APT Profile: Sandworm
Threat actors range from teenagers eager to earn quick cash to state-sponsored actors with agendas behind their operations. The agendas of these state-sponsored groups may include espionage against neighboring countries or attacks on the critical infrastructure of opposing nations. Russia is one of the nations with a high number of APT (Advanced Persistent Threat) groups to mobilize against its targets. Among them is Sandworm, which was involved in the Russia-Ukraine war. Sandworm is one of the more active and dangerous APTs in cyberspace. Just like their namesake from the famous Dune series by Frank Herbert, they pose a significant danger to the safety of people, especially given their objective of targeting critical infrastructure.
Who is Sandworm?
Sandworm, also known as ELECTRUM, Black Energy, and VOODOO BEAR, is a pernicious APT that the US has attributed to Russia’s General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST), military unit 74455. They have been actively operating in cyberspace for Russia’s strategic benefit since at least 2009, conducting many major attacks against multiple countries and causing billions of dollars in damage. They mostly rely on spear phishing to deliver malware and leverage zero-day vulnerabilities.
Who are Sandworm’s Targets?
Researchers have observed Sandworm conducting malicious activities across Europe, North America, and Asia. They primarily target Industrial Control Systems (ICS) in critical sectors such as energy and utilities, national security, international affairs, and telecommunications around the globe. However, since their emergence, in line with Russia’s strategic objectives, their main target appears to be Ukraine. In the last decade, they have carried out multiple high-impact attacks on Ukrainian critical infrastructure.
What are the Motivations Behind Sandworm’s Attacks?
With the Russian invasion of Ukraine, there was a substantial increase in cyberattacks in the region. Critical infrastructure was affected, and the Russian cyber forces targeted top-secret information. The cyber forces also sought to diminish the morale of Ukrainian citizens through defacements and other destructive attacks on Ukraine’s critical infrastructure, such as DDoS attacks on government portals.
The war was not the beginning of cyber attacks on Ukraine by Russia. The origins of the Russian attacks can be pinpointed to even a decade earlier. The first recorded Russian cyberattacks against Ukraine happened during the mass protests in 2013. The war amplified the attacks in number and magnitude. Sandworm was one of the front runners of the Russian cyber forces targeting Ukraine during this decade, and they still are.
SOCRadar tracks the Russia-Ukraine Cyberwar as a campaign. In SOCRadar Labs, you can find and track the events.
How does Sandworm Operate?
Sandworm has a long record of attacks on ICS over its operational lifetime. The group is affiliated with two of the first four known types of ICS-targeting malware, “BlackEnergy” and “Industroyer,” both of which targeted Ukrainian critical infrastructure. They did not stop there: they developed the ICS-targeting malware “Industroyer2” and used it against Ukraine, this time adding another layer with the wipers “CaddyWiper,” “ORCSHRED,” “SOLOSHRED,” and “AWFULSHRED,” whose aim was to destroy disks on the targeted machines and hamper recovery. In another attack, in 2017, they deployed “NotPetya” against Ukraine as a wiper; it is considered a modified version of the “Petya” ransomware.
Although ICS is their main area, Sandworm does not limit itself to ICS attacks with custom malware and ransomware variants repurposed as wipers. They have also deployed functional ransomware, such as “RansomBoggs” and “Prestige,” against organizations in Ukraine and other countries. These attacks are attributed to Sandworm because the PowerShell script that deployed RansomBoggs is nearly identical to the one used to deploy Industroyer2. The same script, POWERGAP, was also used to deliver CaddyWiper.
Which Tools Does Sandworm Use?
BlackEnergy is a malware toolkit used by criminal and APT actors since 2007. Although initially designed to create botnets to conduct Distributed Denial of Service (DDoS) attacks, its use has evolved over the last decade to support various plug-ins. It is a well-known malware leveraged by Sandworm in multiple attacks. Variants include BlackEnergy 2 and BlackEnergy 3.
Industroyer is a sophisticated malware framework designed to disrupt ICS, particularly components used in power grids. Sandworm used Industroyer and its variants in multiple attacks targeting power grids in Ukraine. This is the first publicly known malware specifically designed to target and impact operations in the electric grid. Variants include Industroyer2.
KillDisk is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. Sandworm first used it in attacks against Ukraine in 2015 as a component of BlackEnergy. Since then KillDisk has evolved into stand-alone malware used by Sandworm and other threat actors.
NotPetya is an altered variant of the Petya encryption malware. It presents itself as ransomware but irrecoverably destroys data and disk structures on compromised systems. Sandworm used it in the 2017 worldwide attacks, causing $10 billion in damage. NotPetya also has worm-like features that spread it across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.
Olympic Destroyer is malware that renders infected computer systems inoperable. It acts as a worm spreading across networks to maximize its destructive impact. Sandworm used it against the 2018 Pyeongchang Winter Olympics.
CaddyWiper is a wiper malware designed to damage target systems by erasing user data, programs, and hard drives. Sandworm used it in attacks on Ukrainian government agencies before the Russian invasion.
Other tools that are potentially associated with Sandworm can be found on SOCRadar.
When the Russian invasion of Ukraine began on February 24, 2022, many security researchers predicted that Russia would use all of its cyber capabilities to complete its mission. In light of all the information in this article, it is clear that Russian cyber warfare capabilities are undeniably devastating and have been used in the war. Yet they were not as effective as the previous attacks. If we look at the attacks attributed to Sandworm, such as the five-year-long cyber espionage activity, we can see that their previous attacks were more sophisticated and harmful. This situation might be the result of two main factors. One is that Ukraine received tremendous help from outside the country to prevent Russian cyberattacks. The other is that large-scale destructive attacks require extensive preparation and patience, which means time is needed, and in war there is little time for such sophisticated attacks.
What are the Security Recommendations Against Sandworm?
- ICS is the main target of the Sandworm APT group. So, ICS should have minimal internet dependency. They must be put behind firewalls and isolated from the external network.
- SOCRadar tracks threat actors continuously and gathers IOCs for the tracked actors. You can feed these IOCs into security devices such as firewalls, IPSs, or SOAR solutions for better protection against potential threats.
- Cybersecurity researchers detected that Sandworm leverages phishing to gain initial access in some cases. Train your staff to raise security awareness to prevent potential phishing attacks.
- Sandworm used ransomware or wipers in some of its attacks. Back up your data to prevent further damage and reinstate the affected systems rapidly.
- Keep an eye on the external attack surface of your environment. Make sure to patch all critical vulnerabilities and not leave any vulnerable ports open. SOCRadar can aid you in this endeavor with its External Attack Surface Management.
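The two recommendations on feeding IOCs into firewalls or SOAR tooling and on not leaving vulnerable ports open can be combined into a small triage script. The following is an added example, not part of the original article and not SOCRadar’s own tooling: it loads a hypothetical IOC feed (the dictionary shape is an assumption), matches it against constructed firewall and DNS log lines, flags sensitive services such as SMB (the port NotPetya spread over) that are reachable from outside the internal ranges, and produces a deduplicated deny list. Every address, domain and log line is constructed for the example and is not a real Sandworm indicator.

```python
"""Added example (not the article's or SOCRadar's code): IOC matching over
constructed firewall and DNS logs plus an exposed-service check."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed IOC feed; the {"ips": [...], "domains": [...]} shape is an assumption.
IOC_FEED = {
    "ips": ["203.0.113.0/24", "198.51.100.7"],
    "domains": ["update-check.example", "cdn.example.net"],
}

# Constructed firewall log lines: <ts> action=ALLOW|DENY src=<ip> dst=<ip> dport=<port>
FIREWALL_LOG = """\
2024-03-01T10:00:01Z action=ALLOW src=10.0.5.12 dst=203.0.113.45 dport=443
2024-03-01T10:00:03Z action=ALLOW src=192.0.2.200 dst=10.0.1.5 dport=445
2024-03-01T10:00:07Z action=DENY src=198.51.100.7 dst=10.0.1.9 dport=22
2024-03-01T10:00:09Z action=ALLOW src=10.0.5.14 dst=93.184.216.34 dport=80
"""

# Constructed DNS query log lines: <ts> <client ip> <queried name>
DNS_LOG = """\
2024-03-01T10:00:02Z 10.0.5.12 www.update-check.example
2024-03-01T10:00:05Z 10.0.5.14 mail.internal.corp
"""

# Services that should never be reachable from outside the perimeter.
SENSITIVE_PORTS = {445: "SMB", 3389: "RDP", 502: "Modbus/TCP"}

# Internal ranges are listed explicitly rather than using ipaddress.is_global,
# because the documentation ranges used in this sample are not "global" there.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    kind: str       # "ioc_ip", "ioc_domain" or "exposed_service"
    indicator: str  # the IOC network, domain or service that matched
    line: str       # the log line that produced the finding


class IocIndex:
    def __init__(self, feed):
        self.networks = [ipaddress.ip_network(x, strict=False) for x in feed["ips"]]
        self.domains = {d.lower().rstrip(".") for d in feed["domains"]}

    def match_ip(self, ip_str):
        """Return the IOC network containing ip_str, or None."""
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            return None
        return next((str(n) for n in self.networks if ip in n), None)

    def match_domain(self, qname):
        """Match the queried name or any parent domain (www.bad.example -> bad.example)."""
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None


def is_external(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in n for n in INTERNAL_NETS)


def parse_kv(line):
    """Turn the k=v tokens after the timestamp into a dict."""
    return dict(tok.partition("=")[::2] for tok in line.split()[1:])


def scan_firewall(index, log):
    findings = []
    for line in log.splitlines():
        f = parse_kv(line)
        for role in ("src", "dst"):
            hit = index.match_ip(f.get(role, ""))
            if hit:
                findings.append(Finding("ioc_ip", hit, line))
        port = int(f.get("dport", "0"))
        if f.get("action") == "ALLOW" and port in SENSITIVE_PORTS and is_external(f["src"]):
            findings.append(Finding("exposed_service",
                                    f"{SENSITIVE_PORTS[port]}/{port} from {f['src']}", line))
    return findings


def scan_dns(index, log):
    findings = []
    for line in log.splitlines():
        _ts, _client, qname = line.split()
        hit = index.match_domain(qname)
        if hit:
            findings.append(Finding("ioc_domain", hit, line))
    return findings


def block_list(findings):
    """Distinct IP IOCs that fired, ready to push to a firewall or IPS deny list."""
    return sorted({f.indicator for f in findings if f.kind == "ioc_ip"})


def summarize(findings):
    return dict(Counter(f.kind for f in findings))


def run(feed=IOC_FEED, fw_log=FIREWALL_LOG, dns_log=DNS_LOG):
    index = IocIndex(feed)
    return scan_firewall(index, fw_log) + scan_dns(index, dns_log)


if __name__ == "__main__":
    results = run()
    for f in results:
        print(f"[{f.kind}] {f.indicator}: {f.line}")
    print("summary:", summarize(results))
    print("deny list:", block_list(results))
```

On the sample data the script reports two IP IOC hits, one domain IOC hit and one exposed service (SMB on 445 allowed from a non-internal source). The domain matcher walks parent labels so a feed entry for a registered domain also catches its subdomains, which is how most feeds expect to be consumed; the deny list is the part you would hand to the firewall or IPS.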
MITRE ATT&CK Techniques
Techniques – Enterprise
Reconnaissance
- Active Scanning: Vulnerability Scanning
- Gather Victim Host Information: Software
- Gather Victim Identity Information: Email Addresses
- Gather Victim Identity Information: Employee Names
- Gather Victim Network Information: Domain Properties
- Gather Victim Org Information: Business Relationships
- Phishing for Information: Spearphishing Link
- Search Open Websites/Domains
- Search Victim-Owned Websites
Resource Development
- Acquire Infrastructure: Domains
- Acquire Infrastructure: Server
- Compromise Infrastructure: Botnet
- Develop Capabilities: Malware
- Establish Accounts: Social Media Accounts
- Establish Accounts: Email Accounts
- Obtain Capabilities: Tool
- Obtain Capabilities: Vulnerabilities
Initial Access
- External Remote Services
- Phishing: Spearphishing Attachment
- Phishing: Spearphishing Link
- Supply Chain Compromise: Compromise Software Supply Chain
- Valid Accounts: Domain Accounts
Execution
- Command and Scripting Interpreter: PowerShell
- Command and Scripting Interpreter: Windows Command Shell
- Command and Scripting Interpreter: Visual Basic
- Exploitation for Client Execution
- User Execution: Malicious Link
- User Execution: Malicious File
- Windows Management Instrumentation
Persistence
- Create Account: Domain Account
- Server Software Component: SQL Stored Procedures
- Server Software Component: Web Shell
Defense Evasion
- Deobfuscate/Decode Files or Information
- Impair Defenses: Disable Windows Event Logging
- Indicator Removal: File Deletion
- Masquerading: Match Legitimate Name or Location
- Obfuscated Files or Information: Software Packing
- System Binary Proxy Execution: Rundll32
Credential Access
- Brute Force: Password Spraying
- Credentials from Password Stores: Credentials from Web Browsers
- Input Capture: Keylogging
- OS Credential Dumping: LSASS Memory
Discovery
- Account Discovery: Domain Account
- Account Discovery: Email Account
- File and Directory Discovery
- Remote System Discovery
- System Information Discovery
- System Network Configuration Discovery
- System Network Connections Discovery
- System Owner/User Discovery
Lateral Movement
- Lateral Tool Transfer
- Remote Services: SMB/Windows Admin Shares
Collection
- Data from Local System
Command and Control
- Application Layer Protocol: Web Protocols
- Data Encoding: Standard Encoding
- Ingress Tool Transfer
- Remote Access Software
- Web Service: Bidirectional Communication
Exfiltration
- Exfiltration Over C2 Channel
Impact
- Defacement: External Defacement
- Disk Wipe: Disk Structure Wipe
- Endpoint Denial of Service
Techniques – ICS
Initial Access
- Exploit Public-Facing Application
- External Remote Services
Execution
- Graphical User Interface
Lateral Movement
- Lateral Tool Transfer
Command and Control
Inhibit Response Function
- Block Command Message
- Block Reporting Message
Impair Process Control
- Unauthorized Command Message