Hubbry Logo
search button
Sign in
Sandworm (hacker group)
Sandworm (hacker group)
Comunity Hub
MainMain
arrow-down
History
arrow-down
starMore
arrow-down
Sign in
Sign in
bob

Bob

Have a question related to this hub?

bob

Alice

Got something to say related to this hub?
Share it here.

#general is a chat channel to discuss anything related to the hub.
Hubbry Logo
search button
Sign in
Sandworm (hacker group)
Sandworm (hacker group)
Community hub for the Wikipedia article
logoWikipedian hub
Sandworm (hacker group)
Sandworm (hacker group)
Main
Welcome to the community hub built on top of the Sandworm (hacker group) Wikipedia article. Here, you can discuss, collect, and organize anything related to Sandworm (hacker group). The purpose of the hub...
Add your contribution
Media Collections
1
Timelines
0
Articles
0
Notes collections
0
Days in Chronicle
0
Sandworm (hacker group)

Sandworm is an advanced persistent threat operated by MUN 74455, a cyberwarfare unit of the GRU, Russia's military intelligence service.[3] Other names for the group, given by cybersecurity researchers, include APT44,[4] Telebots, Voodoo Bear, IRIDIUM, Seashell Blizzard,[5] and Iron Viking.[6][7][8]

Key Information

The team is believed to be behind the December 2015 Ukraine power grid cyberattack,[9][10][11] the 2017 cyberattacks on Ukraine using the NotPetya malware,[12] various interference efforts in the 2017 French presidential election,[6] and the cyberattack on the 2018 Winter Olympics opening ceremony.[13][14] Then-United States Attorney for the Western District of Pennsylvania Scott Brady described the group's cyber campaign as "representing the most destructive and costly cyber-attacks in history."[6]

History

[edit]

2014

[edit]

On 3 September 2014 iSIGHT Partners (now Mandiant) discovered a spear-phishing campaign exploiting a zero-day vulnerability via weaponized Microsoft Office documents. The vulnerability, dubbed CVE-2014-4114, affected all versions of Windows from Vista to 8.1 and allowed attackers to execute arbitrary code on a target machine. Researchers were able to attribute the attack to the Sandworm group and observed that the Ukrainian government was one target of the campaign. Notably, this attack coincided with a NATO summit on Ukraine in Wales.[15]

2015 Ukraine power grid hack

[edit]
Main article: 2015 Ukraine power grid hack

On 23 December 2015, hackers launched a coordinated cyberattack against 3 energy companies in Ukraine and succeeded in temporarily disrupting the supply of electricity to about 230,000 Ukrainians for 1-6 hours.

In January, iSight Partners released a report linking the attack to Sandworm based on the usage of BlackEnergy 3. [16]

2016 Ukraine power grid hack

[edit]
Main article: 2016 Kyiv cyberattack

On 17 December 2016, a year after the previous power grid attack, hackers again disrupted the Ukrainian power grid with a cyber attack. About one fifth of Kyiv lost power for an hour. While the outage was ultimately short, a report released 3 years after the attack by security firm Dragos outlines a theory that the malware, known as Industroyer or CRASHOVERRIDE, was meant to destroy physical electrical equipment. By exploiting a known vulnerability in the protective relays, the malware may have been designed to obfuscate any safety issues such that when engineers worked to restore power, an overload of current would be sent to destroy transformers or power lines. Such destruction would have potentially harmed utility workers as well as led to a much longer power outage if it had succeeded. [17]

2018 Winter Olympics

[edit]

On 9 February 2018 during the opening ceremony of the Winter Olympics in Pyeongchang, South Korea hackers launched a cyberattack and successfully disrupted IT infrastructure including WiFi, televisions around the Pyeongchang Olympic Stadium showing the ceremony, RFID-based security gates, and the official Olympics app which was used for digital ticketing. Staff were able to restore most critical functions before the opening ceremony was over, but the entire network had to be rebuilt from scratch. Wiper malware had wormed through every domain controller and rendered them inoperable.[13]

3 days later Cisco Talos published a report dubbing the malware "Olympic Destroyer." The report listed similarities in the malware's propagation techniques to the "BadRabbit" and "Nyetya" malware strains and stated disruption of the games as the attack's objective.[18]

Attribution of the Olympic Destroyer malware proved difficult as it appeared the author(s) had included code samples belonging to multiple threat actors as false flags. Intezer published a report on 12 February showing code similarities to samples attributed to 3 Chinese threat actors while a follow-up Talos report noted a "weak" clue pointing to another wiper created by a spinoff of the Lazarus Group, a North Korean APT.[19][20]

The Kaspersky GReAT team on 8 March published 2 blog posts discussing the current industry theories and their own original research. In the technical article Kaspersky, a Russian company, showed in detail how they discovered file headers pointing to Lazarus Group were forged but stopped short of attributing the Olympic Destroyer malware to any non-North Korean group.[21][22]

GRU Colonel Yevgeny Serebryakov

[edit]

Following his expulsion from the Netherlands in April 2018 on suspicion of preparing cyberattacks on the assets of the Organisation for the Prohibition of Chemical Weapons (OPCW), GRU Colonel Yevgeny Mikhailovich (or Mikhaylovich) Serebryakov (or Serebriakov) (Russian: Евгений Михайлович Серебряков born 26 July 1981, Kursk, USSR) allegedly later headed Sandworm.[23][24][25][26][27] On 4 October 2018, Evgenii Mikhaylovich Serebriakov was indicted for his support in numerous GRU operations.[28][a]

US indictment (2020)

[edit]
FBI wanted poster listing 6 Russian military officers indicted for cyber crimes.

On 19 October 2020, a US-based grand jury released an indictment charging six alleged Unit 74455 officers with cybercrimes.[29][30][31] The officers, Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin, were all individually charged with conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft. Five of the six were accused of overtly developing hacking tools, while Ochichenko was accused of participating in spearphishing attacks against the 2018 Winter Olympics and conducting technical reconnaissance on and attempting to hack the official domain of the Parliament of Georgia.[6][b]

Concurrent with the US indictment announcement, the UK's National Cyber Security Centre (NCSC) published a report which publicly associated Sandworm with the 2018 Winter Olympics attack.[2]

Exim exploitation (2020)

[edit]

On 28 May 2020 the National Security Agency published a cybersecurity advisory warning that the Sandworm group was actively exploiting a remote code execution vulnerability (referred to as CVE-2019-10149) in Exim[38] to gain full control of mail servers.[39] At the time the advisory was published, an updated version of Exim had been available for a year and the NSA urged administrators to patch their mail servers.[citation needed]

[edit]

In February 2022, Sandworm allegedly released the Cyclops Blink as malware. The malware is similar to VPNFilter.[40] The malware allows a botnet to be constructed, and affects Asus routers and WatchGuard Firebox and XTM appliances. CISA issued a warning about this malware.[41]

War crimes request (March 2022)

[edit]

In late March 2022, human rights investigators and lawyers in the UC Berkeley School of Law sent a formal request to the Prosecutor of the International Criminal Court in The Hague.[42] They urged the International Criminal Court to consider war crimes charges against Russian hackers for cyberattacks against Ukraine.[42] Sandworm was specifically named in relation to December 2015 attacks on electrical utilities in western Ukraine and 2016 attacks on utilities in Kyiv in 2016.[42]

Ukrainian power grid attack (April 2022)

[edit]

In April 2022, Sandworm attempted a power blackout in Ukraine.[43] It is said to be the first attack in five years to use an Industroyer malware variant called Industroyer2.[44]

SwiftSlicer (January 2023)

[edit]

On 25 January 2023, ESET attributed an Active Directory vulnerability wiper to Sandworm.[45]

Infamous Chisel (August 2023)

[edit]

On 31 August 2023, the cybersecurity agencies of the US, UK, Canada, Australia, and New Zealand (collectively known as Five Eyes) jointly published a report on a new malware campaign and attributed it to Sandworm. The malware, dubbed "Infamous Chisel", targeted Android devices used by the Ukrainian military. After initial infection, the malware establishes persistent access then periodically collects and exfiltrates data from the compromised device. Collected information includes:

  • Device system information
  • Application data from many types of apps:
    • chat - Skype, Telegram, WhatsApp, Signal, Viber, Discord
    • browser - Opera, Brave, Firefox, Chrome
    • two-factor authentication (2FA) - Google Authenticator
    • VPN - OpenVPN, VPN Proxy Master
    • file sync - OneDrive, Dropbox
    • finance - Binance, PayPal, Trust Wallet, Google Wallet
  • Applications specific to the Ukrainian military

The malware also periodically collects open ports and banners of services running on other hosts on the local network. Additionally, an SSH server is created and configured to run as a Tor hidden service. An attacker could then connect remotely to the infected device without revealing their true IP address.[46]

Name

[edit]

The name "Sandworm" was dubbed by researchers at iSight Partners (now Mandiant) due to references in the malware source code to Frank Herbert's novel Dune.[47]

In 2024, given the active and persistent threats Sandworm posed to governments and critical infrastructure operators globally, Mandiant "graduated" Sandworm into an APT group, dubbing it APT44.[4]

See also

[edit]

Notes

[edit]
  1. ^ GRU officers indicted by the United States Department of Justice on 4 October 2018 include Oleg Mikhaylovich Sotnikov, 46, and Alexey Valerevich Minin, 46 and Military Unit 26165 personel Aleksei Sergeyevich Morenets, 41, Evgenii Mikhaylovich Serebriakov, 37, Ivan Sergeyevich Yermakov, 32, Artem Andreyevich Malyshev, 30, and Dmitriy Sergeyevich Badin, 27.[28] Military Unit 26165 is also known the GRU headquarters and is located at 20 Komsomolsky Prospekt in Moscow.[24]
  2. ^ The United States Department of State Diplomatic Security Service: Rewards for Justice is offering a reward of up to $10 million for information leading to the identification or location of the GRU officers Petr Nikolayevich Pliskin (Russian: Петр Николаевич Плискин), Artem Valeryevich Ochichenko (Russian: Артем Валерьевич Очиченко), Anatoliy Sergeyevich Kovalev (Russian: Анатолий Сергеевич Ковалев), Pavel Valeryevich Frolov (Russian: Павел Валерьевич Фролов), Sergey Vladimirovich Detistov (Russian: Сергей Владимирович Детистов) and Yuriy Sergeyevich Andrienko (Russian: Юрий Сергеевич Андриенко) of the Main Center for Technologies Special Forces of the GRU Russian Ground Forces (Unit 74455) which is associated with "Sandworm Team," Telebots," "Voodoo Bear," and "Iron Viking."[32][33][34][35][36][37]

References

[edit]
  1. ^ Adam Meyers (29 January 2018). "VOODOO BEAR | Threat Actor Profile | CrowdStrike". Crowdstrike.
  2. ^ a b c "UK exposes series of Russian cyber attacks against Olympic and Paralympic Games". National Cyber Security Centre. 19 October 2020.
  3. ^ Greenberg, Andy (2019). Sandworm: a new era of cyberwar and the hunt for the Kremlin's most dangerous hackers. Knopf Doubleday. ISBN 978-0-385-54441-2.
  4. ^ a b "APT44: Unearthing Sandworm" (PDF). Retrieved 12 September 2024.
  5. ^ "How Microsoft names threat actors". Microsoft. Retrieved 21 January 2024.
  6. ^ a b c d "Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace". DOJ Office of Public Affairs. United States Department of Justice. 19 October 2020. Retrieved 23 July 2021.
  7. ^ Timberg, Craig; Nakashima, Ellen; Munzinger, Hannes; Tanriverdi, Hakan (30 March 2023). "Secret trove offers rare look into Russian cyberwar ambitions". The Washington Post. Retrieved 31 March 2023.
  8. ^ "Russia's FSB malign activity: factsheet: Cyber operations and the Russian intelligence services". National Cyber Security Centre (NCSC) and Foreign, Commonwealth and Development Office. 7 December 2023. Archived from the original on 8 December 2023. Retrieved 18 October 2024.
  9. ^ "Hackers shut down Ukraine power grid". www.ft.com. 5 January 2016. Retrieved 28 October 2020.
  10. ^ Volz, Dustin (25 February 2016). "U.S. government concludes cyber attack caused Ukraine power outage". Reuters. Retrieved 28 October 2020.
  11. ^ Hern, Alex (7 January 2016). "Ukrainian blackout caused by hackers that attacked media company, researchers say". The Guardian. ISSN 0261-3077. Retrieved 28 October 2020.
  12. ^ "The Untold Story of NotPetya, the Most Devastating Cyberattack in History". Wired. ISSN 1059-1028. Retrieved 28 October 2020.
  13. ^ a b Greenberg, Andy. "Inside Olympic Destroyer, the Most Deceptive Hack in History". Wired. ISSN 1059-1028. Retrieved 28 October 2020.
  14. ^ Andrew S. Bowen (24 November 2020). Russian Military Intelligence: Background and Issues for Congress (PDF) (Report). Congressional Research Service. p. 16. Retrieved 21 July 2021.
  15. ^ Stephen Ward (14 October 2014). "iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign". Archived from the original on 14 October 2014. Retrieved 5 November 2023.
  16. ^ Hultquist, John (7 January 2016). "Sandworm Team and the Ukrainian Power Authority Attacks". iSIGHT Partners. Archived from the original on 29 January 2016.
  17. ^ Joe Slowik (15 August 2019). "CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack" (PDF). Dragos Inc.
  18. ^ Warren Mercer (12 February 2018). "Olympic Destroyer Takes Aim At Winter Olympics". Cisco Talos.
  19. ^ Rascagneres, Paul; Lee, Martin (26 February 2018). "Who Wasn't Responsible for Olympic Destroyer?". Cisco Talos.
  20. ^ Jay Rosenberg (12 February 2018). "2018 Winter Cyber Olympics: Code Similarities with Cyber Attacks in Pyeongchang". Archived from the original on 30 June 2020.
  21. ^ Kaspersky GReAT Team (8 March 2018). "OlympicDestroyer is here to trick the industry". Archived from the original on 31 January 2019.
  22. ^ Kaspersky GReAT Team (8 March 2018). "The devil's in the Rich header". Archived from the original on 22 February 2019.
  23. ^ Рождественский, Илья (Rozhdestvensky, Ilya) (4 September 2024). "Часть IV: Кадры решают всё. Что за люди служат в ГРУ?" [Part IV: Cadres Decide Everything. What Kind of People Serve in the GRU?]. Центра «Досье» (dossier.center) (in Russian). Archived from the original on 28 August 2025. Retrieved 2 September 2025.{{cite news}}: CS1 maint: multiple names: authors list (link)
  24. ^ a b "Западные спецслужбы раскрыли четырех ГРУ-шников, взломавших лабораторию ОЗХО и JIT" [Western intelligence agencies uncovered four GRU officers who hacked into the OPCW and JIT laboratory]. The Insider (theins.ru) (in Russian). 4 October 2018. Archived from the original on 17 August 2025. Retrieved 2 September 2025.
  25. ^ "В московском таксопарке рассказали о поездке предполагаемого агента ГРУ" [A Moscow taxi company told about the trip of an alleged GRU agent]. «РБК» (www.rbc.ru) (in Russian). 4 October 2018. Archived from the original on 29 July 2025. Retrieved 2 September 2025.
  26. ^ Девяткина, Маргарита (Devyatkina, Margarita); Солопов, Максим (Solopov, Maxim); Кокорева, Мария (Kokoreva, Maria); Костина, Екатерина (Kostina, Ekaterina) (4 October 2018). "Минобороны Нидерландов назвало имена высланных россиян: Этих людей военное ведомство подозревает в попытке совершить кибератаку на серверы Организации по запрещению химического оружия" [The Ministry of Defense of the Netherlands named the names of the expelled Russians: The military department suspects these people of trying to carry out a cyberattack on the servers of the Organization for the Prohibition of Chemical Weapons]. «РБК» (www.rbc.ru) (in Russian). Archived from the original on 29 July 2025. Retrieved 2 September 2025.{{cite news}}: CS1 maint: multiple names: authors list (link)
  27. ^ Сапронова, Юлия (Sapronova, Yulia) (4 October 2018). "Скандал с обвинениями россиян в хакерских атаках. Минобороны Нидерландов рассказало, что в апреле 2018 года из страны за попытку взлома серверов ОЗХО были высланы четверо россиян. Случившееся может стать поводом для новых санкций против России. Главное — в обзоре РБК" [Scandal with accusations of Russians in hacker attacks. The Ministry of Defense of the Netherlands said that in April 2018, four Russians were expelled from the country for attempting to hack the OPCW servers. The incident may become a reason for new sanctions against Russia. The main thing is in the RBC review]. «РБК» (www.rbc.ru) (in Russian). Archived from the original on 16 June 2025. Retrieved 2 September 2025.{{cite news}}: CS1 maint: multiple names: authors list (link)
  28. ^ a b "U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations". United States Department of Justice. 4 October 2018. Archived from the original on 15 June 2025. Retrieved 2 September 2025.
  29. ^ Cimpanu, Catalin. "US charges Russian hackers behind NotPetya, KillDisk, OlympicDestroyer attacks". ZDNet. Retrieved 28 October 2020.
  30. ^ "Russian cyber-attack spree shows what unrestrained internet warfare looks like". The Guardian. 19 October 2020. Retrieved 28 October 2020.
  31. ^ "US Indicts Sandworm, Russia's Most Destructive Cyberwar Unit". Wired. ISSN 1059-1028. Retrieved 28 October 2020.
  32. ^ "Petr Nikolayevich Pliskin". United States Department of State Diplomatic Security Service: Rewards for Justice. Archived from the original on 9 October 2024. Retrieved 9 October 2024.
  33. ^ "Artem Valeryevich Ochichenko". United States Department of State Diplomatic Security Service: Rewards for Justice. Archived from the original on 9 October 2024. Retrieved 9 October 2024.
  34. ^ "Anatoliy Sergeyevich Kovalev". United States Department of State Diplomatic Security Service: Rewards for Justice. Archived from the original on 9 October 2024. Retrieved 9 October 2024.
  35. ^ "Pavel Valeryevich Frolov". United States Department of State Diplomatic Security Service: Rewards for Justice. Archived from the original on 9 October 2024. Retrieved 9 October 2024.
  36. ^ "Sergey Vladimirovich Detistov". United States Department of State Diplomatic Security Service: Rewards for Justice. Archived from the original on 9 October 2024. Retrieved 9 October 2024.
  37. ^ "Yuriy Sergeyevich Andrienko". United States Department of State Diplomatic Security Service: Rewards for Justice. Archived from the original on 9 October 2024. Retrieved 9 October 2024.
  38. ^ Satnam Narang (6 June 2019). "CVE-2019-10149: Critical Remote Command Execution Vulnerability Discovered In Exim". Retrieved 4 November 2023.
  39. ^ "Exim Mail Transfer Agent Actively Exploited by Russian GRU Cyber Actors". National Security Agency. Archived from the original on 24 March 2023.
  40. ^ Hardcastle, Jessica Lyons. "Cyclops Blink malware sets up shop in ASUS routers". www.theregister.com. Retrieved 21 March 2022.
  41. ^ "CISA Adds Eight Known Exploited Vulnerabilities to Catalog | CISA". www.cisa.gov. 11 April 2022. Retrieved 13 April 2022.
  42. ^ a b c Greenberg, Andy (12 May 2022). "The Case for War Crimes Charges Against Russia's Sandworm Hackers". Wired. Retrieved 7 July 2022.
  43. ^ Greenberg, Andy. "Russia's Sandworm Hackers Attempted a Third Blackout in Ukraine". Wired. ISSN 1059-1028. Retrieved 13 April 2022.
  44. ^ "Industroyer2: Industroyer reloaded". www.welivesecurity.com. Retrieved 13 April 2022.
  45. ^ Živé.sk (27 January 2023). "Na Ukrajine maže počítače nový trójsky kôň. Hackeri majú byť prepojení na Rusko". Živé.sk (in Slovak). Retrieved 27 January 2023.
  46. ^ "Infamous Chisel Malware Analysis Report". Cybersecurity & Infrastructure Security Agency. 31 August 2023. Retrieved 6 November 2023.
  47. ^ Kim Zetter (14 October 2014). "Russian 'Sandworm' Hack Has Been Spying on Foreign Governments for Years". Wired. Archived from the original on 14 October 2014.

Further reading

[edit]
[edit]
Hub tags