Sandworm

Threat Actor updated 2 days ago (2024-11-21T11:31:12.791Z)
Download STIX
Preview STIX
Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which caused significant disruption. Sandworm's activities extend beyond Ukraine, with evidence of operations in Poland and the United States. The group utilizes advanced malware such as WrongSens, LOADGRIP, and BIASBOAT, exploiting Windows and Linux systems. Furthermore, they have been associated with the use of proxy botnets like VPNFilter and Cyclops Blink to hide their origin and evade detection. In addition to compromising telecommunications infrastructure, Sandworm has been implicated in more targeted and damaging attacks. Notably, the group leveraged a compromised MicroSCADA server to trigger a power outage in Ukraine, coinciding with a Russian missile barrage. In another incident, the group is believed to be behind an attack on a wastewater treatment plant in the US in April 2024, demonstrating their broad capabilities and global reach. These incidents highlight Sandworm's capacity to target critical infrastructure, causing tangible, real-world damage beyond cyberspace. Despite efforts to disrupt Sandworm's operations, the group remains active and continues to pose a significant threat. Their activities form part of a larger landscape of cyber warfare between Russia and Ukraine, with other threat groups also contributing to the Kremlin's cyber operations. As one of many hacker groups doing the Kremlin's dirty work, Sandworm (also known as APT44) exemplifies the growing trend of state-sponsored cyber threats. Their actions underscore the urgent need for robust cybersecurity defenses and international cooperation to counter these evolving threats.
Description last updated: 2024-11-21T10:30:45.017Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
APT28 is a possible alias for Sandworm. APT28, also known as Fancy Bear and Unit 26165 of the Russian Main Intelligence Directorate, is a threat actor linked to Russia with a history of cyber-espionage activities. The group has been involved in several high-profile attacks, including the hacking of the Democratic National Committee (DNC)
7
Industroyer is a possible alias for Sandworm. Industroyer, also known as CrashOverride, is a potent malware specifically designed to target Industrial Control Systems (ICS) used in electrical substations. It first gained notoriety for its role in the 2016 cyberattack on Ukraine's power grid, which resulted in a six-hour blackout in Kyiv. The ma
6
BlackEnergy is a possible alias for Sandworm. BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a
5
Telebots is a possible alias for Sandworm. TeleBots, a notorious threat actor group also known as Sandworm, BlackEnergy, Iron Viking, Voodoo Bear, and Seashell Blizzard, has been identified as operating under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). Active since 2000, the group is recognize
5
GreyEnergy is a possible alias for Sandworm. GreyEnergy is a type of malware, or malicious software, designed to exploit and damage computer systems. It is believed to have been used in attacks on Ukraine's power grid in 2018 by the Russia-linked Advanced Persistent Threat (APT) group, Sandworm. Security firm WithSecure has identified overlaps
5
Prestige is a possible alias for Sandworm. Prestige is a malicious software (malware) that has been linked to several disruptive cyberattacks. In October 2022, the malware was used in ransomware attacks against Ukrainian and Polish logistics companies. These attacks were attributed to Sandworm, an advanced persistent threat (APT) group belie
4
Frozenbarents is a possible alias for Sandworm. Frozenbarents, also known as Sandworm or Voodoo Bear, is a threat actor linked to Russia's GRU military intelligence agency. Noted for its versatility, the group has executed a variety of cyber-attacks against Ukraine and NATO countries, with a particular emphasis on critical infrastructure, utiliti
4
Apt44 is a possible alias for Sandworm. APT44, also known as Sandworm, is a threat actor newly designated by Mandiant and associated with the Russian military intelligence hacking team. This group has been active since the start of 2023, conducting campaigns leveraging Sandworm malware, primarily targeting Ukraine, Eastern Europe, and inv
4
NotPetya is a possible alias for Sandworm. NotPetya, a destructive malware posing as ransomware, was unleashed in 2017, causing widespread global damage while primarily targeting Ukraine's infrastructure. The cyberattack, commonly attributed to Russia, was so devastating that it led many to consider it an act of cyberwar, despite no official
4
Voodoo Bear is a possible alias for Sandworm. VOODOO BEAR, also known as Sandworm, Seashell Blizzard, and other names such as Iridium, Iron Viking, Telebots, and APT44, is a highly advanced threat actor with a suspected nexus to the Russian Federation. First identified in January 2018, this group has been active since 2000 and operates under th
4
Turla is a possible alias for Sandworm. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (
4
IRON VIKING is a possible alias for Sandworm. Iron Viking, a threat actor group also known as Sandworm, Telebots, Voodoo Bear, and other names, has been active since 2000. This group operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST). Iron Viking is notorious for its destructive cyber-espi
3
Seashell Blizzard is a possible alias for Sandworm. Seashell Blizzard, also known as Iridium, Sandworm, Voodoo Bear, and APT44, is a state-sponsored threat actor group affiliated with the Russian military intelligence service (GRU). Microsoft has identified this group as distinct from other Advanced Persistent Threat (APT) groups operating under the
3
Infamous Chisel is a possible alias for Sandworm. Infamous Chisel is a malicious software (malware) that has been specifically designed to exploit and damage computer systems and devices. This malware operates covertly, infiltrating systems through suspicious downloads, emails, or websites without the user's knowledge. Once inside a system, Infamou
3
Cyberarmyofrussia_reborn is a possible alias for Sandworm. CyberArmyofRussia_Reborn is a threat actor with suspected links to the GRU, Russia's main intelligence agency. This group has been associated with several high-profile cyberattacks, including those on US and Polish water utilities and a French dam. The group uses its Telegram channel to leak stolen
3
Solntsepek is a possible alias for Sandworm. Solntsepek is a notorious malware associated with the Russian state-sponsored threat actor, Seashell Blizzard, which is affiliated with the GRU. The group has been identified by Microsoft as one of the three hacktivist groups that regularly interact with Seashell Blizzard, alongside InfoCentr and th
3
Hades is a possible alias for Sandworm. Hades is a significant threat actor that has been active in the cybersecurity landscape, particularly associated with ransomware attacks. The group uses distinctive tactics and infrastructure, as noted by CTU researchers in June 2021. Hades ransomware operators have been observed using Advanced Port
2
Uac-0165 is a possible alias for Sandworm. UAC-0165 is a malware reportedly linked to the Russia-affiliated Advanced Persistent Threat (APT) group known as Sandworm. This malicious software, designed to infiltrate and damage computer systems, has been identified as the tool used in a series of cyberattacks on Ukrainian telecommunications ser
2
Unc3810 is a possible alias for Sandworm. UNC3810 is a malware identified and tracked by cybersecurity firm Mandiant, notorious for its deployment of CaddyWiper in October 2022. This malicious software is designed to exploit and damage computer systems, often infiltrating via suspicious downloads, emails, or websites. The threat actor, init
2
Seashell Blizzard Iridium is a possible alias for Sandworm. Seashell Blizzard Iridium, also known as Sandworm, is a threat actor reportedly comprised of Russian military intelligence officers. This group has been identified as distinct from other Advanced Persistent Threat (APT) groups associated with the Russian military intelligence GRU, such as Forest Bli
2
Volt Typhoon is a possible alias for Sandworm. Volt Typhoon, a cyberespionage cluster sponsored by China, has emerged as a significant threat actor in the cybersecurity landscape. Known for its strong operational security and obfuscation of malware, Volt Typhoon is both a resilient botnet and a warning signal of potential critical infrastructure
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Apt
Wiper
Ukraine
State Sponso...
Ransomware
Vulnerability
Windows
Exploit
Ics
Russia
Espionage
russian
Kyivstar
Microsoft
Ukrainian
Google
Android
Linux
Backdoor
roundcube
Eset
Botnet
Phishing
Mandiant
Spearphishing
Telegram
WinRAR
Decoy
LOTL
Infostealer
Blizzard
Zimbra
Implant
Encryption
Proxy
Cybercrime
Exim
Payload
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The CaddyWiper Malware is associated with Sandworm. CaddyWiper is a destructive malware, a type of malicious software designed to exploit and damage computer systems. It was one of several malwares deployed against Ukraine starting in January 2022 by the Russian Advanced Persistent Threat (APT) group, alongside others such as WhisperGate, HermeticWiphas used
8
The Industroyer2 Malware is associated with Sandworm. Industroyer2 is a sophisticated piece of malware designed to target Industrial Control Systems (ICS), developed and deployed by the Russian state-sponsored advanced persistent threat group, Sandworm. The group has been active since 2007 and used Industroyer2 in a significant attack against Ukraine'sUnspecified
4
The Kapeka Malware is associated with Sandworm. Kapeka is a previously unknown malware that operates as a backdoor into systems, linked to the Russian Sandworm Advanced Persistent Threat (APT) group. The malicious software can infiltrate a system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, iis related to
4
The Nikowiper Malware is associated with Sandworm. NikoWiper is a malicious software (malware) identified as a new data wiper attributed to Sandworm, a state-backed hacker group linked with Russia's Main Directorate of the General Staff of the Armed Forces (GRU). This malware, unique in its design compared to other strains, was used in an attack on Unspecified
3
The Cyclops Blink Malware is associated with Sandworm. Cyclops Blink, a modular malware first identified in 2019, was designed to target network infrastructure. It was often referred to as the "Son of VPNFilter" due to its similarities with that campaign. The malware was specifically engineered to run on Linux systems, particularly those using the 32-biUnspecified
3
The KONNI Malware is associated with Sandworm. Konni is a malicious software (malware) linked to North Korea, specifically associated with the state-sponsored Kimsuky group. This advanced persistent threat (APT) has been active since at least 2021, focusing on high-profile targets such as the Russian Ministry of Foreign Affairs, the Russian EmbaUnspecified
3
The Swiftslicer Malware is associated with Sandworm. SwiftSlicer is a new wiper malware, written in Go, that was detected by security researchers on January 25th, 2023. This malicious software was designed to overwrite crucial files used by the Windows operating system, thereby causing significant disruption and damage to infected systems. The malwareUnspecified
3
The Brute Ratel Malware is associated with Sandworm. Brute Ratel C4 (BRc4) is a potent malware that has been used in various cyber-attacks over the past 15 years. The malware infects systems through deceptive MSI installers, which deploy the BRc4 by disguising the payload as legitimate software such as vierm_soft_x64.dll under rundll32 execution. VariUnspecified
2
The Acidrain Malware is associated with Sandworm. AcidRain is a malicious software, or malware, that was first described in March, following a cyberattack that disrupted approximately 10,000 satellite modems associated with communications provider Viasat's KA-SAT network. The malware was discovered by cybersecurity firm SentinelOne in February 2022Unspecified
2
The Acidpour Malware is associated with Sandworm. AcidPour is a newly identified malware variant that has been specifically designed to target Linux x86 devices. As a malicious software, AcidPour exploits and damages the targeted systems, potentially stealing personal information, disrupting operations, or holding data hostage for ransom. It infiltUnspecified
2
The KillDisk Malware is associated with Sandworm. KillDisk is a potent malware, initially designed to overwrite targeted files instead of encrypting them. First seen in action during December 2016, it disrupted recovery processes by erasing critical system and workstation files. The TeleBots group notably used KillDisk in the final stages of their Unspecified
2
The Prestige Ransomware Malware is associated with Sandworm. In October 2022, a new strain of ransomware known as Prestige was reported by Microsoft. This malware had not been observed by Microsoft prior to its deployment and was found targeting transportation and logistics organizations in Ukraine and Poland. Prestige ransomware infects systems through suspiUnspecified
2
The Olympic Destroyer Malware is associated with Sandworm. Olympic Destroyer is a notorious malware that was deployed by Sandworm, a cyber-espionage group, during the 2018 Pyeongchang Winter Olympics. The malware caused significant disruption to the event's IT infrastructure, including broadcasting, ticketing, various Olympics websites, and Wi-Fi at the hosUnspecified
2
The Roarbat Malware is associated with Sandworm. RoarBat is a malicious software (malware) employed by the Sandworm hacking group, known for its operations against Windows devices. The malware utilizes a BAT script to execute harmful activities, with evidence suggesting that it shares similarities with a cyber attack on Ukrinform, the Ukrainian naUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Sandworm Apt Threat Actor is associated with Sandworm. Sandworm APT, a threat actor linked to Russia, has been identified as the malicious entity behind several significant cyber-attacks. The group is known for its sophisticated operations and evolving tactics, often targeting critical infrastructure and government entities. In one of its most disruptivUnspecified
4
The Sandworm Team Threat Actor is associated with Sandworm. The Sandworm Team, a threat actor associated with Russia's military intelligence-linked group, has demonstrated significant capabilities in developing custom malware to target Operational Technology (OT) and Industrial Control Systems (ICSs). Since at least 2015, the team has used the "BlackEnergy" Unspecified
3
The Sednit Threat Actor is associated with Sandworm. Sednit, also known as APT28, Fancy Bear, Strontium/Forest Blizzard, Pawn Storm, Sofacy, and BlueDelta, is a threat actor group associated with Russia’s military intelligence. This group has been active since at least 2007, targeting governments, militaries, and security organizations worldwide. SednUnspecified
3
The Gamaredon Threat Actor is associated with Sandworm. Gamaredon, a Russia-aligned threat actor, has emerged as one of the most active Advanced Persistent Threat (APT) groups in Ukraine, particularly since Russia's 2022 invasion of the country. Composed of regular officers from the Russian Federal Security Service (FSB) and some former law enforcement oUnspecified
3
The APT40 Threat Actor is associated with Sandworm. APT40, a threat actor attributed to China, is a cyber espionage group that primarily targets countries of strategic importance to the Belt and Road Initiative. The group is known for its use of a variety of attack vectors, notably spear-phishing emails posing as individuals likely to be of interest Unspecified
2
The The Dukes Threat Actor is associated with Sandworm. The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, Nobelium, and BlueBravo, is a threat actor associated with the Russian government. The group has been active since at least 2008 and has targeted various governments, think tanks, diplomatic entities, and political parties. Notably, in SeUnspecified
2
The Cozy Bear Threat Actor is associated with Sandworm. Cozy Bear, also known as APT29 and Midnight Blizzard, is a threat actor believed to be linked to the Russian government. This entity has been behind numerous cyberattacks with malicious intent, targeting various organizations and systems worldwide. The first significant intrusion attributed to Cozy Unspecified
2
The Frozenlake Threat Actor is associated with Sandworm. Frozenlake, also known as APT28, Fancy Bear, Forest Blizzard, and several other names, is a threat actor believed to be sponsored by the Russian military. The group has been involved in numerous cyber-attacks, primarily targeting Ukraine's energy sector. Their modus operandi includes exploiting vulnUnspecified
2
The APT29 Threat Actor is associated with Sandworm. APT29, also known as Midnight Blizzard and linked to Russia's Foreign Intelligence Service (SVR), is a notorious threat actor that has been implicated in several high-profile cyberattacks. The group has demonstrated sophisticated capabilities, exploiting vulnerabilities such as the WinRAR 0day flaw Unspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2023-38831 Vulnerability is associated with Sandworm. CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabilUnspecified
4
The CVE-2014-4114 Vulnerability is associated with Sandworm. CVE-2014-4114 is a significant vulnerability that lies within the design or implementation of software. This flaw specifically targets the Microsoft Windows OLE Package Manager, enabling remote code execution. The exploit was primarily used in .pps files, which are PowerPoint presentation files, makis related to
2
Source Document References
Information about the Sandworm Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
DARKReading
2 days ago
ESET
15 days ago
DARKReading
24 days ago
DARKReading
2 months ago
BankInfoSecurity
2 months ago
InfoSecurity-magazine
3 months ago
DARKReading
3 months ago
Securityaffairs
3 months ago
Securityaffairs
4 months ago
BankInfoSecurity
a year ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
InfoSecurity-magazine
7 months ago
DARKReading
4 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
InfoSecurity-magazine
4 months ago
Securityaffairs
4 months ago