Sandworm Team

Threat Actor updated 5 months ago (2024-05-04T20:19:15.850Z)
The Sandworm Team is a threat actor linked to Russia's military intelligence service (GRU) that has demonstrated significant capability in developing custom malware to target Operational Technology (OT) and Industrial Control Systems (ICS). Since at least 2015, the team has used the "BlackEnergy" malware for distributed denial of service (DDoS), espionage, and destructive attacks. A distinct variant, BlackEnergy 3, reemerged in Ukraine in 2015, where the Sandworm Team was first identified; the malware has since become the group's signature tool, underscoring the threat it poses to US and European critical systems.

In 2022, the Sandworm Team attempted to disrupt Ukrainian energy providers using the "Industroyer" (also known as CrashOverride) and "Caddy Wiper" malware. Furthermore, the Russian hacker group "Solntsepek," which is tied to the Sandworm Team, claimed responsibility for a cyber attack against Ukraine's largest telecommunications provider. The team has also implanted malware on thousands of WatchGuard firewall devices worldwide, demonstrating its global reach and technical sophistication.

The Sandworm Team is part of Russian GRU Unit 74455 and is distinct from other, longer-established GRU-affiliated groups such as Fancy Bear (APT28) and Forest Blizzard. The team is led by Evgenii Serebriakov, who authored a master's thesis on "Information Confrontation in World Politics." The Sandworm Team is regarded as Russia's leading cyber attack capability, having conducted complex operations that caused electrical outages in Ukraine and the most expensive destructive attack in history, NotPetya. Its activities indicate an ongoing interest in targeting critical infrastructure globally.
Description last updated: 2024-05-04T19:29:16.621Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are difficult to track across vendors, so the following are possible overlapping names and profiles that may also be worth reviewing.
Alias / Description / Votes
Industroyer is a possible alias for Sandworm Team. Industroyer, also known as CrashOverride, is a potent malware specifically designed to target Industrial Control Systems (ICS) used in electrical substations. It first gained notoriety for its role in the 2016 cyberattack on Ukraine's power grid, which resulted in a six-hour blackout in Kyiv. The ma (Votes: 2)
BlackEnergy is a possible alias for Sandworm Team. BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine, where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a (Votes: 2)
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Associated Threat Actors
Alias / Description / Association Type / Votes
The Sandworm Threat Actor is associated with Sandworm Team. Sandworm, also known as APT44, is a Russia-linked threat actor that has been implicated in several major cyberattacks. This group has been particularly active against targets in Ukraine and Poland, with significant operations including the compromise of 11 Ukrainian telecommunications providers, whi (Association Type: Unspecified; Votes: 3)