ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > Sandworm Team, Iron Viking, Voodoo Bear

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Sandworm Team, Iron Viking, Voodoo Bear

NamesSandworm Team (Trend Micro)
Sandworm (ESET)
Iron Viking (SecureWorks)
CTG-7263 (SecureWorks)
Voodoo Bear (CrowdStrike)
Quedagh (F-Secure)
TEMP.Noble (FireEye)
ATK 14 (Thales)
BE2 (Kaspersky)
UAC-0082 (CERT-UA)
CountryRussia Russia
SponsorState-sponsored
MotivationSabotage and destruction
First seen2009
DescriptionSandworm Team is a Russian cyberespionage group that has operated since approximately 2009. The group likely consists of Russian pro-hacktivists. Sandworm Team targets mainly Ukrainian entities associated with energy, industrial control systems, SCADA, government, and media. Sandworm Team has been linked to the Ukrainian energy sector attack in late 2015.

This group appears to be closely associated with, or evolved into, TeleBots.
ObservedSectors: Education, Energy, Government, Telecommunications.
Countries: Azerbaijan, Belarus, France, Georgia, Iran, Israel, Kazakhstan, Kyrgyzstan, Lithuania, Poland, Russia, Ukraine.
Tools usedArguePatch, AWFULSHRED, BlackEnergy, CaddyWiper, Cyclops Blink, Gcat, Industroyer2, ORCSHRED, P.A.S., PassKillDisk, PsList, SOLOSHRED, VPNFilter.
Operations performedOct 2014The vulnerability was disclosed by iSIGHT Partners, which said that the vulnerability had already been exploited in a small number of cyberespionage attacks against NATO, several unnamed Ukrainian government organizations, a number of Western European governmental organizations, companies operating in the energy sector, European telecoms firms, and a US academic organization.
<https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks>
Dec 2015Widespread power outages on the Ukraine
The power outage was described as technical failures taking place on Wednesday, December 23 that impacted a region around Ivano-Frankivisk Oblast. One report suggested the utility began to disconnect power substations for no apparent reason. The same report goes on to describe a virus was launched from the outside and it brought down the “remote management system” (a reference to the SCADA and or EMS). The outage was reported to have lasted six hours before electrical service was restored. At least two reports suggest the utility had initiated manual controls for restoration of service and the SCADA system was still off-line due to the infection.
<https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage>
Late 2017ANSSI has been informed of an intrusion campaign targeting the monitoring software Centreon distributed by the French company CENTREON which resulted in the breach of several French entities.
<https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf>
Jun 2019New Sandworm Malware Cyclops Blink Replaces VPNFilter
<https://www.cisa.gov/uscert/ncas/alerts/aa22-054a>
Aug 2019Russian military cyber actors, publicly known as Sandworm Team, have been exploiting a vulnerability in Exim mail transfer agent (MTA) software since at least last August.
<https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2196511/exim-mail-transfer-agent-actively-exploited-by-russian-gru-cyber-actors/>
Apr 2022Industroyer2: Industroyer reloaded
<https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/>
May 2022Sandworm uses a new version of ArguePatch to attack targets in Ukraine
<https://www.welivesecurity.com/2022/05/20/sandworm-ukraine-new-version-arguepatch-malware-loader/>
Jun 2022Russian hackers start targeting Ukraine with Follina exploits
<https://www.bleepingcomputer.com/news/security/russian-hackers-start-targeting-ukraine-with-follina-exploits/>
Counter operationsOct 2020Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace
<https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and>
Apr 2022Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU)
<https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation>
Information<https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/>
<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/>
<https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/>
<https://www.welivesecurity.com/2022/03/21/sandworm-tale-disruption-told-anew/>
MITRE ATT&CK<https://attack.mitre.org/groups/G0034/>

Last change to this card: 19 July 2022

Download this actor card in PDF or JSON format

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]