Sandworm Team

Threat Actor updated 7 months ago (2024-05-04T20:19:15.850Z)

Download STIX

Preview STIX

The Sandworm Team, a threat actor associated with Russia's military intelligence-linked group, has demonstrated significant capabilities in developing custom malware to target Operational Technology (OT) and Industrial Control Systems (ICSs). Since at least 2015, the team has used the "BlackEnergy" malware for distributed denial of service (DDoS), espionage, and destructive attacks. A unique variant, BlackEnergy 3, reemerged in Ukraine in 2015, where the Sandworm Team was first identified. This malware has since become their signature tool, underscoring the potential threat they pose to US and European critical systems. In 2022, the Sandworm Team attempted to disrupt Ukrainian energy providers using the "Industroyer" (also known as CrashOverride) and "Caddy Wiper" malware. Furthermore, the Russian hacker group "Solntsepek," tied to the Sandworm Team, claimed responsibility for a cyber attack against Ukraine's largest telecommunications provider. The team has also managed to implant malware on thousands of WatchGuard firewall devices worldwide, demonstrating their widespread reach and sophisticated hacking abilities. The Sandworm Team is part of the Russian GRU Unit 74455, separate from other more established GRU-affiliated groups like Fancy Bear (APT28) and Forest Blizzard. The team is led by Evgenii Serebriakov, who authored a master’s thesis on "Information Confrontation in World Politics." The Sandworm Team is recognized as Russia’s leading cyber attack capability, having conducted complex attacks that caused electrical outages in Ukraine and the most expensive destructive attack in history: NotPetya. Their activities suggest an ongoing interest in targeting critical infrastructure globally.

Description last updated: 2024-05-04T19:29:16.621Z

What's your take? (Question 1 of 3)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Industroyer is a possible alias for Sandworm Team. Industroyer, also known as CrashOverride, is a potent malware specifically designed to target Industrial Control Systems (ICS) used in electrical substations. It first gained notoriety for its role in the 2016 cyberattack on Ukraine's power grid, which resulted in a six-hour blackout in Kyiv. The ma	2
BlackEnergy is a possible alias for Sandworm Team. BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Sandworm Threat Actor is associated with Sandworm Team. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c	Unspecified	3

Source Document References

Information about the Sandworm Team Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	8 months ago	Operational Technology Threats - ReliaQuest
CERT-EU	a year ago	Critical Infrastructure Remains the Brass Ring for Cyber Attackers in 2024
InfoSecurity-magazine	a year ago	#mWISE: FBI Director Urges Greater Private-Public Collaboration
CERT-EU	2 years ago	3rd April – Threat Intelligence Report - Check Point Research
CERT-EU	a year ago	Russian Cyber War: An Elite Russian Hacker Spells Out His Vision for "Information Confrontation in World Politics"
CERT-EU	a year ago	Anomali Cyber Watch: Cadet Blizzard - New GRU APT, ChamelDoH Hard-to-Detect Linux RAT, Stealthy DoubleFinger Targets Cryptocurrency
MITRE	2 years ago	Anticipating Cyber Threats as the Ukraine Crisis Escalates \| Mandiant
MITRE	2 years ago	Sandworm Team and the Ukrainian Power Authority Attacks \| Mandiant
MITRE	2 years ago	VOODOO BEAR \| Threat Actor Profile \| CrowdStrike
MITRE	2 years ago	ELECTRUM Threat Group \| Dragos
MITRE	2 years ago	Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers
MITRE	2 years ago	Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure \| Mandiant
Securityaffairs	2 years ago	Leaked documents from Russian firm NTC Vulkan show Sandworm cyberwarfare arsenal