Sandworm Team

Threat Actor Profile Updated 3 months ago
The Sandworm Team, a threat actor attributed to Russian military intelligence, has demonstrated significant capability in developing custom malware that targets Operational Technology (OT) and Industrial Control Systems (ICS). Since at least 2015, the team has used the "BlackEnergy" malware for distributed denial of service (DDoS), espionage, and destructive attacks. A distinct variant, BlackEnergy 3, reemerged in Ukraine in 2015, where the Sandworm Team was first identified; it has since become the group's signature tool and underscores the threat the group poses to US and European critical systems.

In 2022, the Sandworm Team attempted to disrupt Ukrainian energy providers using the "Industroyer" (also known as CrashOverride) and "Caddy Wiper" malware. The Russian hacker group "Solntsepek," tied to the Sandworm Team, claimed responsibility for a cyber attack against Ukraine's largest telecommunications provider. The team has also implanted malware on thousands of WatchGuard firewall devices worldwide, demonstrating its global reach and technical sophistication.

The Sandworm Team is part of Russian GRU Unit 74455, separate from other, more established GRU-affiliated groups such as Fancy Bear (APT28) and Forest Blizzard. The team is led by Evgenii Serebriakov, who authored a master's thesis on "Information Confrontation in World Politics." The Sandworm Team is recognized as Russia's leading cyber attack capability, having conducted complex operations that caused electrical outages in Ukraine as well as the most expensive destructive attack in history, NotPetya. Its activities indicate an ongoing interest in targeting critical infrastructure globally.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
BlackEnergy | 2 | BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a
Industroyer | 2 | Industroyer, also known as CrashOverride, is a potent malware specifically designed to target Industrial Control Systems (ICS) used in electrical substations. It first gained notoriety for its role in the 2016 cyberattack on Ukraine's power grid, which resulted in a six-hour blackout in Kyiv. The ma
Blackenergy Apt | 1 | BlackEnergy APT, also known as Sandworm Team or BlackEnergy APT Group, is a form of malware that gained notoriety in the last decade for its destructive actions, particularly in Ukraine. This malicious software is designed to infiltrate systems, often through suspicious downloads, emails, or website
Solntsepek | 1 | Solntsepek is a notorious malware associated with the Russian state-sponsored threat actor, Seashell Blizzard, which is affiliated with the GRU. The group has been identified by Microsoft as one of the three hacktivist groups that regularly interact with Seashell Blizzard, alongside InfoCentr and th
Crashoverride | 1 | CrashOverride, also known as Industroyer, is a notorious malware that was leveraged in 2016 to disrupt Ukraine's power grid at the transmission substation level. This malicious software, believed to be state-sponsored by Russia, manipulated Industrial Control Systems (ICS) equipment through the abus
Caddy Wiper | 1 | None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance:
Malware, Microsoft, Vulnerability, Phishing, Apt, Exploit, Russia, Espionage, Russia’s, Ics, russian
Associated Malware
ID | Type | Votes | Profile Description
TRITON | Unspecified | 1 | Triton is a sophisticated malware that has been historically used to target the energy sector. It was notably used in 2017 by the Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIkhM) to attack a Middle East petrochemical facility. The malware, also known as Trisis and
Stuxnet | Unspecified | 1 | Stuxnet, a notorious malware discovered in 2010, is one of the most infamous Advanced Persistent Threat (APT) attacks in history. This military-grade cyberweapon was co-developed by the United States and Israel to specifically target Iran's nuclear enrichment facility at Natanz. The Stuxnet worm, a
KillDisk | Unspecified | 1 | KillDisk is a potent malware, initially designed to overwrite targeted files instead of encrypting them. First seen in action during December 2016, it disrupted recovery processes by erasing critical system and workstation files. The TeleBots group notably used KillDisk in the final stages of their
NotPetya | Unspecified | 1 | NotPetya is a notorious malware that was unleashed in 2017, primarily targeting Ukraine but eventually impacting systems worldwide. This malicious software, which initially appeared to be ransomware, was later revealed to be data destructive malware, causing widespread disruption rather than seeking
Associated Threat Actors
ID | Type | Votes | Profile Description
Sandworm | Unspecified | 3 | Sandworm, a threat actor linked to Russia, has been implicated in numerous high-profile cyber attacks. This group's activities have primarily targeted Ukraine, compromising the country's critical infrastructure and telecommunications providers. The Sandworm group is known for its fileless attack met
ELECTRUM | Unspecified | 1 | Electrum, a threat actor identified in cyberattacks against Ukraine on February 1, 2022, is known for its Bitcoin-themed attacks. These attacks often involve the use of PDF delivery documents referencing Electrum Bitcoin wallets, similar to those seen in subsequent attacks in April. The initial load
APT28 | Unspecified | 1 | APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2014-4114 | Unspecified | 1 | CVE-2014-4114 is a significant vulnerability that lies within the design or implementation of software. This flaw specifically targets the Microsoft Windows OLE Package Manager, enabling remote code execution. The exploit was primarily used in .pps files, which are PowerPoint presentation files, mak
Source Document References
Information about the Sandworm Team threat actor was read from the document corpus below (display limited to 20 results).
Source | Created At | Title
CERT-EU | 5 months ago | Operational Technology Threats - ReliaQuest
CERT-EU | 7 months ago | Critical Infrastructure Remains the Brass Ring for Cyber Attackers in 2024
InfoSecurity-magazine | 10 months ago | #mWISE: FBI Director Urges Greater Private-Public Collaboration
CERT-EU | a year ago | 3rd April – Threat Intelligence Report - Check Point Research
CERT-EU | a year ago | Russian Cyber War: An Elite Russian Hacker Spells Out His Vision for "Information Confrontation in World Politics"
CERT-EU | a year ago | Anomali Cyber Watch: Cadet Blizzard - New GRU APT, ChamelDoH Hard-to-Detect Linux RAT, Stealthy DoubleFinger Targets Cryptocurrency
MITRE | a year ago | Anticipating Cyber Threats as the Ukraine Crisis Escalates | Mandiant
MITRE | a year ago | Sandworm Team and the Ukrainian Power Authority Attacks | Mandiant
MITRE | a year ago | VOODOO BEAR | Threat Actor Profile | CrowdStrike
MITRE | a year ago | ELECTRUM Threat Group | Dragos
MITRE | a year ago | Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers
MITRE | a year ago | Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure | Mandiant
Securityaffairs | a year ago | Leaked documents from Russian firm NTC Vulkan show Sandworm cyberwarfare arsenal