Sandworm (hacker group)

Last updated

Sandworm
Formationc. 2004–2007
Type Advanced persistent threat
Purpose Cyberespionage, cyberwarfare
Headquarters22 Kirova Street
Khimki, Russia
Region
Russia
Methods Zero-days, spearphishing, malware
Official language
Russian
Parent organization
 GRU
Affiliations Fancy Bear
Formerly called
Voodoo Bear [1]
Iron Viking [2]
Telebots [2]

Sandworm is an advanced persistent threat operated by Military Unit 74455, a cyberwarfare unit of the GRU, Russia's military intelligence service. [3] Other names for the group, given by cybersecurity researchers, include Telebots, Voodoo Bear, IRIDIUM, Seashell Blizzard, [4] and Iron Viking. [5] [6]

Contents

The team is believed to be behind the December 2015 Ukraine power grid cyberattack, [7] [8] [9] the 2017 cyberattacks on Ukraine using the NotPetya malware, [10] various interference efforts in the 2017 French presidential election, [5] and the cyberattack on the 2018 Winter Olympics opening ceremony. [11] [12] Then-United States Attorney for the Western District of Pennsylvania Scott Brady described the group's cyber campaign as "representing the most destructive and costly cyber-attacks in history." [5]

History

2014

On September 3, 2014 iSIGHT Partners (now Trellix) discovered a spear-phishing campaign exploiting a zero-day vulnerability via weaponized Microsoft Office documents. The vulnerability, dubbed CVE-2014-4114, affected all versions of Windows from Vista to 8.1 and allowed attackers to execute arbitrary code on a target machine. Researchers were able to attribute the attack to the Sandworm group and observed that the Ukrainian government was one target of the campaign. Notably, this attack coincided with a NATO summit on Ukraine in Wales. [13]

2015 Ukraine power grid hack

On December 23, 2015, hackers launched a coordinated cyberattack against 3 energy companies in Ukraine and succeeded in temporarily disrupting the supply of electricity to about 230,000 Ukrainians for 1-6 hours.

In January, iSight Partners released a report linking the attack to Sandworm based on the usage of BlackEnergy 3. [14]

2016 Ukraine power grid hack

On December 17, 2016, a year after the previous power grid attack, hackers again disrupted the Ukrainian power grid with a cyber attack. About one fifth of Kyiv lost power for an hour. While the outage was ultimately short, a report released 3 years after the attack by security firm Dragos outlines a theory that the malware, known as Industroyer or CRASHOVERRIDE, was meant to destroy physical electrical equipment. By exploiting a known vulnerability in the protective relays, the malware may have been designed to obfuscate any safety issues such that when engineers worked to restore power, an overload of current would be sent to destroy transformers or power lines. Such destruction would have led to a much longer power outage as well as potentially harmed utility workers if it had succeeded. [15]

2018 Winter Olympics

On February 9, 2018 during the opening ceremony of the Winter Olympics in Pyeongchang, South Korea hackers launched a cyberattack and successfully disrupted IT infrastructure including WiFi, TVs around the Pyeongchang Olympic Stadium showing the ceremony, RFID-based security gates, and the official Olympics app which was used for digital ticketing. Staff were able to restore most critical functions before the opening ceremony was over, but the entire network had to be rebuilt from scratch. Wiper malware had wormed through every domain controller and rendered them inoperable. [11]

3 days later Cisco Talos published a report dubbing the malware "Olympic Destroyer". The report listed similarities in the malware's propogation techniques to the "BadRabbit" and "Nyetya" malware strains and stated disruption of the games as the attack's objective. [16]

Attribution of the Olympic Destroyer malware proved difficult as it appeared the author(s) had included code samples belonging to multiple threat actors as false flags. Intezer published a report on Feb 12 showing code similarities to samples attributed to 3 Chinese threat actors while a follow-up Talos report noted a "weak" clue pointing to another wiper created by a spinoff of the Lazarus Group, a North Korean APT. [17] [18]

The Kaspersky GReAT team on March 8 published 2 blog posts discussing the current industry theories and their own original research. In the technical article Kaspersky, a Russian company, showed in detail how they discovered file headers pointing to Lazarus Group were forged but stopped short of attributing the Olympic Destroyer malware to any non-North Korean group. [19] [20]

US Indictment (2020)

FBI wanted poster listing 6 Russian military officers indicted for cyber crimes. FBI GRU Sandworm Wanted Poster.pdf
FBI wanted poster listing 6 Russian military officers indicted for cyber crimes.

On 19 October 2020, a US-based grand jury released an indictment charging six alleged Unit 74455 officers with cybercrimes. [21] [22] [23] The officers, Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin, were all individually charged with conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft. Five of the six were accused of overtly developing hacking tools, while Ochichenko was accused of participating in spearphishing attacks against the 2018 Winter Olympics and conducting technical reconnaissance on and attempting to hack the official domain of the Parliament of Georgia. [5]

Concurrent with the US indictment announcement, the UK's National Cyber Security Centre (NCSC) published a report which publicly associated Sandworm with the 2018 Winter Olympics attack. [2]

Exim Exploitation (2020)

On May 28, 2020 the National Security Agency published a cybersecurity advisory warning that the Sandworm group was actively exploiting a remote code execution vulnerability (referred to as CVE-2019-10149) in Exim [24] to gain full control of mail servers. [25] At the time the advisory was published, an updated version of Exim had been available for a year and the NSA urged administrators to patch their mail servers.

In February 2022, Sandworm allegedly released the Cyclops Blink as malware. The malware is similar to VPNFilter. [26] The malware allows a botnet to be constructed, and affects Asus routers and WatchGuard Firebox and XTM appliances. CISA issued a warning about this malware. [27]

War Crimes Request (March 2022)

In late March 2022, human rights investigators and lawyers in the UC Berkeley School of Law sent a formal request to the Prosecutor of the International Criminal Court in The Hague. [28] They urged the International Criminal Court to consider war crimes charges against Russian hackers for cyberattacks against Ukraine. [28] Sandworm was specifically named in relation to December 2015 attacks on electrical utilities in western Ukraine and 2016 attacks on utilities in Kyiv in 2016. [28]

Ukrainian Power Grid Attack (April 2022)

In April 2022, Sandworm attempted a blackout in Ukraine. [29] It is said to be the first attack in five years to use an Industroyer malware variant called Industroyer2. [30]

SwiftSlicer (January 2023)

On 25 January 2023, ESET attributed an Active Directory vulnerability wiper to Sandworm. [31]

Infamous Chisel (August 2023)

On August 31, 2023, the cybersecurity agencies of the US, UK, Canada, Australia, and New Zealand (collectively known as Five Eyes) jointly published a report on a new malware campaign and attributed it to Sandworm. The malware, dubbed "Infamous Chisel", targeted Android devices used by the Ukrainian military. After initial infection, the malware establishes persistent access then periodically collects and exfiltrates data from the compromised device. Collected information includes:

The malware also periodically collects open ports and banners of services running on other hosts on the local network. Additionally, an SSH server is created and configured to run as a Tor hidden service. An attacker could then connect remotely to the infected device without revealing their true IP address. [32]

Name

The name "Sandworm" was dubbed by researchers at iSight Partners (now Trellix) due to references in the malware source code to Frank Herbert's novel Dune. [33]

See also

Related Research Articles

<span class="mw-page-title-main">ESET</span> Slovak internet security company

ESET, s.r.o., is a software company specializing in cybersecurity. ESET's security products are made in Europe and provide security software in over 200 countries and territories worldwide. Its software is localized into more than 30 languages.

<span class="mw-page-title-main">Cyberwarfare</span> Use of digital attacks against a nation

Cyberwarfare is the use of cyber attacks against an enemy state, causing comparable harm to actual warfare and/or disrupting vital computer systems. Some intended outcomes could be espionage, sabotage, propaganda, manipulation or economic warfare.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

Cyberwarfare by Russia includes denial of service attacks, hacker attacks, dissemination of disinformation and propaganda, participation of state-sponsored teams in political blogs, internet surveillance using SORM technology, persecution of cyber-dissidents and other active measures. According to investigative journalist Andrei Soldatov, some of these activities were coordinated by the Russian signals intelligence, which was part of the FSB and formerly a part of the 16th KGB department. An analysis by the Defense Intelligence Agency in 2017 outlines Russia's view of "Information Countermeasures" or IPb as "strategically decisive and critically important to control its domestic populace and influence adversary states", dividing 'Information Countermeasures' into two categories of "Informational-Technical" and "Informational-Psychological" groups. The former encompasses network operations relating to defense, attack, and exploitation and the latter to "attempts to change people's behavior or beliefs in favor of Russian governmental objectives."

<span class="mw-page-title-main">Kaspersky Lab</span> Russian multinational cybersecurity and anti-virus provider

Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky and Alexey De-Monderik. Kaspersky Lab develops and sells antivirus, internet security, password management, endpoint security, and other cybersecurity products and services.

A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, personal computer devices, or smartphones. An attacker is a person or process that attempts to access data, functions, or other restricted areas of the system without authorization, potentially with malicious intent. Depending on the context, cyberattacks can be part of cyber warfare or cyberterrorism. A cyberattack can be employed by sovereign states, individuals, groups, societies or organizations and it may originate from an anonymous source. A product that facilitates a cyberattack is sometimes called a cyber weapon. Cyberattacks have increased over the last few years. A well-known example of a cyberattack is a distributed denial of service attack (DDoS).

<span class="mw-page-title-main">Andy Greenberg</span> American technology journalist

Andy Greenberg is a technology journalist serving as a senior writer at Wired magazine. He previously worked as a staff writer at Forbes magazine and as a contributor for Forbes.com. He has published the books This Machine Kills Secrets concerning whistleblowing, Sandworm, concerning the eponymous hacking group, and Tracers in the Dark, concerning cryptocurrency tracing as a law enforcement investigative technique.

Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Security Service (AIVD) deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR), a view shared by the United States. Cybersecurity firm CrowdStrike also previously suggested that it may be associated with either the Russian Federal Security Service (FSB) or SVR. The group has been given various nicknames by other cybersecurity firms, including CozyCar, CozyDuke, Dark Halo, The Dukes, Midnight Blizzard, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM.

Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them between 2010 and 2021. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and ZINC or Diamond Sleet. According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.

CrowdStrike Holdings, Inc. is an American cybersecurity technology company based in Austin, Texas. It provides cloud workload and endpoint security, threat intelligence, and cyberattack response services. The company has been involved in investigations of several high-profile cyberattacks, including the 2014 Sony Pictures hack, the 2015–16 cyber attacks on the Democratic National Committee (DNC), and the 2016 email leak involving the DNC.

On December 23, 2015, the power grid in two western oblasts of Ukraine was hacked, which resulted in power outages for roughly 230,000 consumers in Ukraine for 1-6 hours. The attack took place during the ongoing Russo-Ukrainian War (2014-present) and is attributed to a Russian advanced persistent threat group known as "Sandworm". It is the first publicly acknowledged successful cyberattack on a power grid.

<span class="mw-page-title-main">Petya (malware family)</span> Family of encrypting ransomware discovered in 2016

Petya is a family of encrypting malware that was first discovered in 2016. The malware targets Microsoft Windows–based systems, infecting the master boot record to execute a payload that encrypts a hard drive's file system table and prevents Windows from booting. It subsequently demands that the user make a payment in Bitcoin in order to regain access to the system.

<span class="mw-page-title-main">2017 Ukraine ransomware attacks</span> Series of powerful cyberattacks using the Petya malware

A series of powerful cyberattacks using the Petya malware began on 27 June 2017 that swamped websites of Ukrainian organizations, including banks, ministries, newspapers and electricity firms. Similar infections were reported in France, Germany, Italy, Poland, Russia, United Kingdom, the United States and Australia. ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit with about 9%. On 28 June 2017, the Ukrainian government stated that the attack was halted. On 30 June 2017, the Associated Press reported experts agreed that Petya was masquerading as ransomware, while it was actually designed to cause maximum damage, with Ukraine being the main target.

Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016. The attack cut a fifth of Kyiv, the capital, off power for one hour and is considered to have been a large-scale test. The Kyiv incident was the second cyberattack on Ukraine's power grid in two years. The first attack occurred on December 23, 2015. Industroyer is the first ever known malware specifically designed to attack electrical grids. At the same time, it is the fourth malware publicly revealed to target industrial control systems, after Stuxnet, Havex, and BlackEnergy.

Cisco Talos, or Cisco Talos Intelligence Group, is a cybersecurity technology and information security company based in Fulton, Maryland. It is a part of Cisco Systems Inc. Talos' threat intelligence powers Cisco Secure products and services, including malware detection and prevention systems. Talos provides Cisco customers and internet users with customizable defensive technologies and techniques through several of their own open-source products, including the Snort intrusion prevention system and ClamAV anti-virus engine.

<span class="mw-page-title-main">Russo-Ukrainian cyberwarfare</span> Informatic component of the confrontation between Russia and Ukraine

Cyberwarfare is a component of the confrontation between Russia and Ukraine since the Revolution of Dignity in 2013-2014. While the first attacks on information systems of private enterprises and state institutions of Ukraine were recorded during mass protests in 2013, Russian cyberweapon Uroburos had been around since 2005. Russian cyberwarfare continued with the 2015 Ukraine power grid hack at Christmas 2015 and again in 2016, paralysis of the State Treasury of Ukraine in December 2016, a Mass hacker supply-chain attack in June 2017 and attacks on Ukrainian government websites in January 2022.

A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. Attackers typically install a backdoor that allows the attacker full access to impacted servers even if the server is later updated to no longer be vulnerable to the original exploits. As of 9 March 2021, it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom, as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF).

<span class="mw-page-title-main">IT Army of Ukraine</span> Ukrainian cyberwarfare volunteer group

The IT Army of Ukraine is a volunteer cyberwarfare organisation created at the end of February 2022 to fight against digital intrusion of Ukrainian information and cyberspace after the beginning of the Russian invasion of Ukraine on February 24, 2022. The group also conducts offensive cyberwarfare operations, and Chief of Head of State Special Communications Service of Ukraine Victor Zhora said its enlisted hackers would only attack military targets.

Cyclops Blink is malicious Linux ELF executable, compiled for the 32-bit PowerPC architecture. It targeted routers and firewall devices from WatchGuard and ASUS and adds them to a botnet for command and control (C&C). The malware is reported to be originated from the hacker group Sandworm.

Pipedream is a software framework for malicious code targeting programmable logic controllers (PLCs) and industrial control systems (ICS). First publicly disclosed in 2022, it has been described as a "Swiss Army knife" for hacking. It is believed to have been developed by state-level Advanced Persistent Threat actors.

References

  1. Adam Meyers (29 January 2018). "VOODOO BEAR | Threat Actor Profile | CrowdStrike". Crowdstrike.
  2. 1 2 3 "UK exposes series of Russian cyber attacks against Olympic and Paralympic Games". National Cyber Security Centre. 19 October 2020.
  3. Greenberg, Andy (2019). Sandworm: a new era of cyberwar and the hunt for the Kremlin's most dangerous hackers. Knopf Doubleday. ISBN   978-0-385-54441-2.
  4. "How Microsoft names threat actors". Microsoft. Retrieved 21 January 2024.
  5. 1 2 3 4 "Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace". DOJ Office of Public Affairs. United States Department of Justice. 19 October 2020. Retrieved 23 July 2021.
  6. Timberg, Craig; Nakashima, Ellen; Munzinger, Hannes; Tanriverdi, Hakan (30 March 2023). "Secret trove offers rare look into Russian cyberwar ambitions". The Washington Post . Retrieved 31 March 2023.
  7. "Hackers shut down Ukraine power grid". www.ft.com. 5 January 2016. Retrieved 28 October 2020.
  8. Volz, Dustin (25 February 2016). "U.S. government concludes cyber attack caused Ukraine power outage". Reuters. Retrieved 28 October 2020.
  9. Hern, Alex (7 January 2016). "Ukrainian blackout caused by hackers that attacked media company, researchers say". The Guardian. ISSN   0261-3077 . Retrieved 28 October 2020.
  10. "The Untold Story of NotPetya, the Most Devastating Cyberattack in History". Wired. ISSN   1059-1028 . Retrieved 28 October 2020.
  11. 1 2 Greenberg, Andy. "Inside Olympic Destroyer, the Most Deceptive Hack in History". Wired. ISSN   1059-1028 . Retrieved 28 October 2020.
  12. Andrew S. Bowen (24 November 2020). Russian Military Intelligence: Background and Issues for Congress (PDF) (Report). Congressional Research Service. p. 16. Retrieved 21 July 2021.
  13. Stephen Ward (14 October 2014). "iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign". Archived from the original on 14 October 2014. Retrieved 5 November 2023.
  14. Hultquist, John (7 January 2016). "Sandworm Team and the Ukrainian Power Authority Attacks". iSIGHT Partners. Archived from the original on 29 January 2016.
  15. Joe Slowik (15 August 2019). "CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack" (PDF). Dragos Inc.
  16. Warren Mercer (12 February 2018). "Olympic Destroyer Takes Aim At Winter Olympics". Cisco Talos.
  17. Rascagneres, Paul; Lee, Martin (26 February 2018). "Who Wasn't Responsible for Olympic Destroyer?". Cisco Talos.
  18. Jay Rosenberg (12 February 2018). "2018 Winter Cyber Olympics: Code Similarities with Cyber Attacks in Pyeongchang". Archived from the original on 30 June 2020.
  19. Kaspersky GReAT Team (8 March 2018). "OlympicDestroyer is here to trick the industry". Archived from the original on 31 January 2019.
  20. Kaspersky GReAT Team (8 March 2018). "The devil's in the Rich header". Archived from the original on 22 February 2019.
  21. Cimpanu, Catalin. "US charges Russian hackers behind NotPetya, KillDisk, OlympicDestroyer attacks". ZDNet. Retrieved 28 October 2020.
  22. "Russian cyber-attack spree shows what unrestrained internet warfare looks like". The Guardian. 19 October 2020. Retrieved 28 October 2020.
  23. "US Indicts Sandworm, Russia's Most Destructive Cyberwar Unit". Wired. ISSN   1059-1028 . Retrieved 28 October 2020.
  24. Satnam Narang (6 June 2019). "CVE-2019-10149: Critical Remote Command Execution Vulnerability Discovered In Exim" . Retrieved 4 November 2023.
  25. "Exim Mail Transfer Agent Actively Exploited by Russian GRU Cyber Actors". National Security Agency. Archived from the original on 24 March 2023.
  26. Hardcastle, Jessica Lyons. "Cyclops Blink malware sets up shop in ASUS routers". www.theregister.com. Retrieved 21 March 2022.
  27. "CISA Adds Eight Known Exploited Vulnerabilities to Catalog | CISA". www.cisa.gov. 11 April 2022. Retrieved 13 April 2022.
  28. 1 2 3 Greenberg, Andy (12 May 2022). "The Case for War Crimes Charges Against Russia's Sandworm Hackers". Wired . Retrieved 7 July 2022.
  29. Greenberg, Andy. "Russia's Sandworm Hackers Attempted a Third Blackout in Ukraine". Wired. ISSN   1059-1028 . Retrieved 13 April 2022.
  30. "Industroyer2: Industroyer reloaded". www.welivesecurity.com. Retrieved 13 April 2022.
  31. Živé.sk (27 January 2023). "Na Ukrajine maže počítače nový trójsky kôň. Hackeri majú byť prepojení na Rusko". Živé.sk (in Slovak). Retrieved 27 January 2023.
  32. "Infamous Chisel Malware Analysis Report". Cybersecurity & Infrastructure Security Agency. 31 August 2023. Retrieved 6 November 2023.
  33. Kim Zetter (14 October 2014). "Russian 'Sandworm' Hack Has Been Spying on Foreign Governments for Years". Wired. Archived from the original on 14 October 2014.

Further reading

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.