Sandworm
The Sandworm threat group, also known as Unit 74455, is purported to be a unit of the Russian GRU. The GRU is responsible for all Russian military intelligence. Sandworm has also been referred to as Voodoo Bear, Iron Viking, ELECTRUM, Blackneergy Group, Quedagh, and Telebots. Sandworm threat operatives have been active since approximately 2009.
In 2020 the United States indicted six officers believed to be associated with Sandworm for attacks against various Ukrainian and Georgian utilities and government organizations, and more. Per Wikipedia, the officers were Yuriy Sergeyevich Andrienko (Юрий Сергеевич Андриенко), Sergey Vladimirovich Detistov (Сергей Владимирович Детистов), Pavel Valeryevich Frolov (Павел Валерьевич Фролов), Anatoliy Sergeyevich Kovalev (Анатолий Сергеевич Ковалев), Artem Valeryevich Ochichenko (Артем Валерьевич Очиченко), and Petr Nikolayevich Pliskin (Петр Николаевич Плискин). According to Wikipedia, all six were “individually charged with conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft. In addition, five of the six were accused of overtly developing hacking tools, while Ochichenko was accused of participating in spear phishing attacks against the 2018 Winter Olympics and conducting technical reconnaissance on and attempting to hack the official domain of the Parliament of Georgia.”
Sandworm was also believed to be complicit in the NotPetya attack, malicious activity against the 2018 French presidential campaign, the 2018 Winter Olympics attacks, and attacks targeted against the Organization for the Prohibition of Chemical Weapons. The NotPetya attack alone resulted in approximately $1 billion in damages and loss within US organizations. In addition, NotPetya hit medical facilities and hospitals hard during that period. Threat researchers believe these attacks by Sandworm were supported by assistance from GRU Unit 26165, also known as the notorious APT28.
Techniques used by Sandworm include Block Command Message, Block Reporting Message, Device Restart/Shutdown, Exploit Public-Facing Application, External Remote Services, Graphical User Interface (used in a SCADA environment to open breakers), Spear phishing attachments, System Firmware, Remote Services, Unauthorized Command Message, Valid Accounts, Connection Proxy, Scripting, Command-Line Interface, Lateral Tool Transfer, masquerading, and Remote Services.
Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.
Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels across many industries and from around the world.
Get started with Bugcrowd
Hackers aren’t waiting, so why should you? See how Bugcrowd can quickly improve your security posture.