Sandworm Team | APT Profile

Description

[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020) In October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)

Techniques Used (TTPs)

T1608.001 — Upload Malware (resource-development)
T1588.006 — Vulnerabilities (resource-development)
T1040 — Network Sniffing (credential-access, discovery)
T1027.010 — Command Obfuscation (defense-evasion)
T1595.002 — Vulnerability Scanning (reconnaissance)
T1585.001 — Social Media Accounts (resource-development)
T1586.001 — Social Media Accounts (resource-development)
T1132.001 — Standard Encoding (command-and-control)
T1213 — Data from Information Repositories (collection)
T1539 — Steal Web Session Cookie (credential-access)
T1059.001 — PowerShell (execution)
T1090 — Proxy (command-and-control)
T1203 — Exploitation for Client Execution (execution)
T1041 — Exfiltration Over C2 Channel (exfiltration)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1190 — Exploit Public-Facing Application (initial-access)
T1078.002 — Domain Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1003.003 — NTDS (credential-access)
T1036 — Masquerading (defense-evasion)
T1598.003 — Spearphishing Link (reconnaissance)
T1133 — External Remote Services (persistence, initial-access)
T1587.001 — Malware (resource-development)
T1072 — Software Deployment Tools (execution, lateral-movement)
T1584.005 — Botnet (resource-development)
T1566.002 — Spearphishing Link (initial-access)
T1018 — Remote System Discovery (discovery)
T1589.003 — Employee Names (reconnaissance)
T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1566.001 — Spearphishing Attachment (initial-access)
T1204.002 — Malicious File (execution)
T1106 — Native API (execution)
T1588.002 — Tool (resource-development)
T1583.004 — Server (resource-development)
T1590.001 — Domain Properties (reconnaissance)
T1083 — File and Directory Discovery (discovery)
T1049 — System Network Connections Discovery (discovery)
T1555.003 — Credentials from Web Browsers (credential-access)
T1489 — Service Stop (impact)
T1571 — Non-Standard Port (command-and-control)
T1070.004 — File Deletion (defense-evasion)
T1047 — Windows Management Instrumentation (execution)
T1087.003 — Email Account (discovery)
T1021.002 — SMB/Windows Admin Shares (lateral-movement)
T1204.001 — Malicious Link (execution)
T1505.003 — Web Shell (persistence)
T1218.011 — Rundll32 (defense-evasion)
T1499 — Endpoint Denial of Service (impact)
T1195.002 — Compromise Software Supply Chain (initial-access)
T1199 — Trusted Relationship (initial-access)
T1056.001 — Keylogging (collection, credential-access)
T1561.002 — Disk Structure Wipe (impact)
T1486 — Data Encrypted for Impact (impact)
T1592.002 — Software (reconnaissance)
T1491.002 — External Defacement (impact)
T1583 — Acquire Infrastructure (resource-development)
T1219 — Remote Access Tools (command-and-control)
T1584.004 — Server (resource-development)
T1003.001 — LSASS Memory (credential-access)
T1594 — Search Victim-Owned Websites (reconnaissance)
T1570 — Lateral Tool Transfer (lateral-movement)
T1027 — Obfuscated Files or Information (defense-evasion)
T1591.002 — Business Relationships (reconnaissance)
T1585.002 — Email Accounts (resource-development)
T1102.002 — Bidirectional Communication (command-and-control)
T1490 — Inhibit System Recovery (impact)
T1583.001 — Domains (resource-development)
T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
T1485 — Data Destruction (impact)
T1059.005 — Visual Basic (execution)
T1105 — Ingress Tool Transfer (command-and-control)
T1033 — System Owner/User Discovery (discovery)
T1589.002 — Email Addresses (reconnaissance)
T1071.001 — Web Protocols (command-and-control)
T1087.002 — Domain Account (discovery)
T1082 — System Information Discovery (discovery)
T1005 — Data from Local System (collection)
T1195 — Supply Chain Compromise (initial-access)
T1593 — Search Open Websites/Domains (reconnaissance)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)

Total TTPs: 79

Malware & Tools

Malware: AcidPour, AcidRain, Bad Rabbit, BlackEnergy, Cobalt Strike, Cyclops Blink, Exaramel for Linux, Exaramel for Windows, GreyEnergy, Industroyer, Industroyer2, Kapeka, KillDisk, Neo-reGeorg, NotPetya, Olympic Destroyer, P.A.S. Webshell, Prestige, VPNFilter

Tools: Empire, Impacket, Invoke-PSImage, Mimikatz, Net, PoshC2, PsExec, SDelete

← Return to Home ← Back to APT Search