Cyble analyzes Sandworm, an APT group with known ties to the Russian military, breaking down its tactics, targets, and tools utilized by this potent threat.
The Sandworm APT group is a destructive cyber threat group linked to Russia’s GRU military unit 74455. In October 2020, six officers from this unit were indicted by the US for a series of high-profile cyberattacks: the 2015 and 2016 assaults on Ukrainian electrical grids, the 2017 global NotPetya attack, interference in the 2017 French presidential campaign, the Olympic Destroyer cyber attack during the 2018 Winter Olympics, and operations against the OPCW and Georgia from 2018 to 2019, often collaborating with APT28.
Unlike most Russian state-backed threat groups, which usually focus on a specific mission, Sandworm is a uniquely versatile threat actor. It engages across the entire spectrum of cyber espionage, attacks, and influence operations. These activities encompass the full range of special operations typically executed by the GRU’s Information Operation Troops (VIO), to which Sandworm is likely subordinated. As such, Sandworm exemplifies the concept of information confrontation (IPb) that forms the foundation of Russia’s modern cyber forces.
With Russia’s full-scale invasion in its third year, Sandworm remains a formidable threat to Ukraine. Yet the threat posed by Sandworm is far from limited to Ukraine. Researchers continue to see operations from the group that are global in scope in key political, military, and economic hotspots for Russia. Additionally, with a record number of people participating in national elections in 2024, Sandworm’s history of attempting to interfere in democratic processes further elevates the severity of the threat the group may pose in the near term.
Country of Origin
Sandworm is a Russian state-sponsored cyber espionage group with ties to the GRU, specifically the unit known as Unit 74455.
Targeted Countries
Sandworm is recognized for its extensive cyber espionage endeavors, which encompass a diverse array of countries and regions. These include Azerbaijan, Belarus, Denmark, France, Georgia, Iran, Israel, Kazakhstan, Kyrgyzstan, Lithuania, Poland, Russia, Ukraine.
Aliases
APT 44, Iron Viking, CTG-7263, Voodoo Bear, Quedagh, TEMP.Noble, ATK 14, BE2, UAC-0082, UAC-0113, FROZENBARENTS, IRIDIUM and Seashell Blizzard.
Targeted Sectors
- Education
- Energy
- Government
- Defence
- Industrial
- Telecommunications
- Critical Infrastructure
- Media
- Civil society organizations
Links to Other APTs
Researchers suspect that Sandworm may be linked to TeleBots.
Sandworm Lifecycle
APT44 is a highly advanced adversary known for its diverse initial access methods, including phishing, vulnerability exploitation, and supply chain compromises. The group often targets edge infrastructure, such as routers and VPNs, to gain footholds for activities like reconnaissance, data theft, and wiper malware deployment. APT44 employs living-off-the-land (LOTL) techniques for persistence and favors open-source or criminally sourced tools over custom malware. Operating with high security, APT44 adapts to avoid detection, leveraging criminal marketplaces to sustain its offensive capabilities.
Initial Infection
APT44 is a highly advanced adversary known for its diverse initial access methods, including phishing, vulnerability exploitation, and supply chain compromises. To gain footholds, the group often targets edge infrastructure, such as routers and VPNs.
Phishing
Sandworm, known by Google as “FrozenBarents,” has been targeting the European energy sector since November 2022, notably attacking the Caspian Pipeline Consortium (CPC). Sandworm employs a range of tactics, including phishing websites, emails, and online personas, to lure victims. The group has launched numerous phishing campaigns using spoofed “Ukroboronprom” websites to target Ukrainian defense industry workers, Ukr.net users, and even Ukrainian Telegram channels. Additionally, Sandworm creates online personas to spread disinformation on platforms like YouTube and Telegram, often leaking stolen data from their phishing or network intrusions.

Figure 1 – Phishing website for Caspian Pipeline Consortium (Source: Google)
Exploited Vulnerabilities
The Sandworm group has exploited various vulnerabilities in its campaigns. Sandworm Team has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and in Microsoft Word using crafted TIFF images (CVE-2013-3906) to gain further access.
Some important vulnerabilities targeted are:
- CVE-2023-28771: Zyxel Multiple Firewalls OS Command Injection Vulnerability.
- CVE-2023-33009: Zyxel Multiple Firewalls Buffer Overflow Vulnerability.
- CVE-2023-33010: Zyxel Multiple Firewalls Buffer Overflow Vulnerability.
- CVE-2022-30190: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.
- CVE-2021-4034: Red Hat Polkit Out-of-Bounds Read and Write Vulnerability.
- CVE-2019-10149: Exim Mail Transfer Agent (MTA) Improper Input Validation.
- CVE-2014-4114: Microsoft Windows Object Linking & Embedding (OLE) Remote Code Execution Vulnerability.
- CVE-2014-0751: Directory traversal vulnerability in CimWebServer.exe (aka the WebView component) in GE Intelligent Platforms Proficy HMI/SCADA.
Execution and Persistence
Sandworm employs various techniques to execute malware and maintain persistence on target systems. They scheduled Industroyer2 to disrupt power in a Ukrainian region and concurrently set up CaddyWiper on the same machine to erase traces of Industroyer2. Additionally, attackers executed code on the firewall to retrieve its configuration and current usernames.
Sandworm maintained persistence on infected systems by encrypting its configuration in the Windows registry and setting up tasks or registry entries for automatic execution. Additionally, persistence is achieved through a dropper that creates a scheduled task or adds an entry in the “Run” branch of the registry. On Linux systems, they modify Cron to insert rogue jobs for persistence. Additionally, the attackers compromised a web server within the target organization, uploading a webshell to ensure continuous access.
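The persistence mechanisms described above (Run-key entries, scheduled tasks, rogue cron jobs and a webshell dropped into a webroot) all leave host telemetry that a defender can match. The following is an added detection example written for this article, not Cyble's or any vendor's code; the event records are constructed in a simplified Sysmon-like shape (an assumption about how registry, process and file events would be normalized), and the path allowlists are illustrative.

```python
"""Flag host telemetry matching the persistence techniques described above:
Run-key writes, scheduled-task creation, cron edits and webshell drops.
Added example; event records are constructed, not real Sysmon output."""
import re
from dataclasses import dataclass

# Constructed sample events (assumption: a real pipeline would map Sysmon
# EventID 13 / 1 / 11 into this registry_set / process_create / file_create shape).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\Public\svchost.exe", "image": r"C:\Users\Public\dropper.exe"},
    {"host": "ws01", "type": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc onlogon /tn "Sync" /tr C:\Users\Public\svchost.exe /ru SYSTEM'},
    {"host": "srv02", "type": "file_create", "path": "/etc/cron.d/.sysupdate",
     "image": "/bin/bash"},
    {"host": "web01", "type": "file_create", "path": "/var/www/html/uploads/img.php",
     "image": "/usr/sbin/apache2"},
    {"host": "ws01", "type": "registry_set",   # benign: vendor installer writing its own Run key
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "image": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe"},
    {"host": "srv02", "type": "process_create", "image": "/usr/bin/crontab",
     "cmdline": "crontab /tmp/.c"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
CRON_PATHS = ("/etc/cron", "/var/spool/cron")
WEBSHELL_EXT = (".php", ".jsp", ".aspx", ".asp")
WEBROOTS = ("/var/www/", "/srv/http/")
# Writable, user-controlled directories that legitimate autostart entries rarely point into.
UNTRUSTED_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\programdata\\")


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    detail: str


def _untrusted(path: str) -> bool:
    return any(d in path.lower() for d in UNTRUSTED_DIRS)


def check_event(ev):
    """Return a Finding if the event matches one of the persistence patterns, else None."""
    t = ev["type"]
    if t == "registry_set" and RUN_KEY.search(ev["key"]):
        # Run-key writes are common and often legitimate; only flag values or
        # writers that live in user-controlled directories.
        if _untrusted(ev["value"]) or _untrusted(ev.get("image", "")):
            return Finding(ev["host"], "run_key", f'{ev["key"]} -> {ev["value"]}')
    if t == "process_create":
        cmd = ev.get("cmdline", "").lower()
        if ev["image"].lower().endswith("schtasks.exe") and "/create" in cmd and _untrusted(cmd):
            return Finding(ev["host"], "scheduled_task", ev["cmdline"])
        if ev["image"].endswith("/crontab") and "/tmp/" in cmd:
            return Finding(ev["host"], "cron", ev["cmdline"])
    if t == "file_create":
        p = ev["path"]
        if p.startswith(CRON_PATHS):
            return Finding(ev["host"], "cron", p)
        if p.startswith(WEBROOTS) and p.lower().endswith(WEBSHELL_EXT) and "/uploads/" in p:
            return Finding(ev["host"], "webshell", p)
    return None


def scan(events):
    """Run check_event over a batch and keep only the hits."""
    return [f for f in (check_event(e) for e in events) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.technique}: {f.detail}")
```

The benign OneDrive event is included deliberately: a rule that alerts on every Run-key write will drown the analyst, so the check keys on where the autostart value points rather than on the write itself.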
Tools used by Sandworm
Sandworm employs a diverse range of tools in its cyber espionage operations. These tools encompass ArguePatch, AWFULSHRED, BIASBOAT, BlackEnergy, CaddyWiper, Chisel, Colibri Loader, Cyclops Blink, DarkCrystal RAT, Gcat, GOSSIPFLOW, Industroyer2, JuicyPotato, LOADGRIP, ORCSHRED, P.A.S., PassKillDisk, Pivotnacci, PsList, QUEUESEED, RansomBoggs, RottenPotato, SOLOSHRED, SwiftSlicer, VPNFilter, Warzone RAT, Weevely, and living-off-the-land techniques.
ArguePatch: ArguePatch is a loader utilized to deploy CaddyWiper malware in campaigns targeting Ukraine. It is a modified version of a legitimate component from the Hex-Rays IDA Pro software, specifically the remote IDA debugger server, win32_remote.exe.
AWFULSHRED: AWFULSHRED is data wiper malware for systems running Linux.
BIASBOAT: The Linux variant of QUEUESEED is a C++ backdoor designed to gather basic system information and execute commands from a remote server.
BlackEnergy: First reported in 2007, BlackEnergy malware began as an HTTP-based toolkit for generating bots that can conduct Distributed Denial of Service (DDoS) attacks. By 2010, BlackEnergy 2 had evolved, expanding its capabilities beyond DDoS. In 2014, BlackEnergy 3 emerged, featuring a range of plugins and was used in targeted attacks.
CaddyWiper: CaddyWiper is a destructive data wiper employed in attacks against Ukrainian organizations. It erases user data and partition information from connected drives.
Colibri Loader: Colibri Loader, previously sold on an underground Russian forum, has been utilized by Sandworm in earlier campaigns. The operators boast that this loader is highly stealthy and capable of targeting Windows systems to deploy additional malware onto the infected machines.
Cyclops Blink: Cyclops Blink is a sophisticated, large-scale modular malware framework designed to target network devices. To date, the malware has predominantly been deployed on WatchGuard devices.
DarkCrystal RAT (DCRat): DCRat is a comprehensive .NET-based backdoor with a modular architecture that allows for extensive customization through plugins. Affiliates use DCRat Studio, a specialized IDE, to develop these plugins, enhancing the tool’s functionality. Its flexible design makes DCRat versatile for various malicious activities.
Gcat: Gcat is a Python-based backdoor that utilizes Gmail as its command-and-control server. Sandworm has employed Gcat to deploy BlackEnergy and other malware onto compromised systems.
GOSSIPFLOW: GOSSIPFLOW is a Go-based malware designed for Windows that establishes tunneling using the Yamux multiplexer library. It offers SOCKS5 proxy functionality, facilitating data exfiltration and securing communication with the command-and-control server.
Industroyer2: Industroyer2 is a compiled, static malware capable of communicating via the IEC-104 protocol, similar to the IEC-104 module in Industroyer. Researchers believe it was designed to impact high-voltage electrical substations.
JuicyPotato: JuicyPotato is a variant of RottenPotatoNG designed for privilege escalation following an initial compromise.
LOADGRIP: The Linux variant of QUEUESEED, developed in C, is designed to inject a payload into processes using the ptrace API. The payload is typically encrypted, with the decryption key generated from a constant and a machine-specific ID.
PassKillDisk: PassKillDisk is a data wiper malware used by Sandworm.
QUEUESEED: This C++ backdoor for Windows gathers basic system information and executes commands from a remote server. It manages file operations, command execution, and updates with self-deletion capability. Communications are secured via HTTPS, and data is encrypted using RSA and AES. It maintains persistence by encrypting its configuration in the Windows registry and setting up tasks or registry entries for automatic execution.
RansomBoggs: RansomBoggs is a .NET-based ransomware used by Sandworm in attacks against Ukrainian targets.
RottenPotato: RottenPotato is a Local Privilege Escalation tool that enables escalation from Windows Service Accounts to SYSTEM.
SwiftSlicer: SwiftSlicer is a destructive malware used against Ukrainian targets.
VPNFilter: VPNFilter is a multi-stage, modular malware platform with versatile capabilities, supporting both intelligence gathering and destructive cyber attack operations.
Warzone RAT: Warzone RAT is a widely available commodity info stealer written in C++ and sold on criminal forums. It is also found in cracked versions on GitHub. This RAT reuses code from the Ave Maria stealer.
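The Industroyer2 entry above notes that the malware speaks IEC-104 to substation equipment. From a monitoring standpoint the useful signal is not the protocol itself but control-direction commands (breaker open/close, set-points) arriving from a source that is not the authorized SCADA master. The following is an added example written for this article, not Cyble's or any vendor's code: a minimal IEC 60870-5-104 APDU parser plus a check that alerts on control-type ASDUs from hosts outside an allowlist. The frames, addresses and allowlist are constructed for the demonstration.

```python
"""Parse IEC 60870-5-104 APDUs and flag control commands (the message class
Industroyer2 sends to RTUs) that originate outside the allowed-master list.
Added defensive example; frames and addresses below are constructed."""
import struct

# ASDU type identifiers for process information in the control direction.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step", 48: "C_SE_NA_1 set-point (normalized)",
    49: "C_SE_NB_1 set-point (scaled)", 50: "C_SE_NC_1 set-point (float)",
    51: "C_BO_NA_1 bitstring",
    58: "C_SC_TA_1 single command (time-tagged)", 59: "C_DC_TA_1 double command (time-tagged)",
    60: "C_RC_TA_1 regulating step (time-tagged)", 61: "C_SE_TA_1 set-point (time-tagged)",
    62: "C_SE_TB_1 set-point (time-tagged)", 63: "C_SE_TC_1 set-point (time-tagged)",
    64: "C_BO_TA_1 bitstring (time-tagged)",
}
COT_ACTIVATION = 6  # cause of transmission "activation"


def parse_apdu(frame: bytes):
    """Return a dict describing an I-format APDU, or None for S/U-format frames."""
    if len(frame) < 6 or frame[0] != 0x68 or frame[1] != len(frame) - 2:
        raise ValueError("malformed APCI")
    if frame[2] & 0x01:  # control field 1 ends in 01 (S-format) or 11 (U-format): no ASDU
        return None
    asdu = frame[6:]
    if len(asdu) < 9:
        raise ValueError("ASDU header truncated")
    type_id, vsq, cot_lo, _originator, common_addr = struct.unpack("<BBBBH", asdu[:6])
    ioa = int.from_bytes(asdu[6:9], "little")  # information object address, 3 bytes LE
    info = {"type_id": type_id, "sq": vsq >> 7, "count": vsq & 0x7F,
            "cot": cot_lo & 0x3F, "negative": bool(cot_lo & 0x40),
            "common_addr": common_addr, "ioa": ioa}
    if type_id in (45, 46) and len(asdu) >= 10:
        qual = asdu[9]                       # SCO / DCO qualifier byte
        info["select"] = bool(qual & 0x80)   # S/E bit: 1 = select, 0 = execute
        info["state"] = qual & (0x01 if type_id == 45 else 0x03)
    return info


def classify(src_ip: str, frame: bytes, allowed_masters):
    """Return an alert string for a control command from an unexpected source, else None."""
    info = parse_apdu(frame)
    if info is None or info["type_id"] not in CONTROL_TYPES:
        return None
    if src_ip in allowed_masters:
        return None
    verb = "SELECT" if info.get("select") else "EXECUTE"
    return (f"{src_ip} sent {CONTROL_TYPES[info['type_id']]} ({verb}) "
            f"cot={info['cot']} ca={info['common_addr']} ioa={info['ioa']} state={info.get('state')}")


def build_single_command(ca: int, ioa: int, on: bool, select: bool = False,
                         cot: int = COT_ACTIVATION) -> bytes:
    """Build a C_SC_NA_1 I-frame (sequence numbers zero) to produce sample traffic."""
    sco = (0x80 if select else 0) | (1 if on else 0)
    asdu = struct.pack("<BBBBH", 45, 1, cot, 0, ca) + ioa.to_bytes(3, "little") + bytes([sco])
    return bytes([0x68, 4 + len(asdu), 0, 0, 0, 0]) + asdu


# Constructed traffic: the same single command from the authorized SCADA master
# and from an engineering workstation that should never issue controls, plus a
# U-format TESTFR keepalive that carries no ASDU.
ALLOWED_MASTERS = {"10.10.1.5"}
SAMPLE_TRAFFIC = [
    ("10.10.1.5", build_single_command(1, 1001, on=True)),
    ("10.10.7.23", build_single_command(1, 1001, on=False)),
    ("10.10.7.23", bytes([0x68, 4, 0x43, 0, 0, 0])),
]


def scan(traffic, allowed=ALLOWED_MASTERS):
    """Classify every (source, frame) pair and keep only the alerts."""
    return [a for a in (classify(ip, f, allowed) for ip, f in traffic) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_TRAFFIC):
        print(alert)
```

In a real deployment the allowlist would be the set of master station addresses from the substation's engineering documentation, and the select/execute distinction matters: a SELECT from an unexpected host is the earliest point at which an operator can still intervene.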
Network
GOSSIPFLOW, the Go-based malware used on Windows, establishes tunneling through the Yamux multiplexer library, offering SOCKS5 proxy functionality for data exfiltration and securing communication with the command-and-control server. Although command-and-control traffic was present, encryption obscured the commands sent back from the server. This cyber espionage campaign is attributed to the “Sandworm Team,” named by iSIGHT because of the group’s encoded references to the classic sci-fi series Dune in command-and-control URLs and various malware samples. During the 2015 Ukraine electric power attack, the Sandworm Team used BlackEnergy to manage communication between compromised hosts and command-and-control servers via HTTP POST requests, while the Kapeka backdoor handled incoming commands through the WinHttp 5.1 COM interface.
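Where the command channel itself is encrypted, as noted above, the content of the POST bodies is not available to a defender, but the timing is: an implant that polls its server over HTTP POST produces a series of requests to one destination at a near-constant interval. The following is an added example written for this article, not Cyble's code, showing a simple beaconing check over proxy logs; the log lines, hostnames and thresholds are constructed for the demonstration.

```python
"""Flag hosts that POST to the same destination on a near-constant interval,
the traffic shape an HTTP-POST polling channel such as BlackEnergy's produces.
Added example; the proxy log below is constructed, not a real capture."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "timestamp src method host path status bytes".
# 10.0.0.12 polls every ~300 s with small jitter; 10.0.0.33 is an interactive user.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.12 POST updates.example.test /api/check 200 412
2024-03-01T10:00:03 10.0.0.12 GET  cdn.example.test /img/logo.png 200 9120
2024-03-01T10:05:01 10.0.0.12 POST updates.example.test /api/check 200 415
2024-03-01T10:10:00 10.0.0.12 POST updates.example.test /api/check 200 410
2024-03-01T10:15:02 10.0.0.12 POST updates.example.test /api/check 200 414
2024-03-01T10:20:00 10.0.0.12 POST updates.example.test /api/check 200 411
2024-03-01T10:25:01 10.0.0.12 POST updates.example.test /api/check 200 413
2024-03-01T10:01:10 10.0.0.33 POST mail.example.test /owa/sync 200 2048
2024-03-01T10:09:45 10.0.0.33 POST mail.example.test /owa/sync 200 1800
2024-03-01T10:31:02 10.0.0.33 POST mail.example.test /owa/sync 200 3100
2024-03-01T10:33:00 10.0.0.33 POST mail.example.test /owa/sync 200 2200
2024-03-01T11:02:20 10.0.0.33 POST mail.example.test /owa/sync 200 1900
"""


def parse_log(text):
    """Parse the whitespace-separated log into (timestamp, src, method, host, path) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, path, _status, _size = line.split()
        rows.append((datetime.fromisoformat(ts), src, method, host, path))
    return rows


def find_beacons(rows, min_requests=5, max_jitter=0.1):
    """Return (src, host, path, mean_gap_s, jitter) for POST series whose
    coefficient of variation of inter-request gaps is at most max_jitter."""
    series = defaultdict(list)
    for ts, src, method, host, path in rows:
        if method == "POST":
            series[(src, host, path)].append(ts)
    hits = []
    for key, stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        jitter = pstdev(gaps) / mu  # low value = regular cadence
        if jitter <= max_jitter:
            hits.append((*key, round(mu, 1), round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for src, host, path, gap, jitter in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {host}{path}: every {gap}s (jitter {jitter})")
```

The coefficient of variation is used rather than the raw standard deviation so that the same threshold works for a 5-minute and a 5-hour poll interval; in production the minimum request count should be raised and legitimate periodic clients (update agents, mail sync) allowlisted by destination.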
Conclusion
The Sandworm APT group, linked to Russia’s GRU military unit 74455, exemplifies a sophisticated and destructive cyber threat. With a track record of high-profile attacks, including disruptions to Ukrainian power grids and the global NotPetya incident, Sandworm’s operations reveal their strategic depth. Their campaigns involve a broad range of techniques, from exploiting vulnerabilities and deploying modular malware like Industroyer2 and CaddyWiper to maintaining persistence through encrypted configurations and rogue jobs.
Recommendations:
To counter the Sandworm APT group and similar sophisticated cyber threats, consider the following recommendations:
Enhanced Monitoring and Detection: Implement advanced monitoring systems to detect anomalous activity and potential indicators of compromise. Utilize threat intelligence feeds to stay informed about emerging tactics, techniques, and procedures used by Sandworm.
Regular Vulnerability Assessments: Conduct frequent vulnerability assessments and penetration testing to identify and address weaknesses in your network and systems. Patch known vulnerabilities promptly to reduce the risk of exploitation.
Robust Network Segmentation: Segment your network to limit lateral movement and confine the impact of potential breaches. Use firewalls and access controls to restrict communication between different network segments.
Strong Access Controls: Implement strict access controls, including multi-factor authentication (MFA) and least privilege principles. Regularly review and update access permissions to ensure that only authorized users have access to sensitive systems and data.
Endpoint Protection: Deploy comprehensive endpoint protection solutions, including anti-malware, intrusion prevention systems (IPS), and behavior monitoring tools. Ensure that these solutions are regularly updated and configured to detect and block advanced threats.
Regular Backups: Maintain regular, encrypted backups of critical data and systems. Store backups offline or in a secure environment to protect them from ransomware and other destructive malware.
Incident Response Plan: Establish and evaluate an incident response strategy to guarantee a prompt and organized reaction to cyber incidents. This strategy should encompass protocols for controlling, eliminating, restoring, and engaging with involved parties.
Employee Training: Conduct regular cybersecurity training and awareness programs for employees. Focus on recognizing phishing attempts, social engineering tactics, and safe computing practices.
Secure Configuration Management: Regularly review and update the configuration of network devices, servers, and software to ensure they adhere to security best practices. Disable unnecessary services and features to reduce attack surfaces.
Collaboration and Information Sharing: Engage with industry groups, government agencies, and cybersecurity organizations to share information and collaborate on threat intelligence and mitigation strategies.
MITRE ATT&CK Techniques Associated with Sandworm
Exploit Public-Facing Application (T1190): Exploiting vulnerabilities in Microsoft PowerPoint (CVE-2014-4114) and Microsoft Word (CVE-2013-3906).
External Remote Services (T1133): Using compromised VPNs and routers to gain initial access.
Exploitation for Client Execution (T1203): Leveraging software vulnerabilities for remote code execution.
Boot or Logon Autostart Execution (T1547): Creating scheduled tasks or registry entries (e.g., “Run” registry keys) for persistence.
Create or Modify System Process (T1543): Modifying Cron jobs on Linux to maintain persistence.
Indicator Removal on Host (T1070): Using CaddyWiper to erase traces of previous malware like Industroyer2.
Obfuscated Files or Information (T1027): Encrypting configurations in the Windows registry to hide from detection.
Exfiltration Over Command and Control Channel (T1041): Using SOCKS5 proxies and encrypted channels for data exfiltration via GOSSIPFLOW.
Data Destruction (T1485): Using CaddyWiper to erase data on compromised systems.