Sandworm
| Actor Type | Nation State |
|---|---|
| Attributed to Nation | Russia |
| Directly Linked Intrusion Sets | UAC-0002, APT44, FROZENBARENTS, ELECTRUM, UAC-0133 |
| Associated Threat Actor | GRU Unit 74455 |
Sandworm is a cyber threat actor reportedly linked to the Russian government and responsible for conducting numerous cyber attack campaigns. The group has been identified as responsible for disruptive and destructive attacks against multiple targets.
Sandworm Threat Reports
- KAPEKA: A novel backdoor spotted in Eastern Europe. This report from researchers at WithSecure unveils a novel backdoor: 'Kapeka'. Kapeka has been used against victims in Eastern Europe ...
- AcidPour: New Embedded Wiper Variant of AcidRain Appears in Ukraine. This blog post by researchers at SentinelLabs describes a new variant of the AcidRain malware which they call AcidPour. The report includes ...
References
- cert.gov.ua: https://cert.gov.ua/article/6278706
- www.justice.gov: https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and
- www.mandiant.com: https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology
- www.mandiant.com: https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team
- www.cisa.gov: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-110a
- www.dragos.com: https://www.dragos.com/threat/electrum/
- www.welivesecurity.com: https://www.welivesecurity.com/2022/03/21/sandworm-tale-disruption-told-anew/
- services.google.com: https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf
- labs.withsecure.com: https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Research-Kapeka.pdf
- services.google.com: https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf
- www.sentinelone.com: https://www.sentinelone.com/labs/acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine/
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
T1497.003 | Time Based Evasion | Defense Evasion, Discovery |
T1012 | Query Registry | Discovery |
T1001.001 | Junk Data | Command and Control |
T1059.003 | Windows Command Shell | Execution |
T1105 | Ingress Tool Transfer | Command and Control |
T1124 | System Time Discovery | Discovery |
T1090.001 | Internal Proxy | Command and Control |
T1112 | Modify Registry | Defense Evasion |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1559.001 | Component Object Model | Execution |
T1070.009 | Clear Persistence | Defense Evasion |
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
T1614.001 | System Language Discovery | Discovery |
T1082 | System Information Discovery | Discovery |
T1070.004 | File Deletion | Defense Evasion |
T1027.009 | Embedded Payloads | Defense Evasion |
T1573.002 | Asymmetric Cryptography | Command and Control |
T1218.011 | Rundll32 | Defense Evasion |
T1573.001 | Symmetric Cryptography | Command and Control |
T1036.008 | Masquerade File Type | Defense Evasion |
T1564.001 | Hidden Files and Directories | Defense Evasion |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1033 | System Owner/User Discovery | Discovery |