Telebots

Threat Actor Profile Updated 3 months ago
TeleBots, a notorious threat actor group also known as Sandworm, BlackEnergy, Iron Viking, Voodoo Bear, and Seashell Blizzard, has been identified as operating under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). Active since 2000, the group is recognized for its sophisticated cyber-espionage campaigns, and Western intelligence agencies have attributed its activities to the Russian military intelligence agency, the GRU. TeleBots has a reputation for deploying a variety of malware, including Linux ransomware on non-Windows servers, and for using stolen Windows credentials to push ransomware in the final stages of its attacks. In June 2017, the group was implicated in the global outbreak of the Diskcoder.C ransomware, also known as Petya and NotPetya. The outbreak reportedly originated from companies already infected with a TeleBots backdoor, which had been delivered through the compromise of M.E.Doc, a financial software package popular in Ukraine. Strong code similarity between the Win32/Exaramel backdoor and the main Industroyer backdoor further links TeleBots to the Industroyer, NotPetya, and BlackEnergy incidents. The group's modus operandi typically involves using KillDisk malware in the final stages of an attack to overwrite files with specific extensions on the victims' disks. In one instance, a VBS backdoor was deployed through what was probably a compromised M.E.Doc update server mechanism. Documents dated between 2016 and 2020 reveal that the group has been contracted by Russian intelligence, including GRU Unit 74455, for the development of tools, training programs, and an intrusion platform. The consistent activity and evolving techniques of TeleBots underscore the persistent threat posed by state-sponsored cyber-espionage groups.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Sandworm | 5 | Sandworm, a threat actor linked to Russia, has been identified as a significant cybersecurity risk. Known for its sophisticated and malicious activities, Sandworm has notably compromised 11 Ukrainian telecommunications providers, disrupting services and posing a substantial threat to the digital inf
BlackEnergy | 3 | BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a
Voodoo Bear | 3 | VOODOO BEAR, also known as Sandworm, Seashell Blizzard, and other names such as Iridium, Iron Viking, Telebots, and APT44, is a highly advanced threat actor with a suspected nexus to the Russian Federation. First identified in January 2018, this group has been active since 2000 and operates under th
NotPetya | 2 | NotPetya is a notorious malware that was unleashed in 2017, primarily targeting Ukraine but eventually impacting systems worldwide. This malicious software, which initially appeared to be ransomware, was later revealed to be data destructive malware, causing widespread disruption rather than seeking
IRON VIKING | 2 | Iron Viking, a threat actor group also known as Sandworm, Telebots, Voodoo Bear, and other names, has been active since 2000. This group operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST). Iron Viking is notorious for its destructive cyber-espi
Seashell Blizzard | 2 | Seashell Blizzard, also known as Iridium, Sandworm, Voodoo Bear, and APT44, is a state-sponsored threat actor group affiliated with the Russian military intelligence service (GRU). Microsoft has identified this group as distinct from other Advanced Persistent Threat (APT) groups operating under the
Sandworm Apt | 1 | The Sandworm Advanced Persistent Threat (APT) group, a threat actor believed to be linked to Russia, has been identified as a significant cybersecurity concern. This entity has displayed malicious intent and demonstrated its capacity to execute sophisticated cyber-attacks. The naming convention "San
Industroyer | 1 | Industroyer, also known as CrashOverride, is a potent malware specifically designed to target Industrial Control Systems (ICS) used in electrical substations. It first gained notoriety for its role in the 2016 cyberattack on Ukraine's power grid, which resulted in a six-hour blackout in Kyiv. The ma
Miscellaneous Associations
Other contextual elements that may help in assessing relevance
russian
Russia
Ransomware
Malware
Linux
Windows
Vpn
Ransom
Telegram
Wiper
Backdoor
Apt
Associated Malware
ID | Type | Votes | Profile Description
petya | Unspecified | 1 | Petya is a type of malware, specifically ransomware, that infected Windows-based systems primarily through phishing emails. It was notorious for its ability to disrupt operations and hold data hostage for ransom. Petya, along with other types of ransomware like WannaCry, NotPetya, TeslaCrypt, and Da
Win32/exaramel | Unspecified | 1 | Win32/Exaramel is a type of malware, specifically a backdoor, that can infiltrate systems through suspicious downloads, emails, or websites. Once deployed by a dropper, it can exploit and damage the infected computer or device, potentially stealing personal information or disrupting operations. The
Killdisk Wiper | Unspecified | 1 | None
KillDisk | Unspecified | 1 | KillDisk is a potent malware, initially designed to overwrite targeted files instead of encrypting them. First seen in action during December 2016, it disrupted recovery processes by erasing critical system and workstation files. The TeleBots group notably used KillDisk in the final stages of their
Associated Threat Actors
ID | Type | Votes | Profile Description
Hades | Unspecified | 1 | Hades is a notable threat actor, known for its distinctive tactics and infrastructure in executing cyber attacks. The cybersecurity industry first observed Hades' operations in June 2021, with its activities marked by the use of advanced tools such as Advanced Port Scanner, MegaSync, Rclone, and Mal
ELECTRUM | Unspecified | 1 | Electrum, a threat actor identified in cyberattacks against Ukraine on February 1, 2022, is known for its Bitcoin-themed attacks. These attacks often involve the use of PDF delivery documents referencing Electrum Bitcoin wallets, similar to those seen in subsequent attacks in April. The initial load
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Telebots threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | 3 months ago | Previously unknown Kapeka backdoor linked to Sandworm APT
Securityaffairs | 7 months ago | Russia-linked APT Sandworm was inside Ukraine telecoms giant Kyivstar for months
Securityaffairs | 8 months ago | Russian Sandworm disrupts power in Ukraine with a new OT attack
BankInfoSecurity | 9 months ago | Ukrainian Telcos Targeted by Suspected Sandworm Hackers
Securityaffairs | 9 months ago | Russia-linked Sandworm APT compromised 11 Ukrainian telecommunications providers
Securityaffairs | a year ago | Russia-linked hackers target Ukrainian military with Infamous Chisel Android malware
CERT-EU | a year ago | Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks
MITRE | a year ago | New TeleBots backdoor: First evidence linking Industroyer to NotPetya | WeLiveSecurity
MITRE | a year ago | TeleBots are back: Supply‑chain attacks against Ukraine | WeLiveSecurity
MITRE | a year ago | KillDisk Disk-Wiping Malware Adds Ransomware Component
ESET | a year ago | A year of wiper attacks in Ukraine | WeLiveSecurity
Securityaffairs | a year ago | Microsoft sheds light on a year of Russian hybrid warfare in Ukraine
Securityaffairs | a year ago | Leaked documents from Russian firm NTC Vulkan show Sandworm cyberwarfare arsenal
CERT-EU | a year ago | Hacker Group Names Are Now Absurdly Out of Control | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting
CERT-EU | a year ago | Gehackt door een zeekoe of een groep mango’s (Hacked by a manatee or a group of mangoes)
Securityaffairs | a year ago | Sandworm APT uses WinRAR in destructive attacks on Ukraine