Introduction
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455 [2][3]. This group has been active since at least 2009 [4][5][6][7]. In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019 [2][3]. Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28 [8].
Activities and Tactics
Targeted Sectors: Electric, Energy, Industrial, Private sector, Government
Country of Origin: 🇷🇺 Russia
First Seen: 2014
Last Activity: 2015
Incident Type: Espionage
Suspected Victims: Russia, Lithuania, Kyrgyzstan, Israel, Ukraine, Belarus, Kazakhstan, Georgia, Poland, Azerbaijan…
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No atomic indicators are listed in this profile. The APTnotes snapshot indexes 2 public reports that may contain IOCs; see Source Attribution for dataset links.
Malware and Tools
- CyberGate
- Cyber Eye RAT
Attribution and Evidence
Country of Origin: Russia
Additional attribution information pending cataloguing.
References
[1] MITRE ATT&CK entry
[2] US District Court Indictment GRU Unit 74455 October 2020
[3] UK NCSC Olympic Attacks October 2020
[4] iSIGHT Sandworm 2014
[5] CrowdStrike VOODOO BEAR
[6] USDOJ Sandworm Feb 2020
[7] NCSC Sandworm Feb 2020
[8] US District Court Indictment GRU Oct 2018