Sandworm Team

APT / StateG0034
OriginRússia
Techniques (MITRE ATT&CK)79
SourceMITRE ATT&CK
Also known as:ELECTRUMTelebotsIRON VIKINGBlackEnergy (Group)QuedaghVoodoo BearIRIDIUMSeashell BlizzardFROZENBARENTSAPT44

Vexday analysis

Sandworm Team é um grupo de ameaça destrutivo atribuído à Unidade Militar 74455 do Centro Principal de Tecnologias Especiais (GTsST) do GRU, serviço de inteligência militar russo, com atividade documentada desde pelo menos 2009. Em outubro de 2020, os Estados Unidos indiciaram seis oficiais da Unidade 74455 associados ao grupo por operações cibernéticas que incluem os ataques de 2015 e 2016 contra empresas de energia elétrica e organizações governamentais ucranianas, o ataque global NotPetya de 2017, ações contra a campanha presidencial francesa de 2017 e o ataque Olympic Destroyer de 2018. O grupo é rastreado pelo MITRE ATT&CK sob o identificador G0034, com 79 técnicas documentadas e 4 CVEs atribuídas, sendo também conhecido pelos aliases ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh e Voodoo Bear.

Techniques (MITRE ATT&CK) 79

How the group operates, mapped to the MITRE ATT&CK matrix and organized by the phases of an attack.

Reconnaissance
Email AddressesEmployee NamesDomain PropertiesBusiness RelationshipsSoftwareSearch Open Websites/DomainsSearch Victim-Owned WebsitesVulnerability ScanningSpearphishing Link
Resource development
Acquire InfrastructureDomainsServerServerBotnetSocial Media AccountsEmail AccountsSocial Media AccountsMalwareToolVulnerabilitiesUpload Malware
Initial access
Exploit Public-Facing ApplicationSupply Chain CompromiseCompromise Software Supply ChainTrusted RelationshipSpearphishing AttachmentSpearphishing Link
Execution
Windows Management InstrumentationScheduled TaskPowerShellVisual BasicSoftware Deployment ToolsNative APIExploitation for Client ExecutionMalicious LinkMalicious File
Persistence
External Remote ServicesWeb Shell
Credential access
LSASS MemoryNTDSNetwork SniffingSteal Web Session CookieCredentials from Web Browsers
Discovery
Remote System DiscoverySystem Owner/User DiscoverySystem Network Connections DiscoverySystem Information DiscoveryFile and Directory DiscoveryDomain AccountEmail Account
Lateral movement
SMB/Windows Admin SharesLateral Tool Transfer
Collection
Data from Local SystemKeyloggingDatabases
Command and control
Web ProtocolsProxyBidirectional CommunicationIngress Tool TransferStandard EncodingRemote Access ToolsNon-Standard Port
Exfiltration
Exfiltration Over C2 Channel
Impact
Data DestructionData Encrypted for ImpactService StopInhibit System RecoveryExternal DefacementEndpoint Denial of ServiceDisk Structure Wipe
stealth
Obfuscated Files or InformationCommand ObfuscationMasqueradingMatch Legitimate Resource Name or LocationFile DeletionValid AccountsDomain AccountsDeobfuscate/Decode Files or InformationRundll32

Exploited vulnerabilities 4

CVEs this group is known to exploit, per MITRE ATT&CK. Ordered by real-world severity.

CVE-2014-7169CRITICALEPSS 100%KEVCVE-2013-3906HIGHEPSS 85%KEVCVE-2014-4114HIGHEPSS 82%KEVCVE-2016-6662EPSS 68%

Sandworm Team uses real techniques and exploits real flaws. TrueHacking's AI Autonomous Pentest simulates these attacks against your infrastructure and brings more security to your application.

Explore the AI Autonomous Pentest →