled Task
S0401 Exaramel for Linux [48][30] Create or Modify System Process, Create or Modify System Process: Systemd Service, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Unix Shell, Fallback Channels, Application Layer Protocol: Web Protocols, Obfuscated Files or Information: Encrypted/Encoded File, Abuse Elevation Control Mechanism: Setuid and Setgid, Indicator Removal: File Deletion, System Owner/User Discovery, Ingress Tool Transfer, Scheduled Task/Job: Cron
S0343 Exaramel for Windows [48] Masquerading: Masquerade Task or Service, Modify Registry, Create or Modify System Process: Windows Service, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Archive Collected Data, Data Staged: Local Data Staging, Obfuscated Files or Information: Fileless Storage
S0342 GreyEnergy [9] Proxy: Multi-hop Proxy, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, OS Credential Dumping: LSASS Memory, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Service Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Injection: Portable Executable Injection, Subvert Trust Controls: Code Signing
S0357 Impacket [11] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Network Sniffing
S0604 Industroyer [18][23][17][49][14] Activate Firmware Update Mode, Automated Collection, Block Command Message, Block Reporting Message, Block Serial COM, Brute Force I/O, Command-Line Interface, Connection Proxy, Data Destruction, Denial of Control, Denial of Service, Denial of View, Device Restart/Shutdown, Loss of Control, Loss of Protection, Loss of View, Manipulation of Control, Manipulation of View, Monitor Process State, Network Connection Enumeration, Remote System Discovery, Remote System Information Discovery, Service Stop, Unauthorized Command Message, Compromise Host Software Binary, Proxy: Multi-hop Proxy, Create or Modify System Process: Windows Service, Protocol Tunneling, Deobfuscate/Decode Files or Information, Application Layer Protocol: Web Protocols, Data Destruction, File and Directory Discovery, Valid Accounts, Service Stop, Query Registry, Obfuscated Files or Information, System Information Discovery, System Network Configuration Discovery, Endpoint Denial of Service: Application or System Exploitation, Network Service Discovery, Ingress Tool Transfer, Remote System Discovery, Exfiltration Over C2 Channel
S1072 Industroyer2 [50][14] Automated Collection, Brute Force I/O, Modify Parameter, Monitor Process State, Remote System Information Discovery, Service Stop, Unauthorized Command Message, Process Discovery
S0231 Invoke-PSImage [1] Obfuscated Files or Information: Steganography, Obfuscated Files or Information: Embedded Payloads
S0607 KillDisk [1][9] Data Destruction, Indicator Removal on Host, Loss of View, Service Stop, Masquerading: Masquerade Task or Service, Shared Modules, Data Encrypted for Impact, Data Destruction, File and Directory Discovery, Service Stop, Native API, Obfuscated Files or Information, Disk Wipe: Disk Structure Wipe, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, System Information Discovery, System Shutdown/Reboot, Access Token Manipulation, Process Discovery
S0002 Mimikatz [18] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0039 Net [18] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0368 NotPetya [6][1][2][9][47][14] Exploitation of Remote Services, Lateral Tool Transfer, Loss of Productivity and Revenue, Windows Management Instrumentation, Masquerading, OS Credential Dumping: LSASS Memory, Data Encrypted for Impact, File and Directory Discovery, Valid Accounts: Local Accounts, Indicator Removal: Clear Windows Event Logs, System Binary Proxy Execution: Rundll32, System Shutdown/Reboot, System Services: Service Execution, Software Discovery: Security Software Discovery, Remote Services: SMB/Windows Admin Shares, Exploitation of Remote Services, Scheduled Task/Job: Scheduled Task
S0365 Olympic Destroyer [51][9][1][2][47][14] Windows Management Instrumentation, Credentials from Password Stores: Credentials from Web Browsers, OS Credential Dumping: LSASS Memory, Data Destruction, Service Stop, Lateral Tool Transfer, Indicator Removal: Clear Windows Event Logs, System Shutdown/Reboot, Inhibit System Recovery, System Services: Service Execution, System Network Configuration Discovery, Network Share Discovery, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0598 P.A.S. Webshell [30] Data from Information Repositories, Data from Local System, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter, Application Layer Protocol: Web Protocols, File and Directory Discovery, File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification, Brute Force: Password Guessing, Server Software Component: Web Shell, Obfuscated Files or Information, Indicator Removal: File Deletion, Network Service Discovery, Account Discovery: Local Account, Software Discovery, Ingress Tool Transfer
S0378 PoshC2 Sandworm Team has used multiple publicly available tools during operations, such as PoshC2.[14] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Credentials from Password Stores, Proxy, Use Alternate Authentication Material: Pass the Hash, Domain Trust Discovery, Password Policy Discovery, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, OS Credential Dumping: LSASS Memory, File and Directory Discovery, Brute Force, Unsecured Credentials: Credentials In Files, Exploitation for Privilege Escalation, Permission Groups Discovery: Local Groups, Abuse Elevation Control Mechanism: Bypass User Account Control, System Information Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Sniffing, Network Service Discovery, Automated Collection, Access Token Manipulation: Create Process with Token, Access Token Manipulation, Account Discovery: Local Account, Account Discovery: Domain Account, Input Capture: Keylogging, Process Injection, Exploitation of Remote Services
S1058 Prestige [11][14] Modify Registry, Command and Scripting Interpreter: PowerShell, Domain or Tenant Policy Modification: Group Policy Modification, Data Encrypted for Impact, File and Directory Discovery, Service Stop, Native API, Inhibit System Recovery, Scheduled Task/Job: Scheduled Task
S0029 PsExec [18] Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares
S0195 SDelete Sandworm Team has used SDelete for wartime operations in 2022-2023.[14] Data Destruction, Indicator Removal: File Deletion
S1010 VPNFilter VPNFilter is associated with Sandworm Team operations based on reporting on VPNFilter replacement software, Cyclops Blink.[46] Adversary-in-the-Middle, Network Sniffing, Disk Wipe: Disk Content Wipe

References

  1. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
  2. UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games. Retrieved November 30, 2020.
  3. Hultquist, J. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.
  4. Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.
  5. Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved September 12, 2024.
  6. NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.
  7. Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.
  8. Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.
  9. Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.
  10. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  11. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
  12. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  13. Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.
  14. Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.
  15. Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019.
  16. Andy Greenberg. (2017, June 28). How an Entire Nation Became Russia's Test Lab for Cyberwar. Retrieved September 27, 2023.
  17. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved December 18, 2020.
  18. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  19. Joe Slowik. (2019, August 15). CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack. Retrieved October 22, 2019.
  20. Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.
  21. Dragos, Inc. (2023, December 11). ELECTRUM Targeted Ukrainian Electric Entity Using Custom Tools and CaddyWiper Malware, October 2022. Retrieved March 28, 2024.
  22. Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  23. Dragos Inc. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.
  24. Counter Threat Research Team. (2017, June 28). NotPetya Campaign: What We Know About the Latest Global Ransomware Attack. Retrieved June 11, 2020.
  25. Cherepanov, A. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.
  26. National Security Agency. (2020, March 28). Sandworm Actors Exploiting Vulnerability In EXIM Mail Transfer Agent. Retrieved March 1, 2024.
  27. Cherepanov, A. (2017, July 4). Analysis of TeleBots’ cunning backdoor. Retrieved June 11, 2020.
  28. Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved June 10, 2020.
  29. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  30. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  31. Ward, S. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020.
  32. Wu, W. (2014, October 14). An Analysis of Windows Zero-day Vulnerability ‘CVE-2014-4114’ aka “Sandworm”. Retrieved June 18, 2020.
  33. Li, H. (2013, November 5). McAfee Labs Detects Zero-Day Exploit Targeting Microsoft Office. Retrieved June 18, 2020.
  34. US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved June 10, 2020.
  35. Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case. Retrieved March 27, 2018.
  36. Charles McLellan. (2016, March 4). How hackers attacked Ukraine's power grid: Implications for Industrial IoT security. Retrieved September 27, 2023.
  37. Joseph Slowik, DomainTools. (2021, March 3). Centreon to Exim and Back: On the Trail of Sandworm. Retrieved April 6, 2024.
  38. Morgan, K. (2023, October 18). Government-backed actors exploiting WinRAR vulnerability. Retrieved July 19, 2024.
  39. Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019.
  40. Dragos Inc. (2017, June 13). Industroyer - Dragos - 201706: Analysis of the Threat to Electric Grid Operations. Retrieved September 18, 2017.
  41. ICS-CERT. (2014, December 10). ICS Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS (Update E). Retrieved October 11, 2019.
  42. ICS CERT. (2018, September 6). Advantech/Broadwin WebAccess RPC Vulnerability (Update B). Retrieved December 5, 2019.
  43. A.J. Vincens, CyberScoop. (2024, March 18). Researchers spot updated version of malware that hit Viasat. Retrieved March 25, 2024.
  44. Juan Andres Guerrero-Saade and Max van Amerongen, SentinelOne. (2022, March 31). AcidRain | A Modem Wiper Rains Down on Europe. Retrieved March 25, 2024.
  45. B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.
  46. NCSC, CISA, FBI, NSA. (2022, February 23). New Sandworm malware Cyclops Blink replaces VPNFilter. Retrieved March 3, 2022.
  47. Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.
  48. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  49. Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.
  50. ESET. (2022, April 12). Industroyer2: Industroyer reloaded. Retrieved March 30, 2023.
  51. CrowdStrike. (2019, January). 2019 Global Threat Report. Retrieved June 10, 2020.