Sandworm (hacker group)
Sandworm (hacker group)
Main page
2645867

Sandworm (hacker group)

logo
Community Hub0 subscribers
What are your thoughts?
Be the first to start a discussion here.
Be the first to start a discussion here.
Sandworm (hacker group)

Sandworm is an advanced persistent threat operated by MUN 74455, a cyberwarfare unit of the GRU, Russia's military intelligence service. Other names for the group, given by cybersecurity researchers, include APT44, Telebots, Voodoo Bear, IRIDIUM, Seashell Blizzard, and Iron Viking.

The team is believed to be behind the December 2015 Ukraine power grid cyberattack, the 2017 cyberattacks on Ukraine using the NotPetya malware, various interference efforts in the 2017 French presidential election, and the cyberattack on the 2018 Winter Olympics opening ceremony. Then-United States Attorney for the Western District of Pennsylvania Scott Brady described the group's cyber campaign as "representing the most destructive and costly cyber-attacks in history."

On 3 September 2014 iSIGHT Partners (now Mandiant) discovered a spear-phishing campaign exploiting a zero-day vulnerability via weaponized Microsoft Office documents. The vulnerability, dubbed CVE-2014-4114, affected all versions of Windows from Vista to 8.1 and allowed attackers to execute arbitrary code on a target machine. Researchers were able to attribute the attack to the Sandworm group and observed that the Ukrainian government was one target of the campaign. Notably, this attack coincided with a NATO summit on Ukraine in Wales.

On 23 December 2015, hackers launched a coordinated cyberattack against 3 energy companies in Ukraine and succeeded in temporarily disrupting the supply of electricity to about 230,000 Ukrainians for 1-6 hours.

In January, iSight Partners released a report linking the attack to Sandworm based on the usage of BlackEnergy 3.

On 17 December 2016, a year after the previous power grid attack, hackers again disrupted the Ukrainian power grid with a cyber attack. About one fifth of Kyiv lost power for an hour. While the outage was ultimately short, a report released 3 years after the attack by security firm Dragos outlines a theory that the malware, known as Industroyer or CRASHOVERRIDE, was meant to destroy physical electrical equipment. By exploiting a known vulnerability in the protective relays, the malware may have been designed to obfuscate any safety issues such that when engineers worked to restore power, an overload of current would be sent to destroy transformers or power lines. Such destruction would have potentially harmed utility workers as well as led to a much longer power outage if it had succeeded.

On 9 February 2018 during the opening ceremony of the Winter Olympics in Pyeongchang, South Korea hackers launched a cyberattack and successfully disrupted IT infrastructure including WiFi, televisions around the Pyeongchang Olympic Stadium showing the ceremony, RFID-based security gates, and the official Olympics app which was used for digital ticketing. Staff were able to restore most critical functions before the opening ceremony was over, but the entire network had to be rebuilt from scratch. Wiper malware had wormed through every domain controller and rendered them inoperable.

3 days later Cisco Talos published a report dubbing the malware "Olympic Destroyer." The report listed similarities in the malware's propagation techniques to the "BadRabbit" and "Nyetya" malware strains and stated disruption of the games as the attack's objective.

See all
User Avatar
No comments yet.