Telebots

Threat Actor updated 7 months ago (2024-05-04T16:54:17.952Z)
TeleBots, a threat actor group also tracked as Sandworm, BlackEnergy, Iron Viking, Voodoo Bear, and Seashell Blizzard, has been identified as operating under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). Active since 2000, the group is recognized for its sophisticated cyber-espionage campaigns, and Western intelligence agencies have linked its activities to the Russian military intelligence agency, the GRU.

TeleBots has a reputation for deploying a range of malware, including Linux ransomware on non-Windows servers, and for using stolen Windows credentials to push ransomware in the final stages of an attack. In June 2017, the group was implicated in the global outbreak of the Diskcoder.C ransomware, also known as Petya and NotPetya. The outbreak reportedly originated from companies already infected with a TeleBots backdoor, which had been delivered through the compromise of M.E.Doc, a financial software package popular in Ukraine. Strong code similarity between the Win32/Exaramel backdoor and the main Industroyer backdoor further links TeleBots to the Industroyer, NotPetya, and BlackEnergy incidents.

The group's modus operandi typically involves KillDisk malware in the final stages of an attack, overwriting files with specific extensions on the victims' disks. One such instance involved the deployment of a VBS backdoor through a possibly compromised M.E.Doc update server mechanism. Documents dated between 2016 and 2020 indicate that the group has been contracted by Russian intelligence, including GRU Unit 74455, to develop tools, training programs, and an intrusion platform. The consistent activity and evolving techniques of TeleBots underscore the persistent threat posed by state-sponsored cyber-espionage groups.
Description last updated: 2024-04-18T15:17:05.028Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track between vendors, so the following are possible overlapping names and profiles that may also be worth reviewing.
Alias (votes): Description

Sandworm (5): Sandworm is a possible alias for Telebots. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c

Voodoo Bear (3): Voodoo Bear is a possible alias for Telebots. VOODOO BEAR, also known as Sandworm, Seashell Blizzard, and other names such as Iridium, Iron Viking, Telebots, and APT44, is a highly advanced threat actor with a suspected nexus to the Russian Federation. First identified in January 2018, this group has been active since 2000 and operates under th

BlackEnergy (3): BlackEnergy is a possible alias for Telebots. BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a

NotPetya (2): NotPetya is a possible alias for Telebots. NotPetya, a destructive malware posing as ransomware, was unleashed in 2017, causing widespread global damage while primarily targeting Ukraine's infrastructure. The cyberattack, commonly attributed to Russia, was so devastating that it led many to consider it an act of cyberwar, despite no official

Seashell Blizzard (2): Seashell Blizzard is a possible alias for Telebots. Seashell Blizzard, also known as Iridium, Sandworm, Voodoo Bear, and APT44, is a state-sponsored threat actor group affiliated with the Russian military intelligence service (GRU). Microsoft has identified this group as distinct from other Advanced Persistent Threat (APT) groups operating under the

IRON VIKING (2): Iron Viking is a possible alias for Telebots. Iron Viking, a threat actor group also known as Sandworm, Telebots, Voodoo Bear, and other names, has been active since 2000. This group operates under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). Iron Viking is notorious for its destructive cyber-espi
Miscellaneous Associations
Other elements of context that could aid in assessing relevance:
russian
Russia