G0034 · 88 ATT&CK techniques · 10 correlated reports

Sandworm Team

Aliases: ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, Voodoo Bear, IRIDIUM, Seashell Blizzard, FROZENBARENTS, APT44

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455. This group has been active since at least 2009. In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019. Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.


ATT&CK techniques

T1608.001: Upload Malware
T1588.006: Vulnerabilities
T1040: Network Sniffing
T1027.010: Command Obfuscation
T1595.002: Vulnerability Scanning
T1585.001: Social Media Accounts
T1586.001: Social Media Accounts
T1132.001: Standard Encoding
T1213: Data from Information Repositories
T1539: Steal Web Session Cookie
T1059.001: PowerShell
T1090: Proxy
T1203: Exploitation for Client Execution
T1041: Exfiltration Over C2 Channel
T1053.005: Scheduled Task
T1190: Exploit Public-Facing Application
T1078.002: Domain Accounts
T1003.003: NTDS
T1036: Masquerading
T1598.003: Spearphishing Link
T1133: External Remote Services
T1587.001: Malware
T1072: Software Deployment Tools
T1584.005: Botnet
T1566.002: Spearphishing Link
T1018: Remote System Discovery
T1589.003: Employee Names
T1078: Valid Accounts
T1566.001: Spearphishing Attachment
T1204.002: Malicious File
T1106: Native API
T1588.002: Tool
T1583.004: Server
T1590.001: Domain Properties
T1083: File and Directory Discovery
T1049: System Network Connections Discovery
T1555.003: Credentials from Web Browsers
T1489: Service Stop
T1571: Non-Standard Port
T1070.004: File Deletion
T1047: Windows Management Instrumentation
T1087.003: Email Account
T1021.002: SMB/Windows Admin Shares
T1204.001: Malicious Link
T1505.003: Web Shell
T1218.011: Rundll32
T1499: Endpoint Denial of Service
T1195.002: Compromise Software Supply Chain
T1199: Trusted Relationship
T1056.001: Keylogging
T1561.002: Disk Structure Wipe
T1486: Data Encrypted for Impact
T1592.002: Software
T1491.002: External Defacement
T1583: Acquire Infrastructure
T1219: Remote Access Software
T1584.004: Server
T1003.001: LSASS Memory
T1594: Search Victim-Owned Websites
T1570: Lateral Tool Transfer
T1027: Obfuscated Files or Information
T1591.002: Business Relationships
T1585.002: Email Accounts
T1102.002: Bidirectional Communication
T1490: Inhibit System Recovery
T1583.001: Domains
T1140: Deobfuscate/Decode Files or Information
T1485: Data Destruction
T1059.005: Visual Basic
T1105: Ingress Tool Transfer
T1033: System Owner/User Discovery
T1589.002: Email Addresses
T1071.001: Web Protocols
T1087.002: Domain Account
T1082: System Information Discovery
T1005: Data from Local System
T1195: Supply Chain Compromise
T1593: Search Open Websites/Domains
T1036.005: Match Legitimate Name or Location
T1136.002: Domain Account
T1110.003: Password Spraying
T1059.003: Windows Command Shell
T1505.001: SQL Stored Procedures
T1098: Account Manipulation
T1016: System Network Configuration Discovery
T1136: Create Account
T1027.002: Software Packing
T1562.002: Disable Windows Event Logging

Correlated CTI and IR reports
