Sandworm (hacker group)

Sandworm is an advanced persistent threat operated by Military Unit 74455, a cyberwarfare unit of the GRU, Russia's military intelligence service. Other names for the group, given by cybersecurity researchers, include Telebots, Voodoo Bear, IRIDIUM, Seashell Blizzard, and Iron Viking.

The team is believed to be behind the December 2015 Ukraine power grid cyberattack,  the 2017 cyberattacks on Ukraine using the NotPetya malware, various interference efforts in the 2017 French presidential election, and the cyberattack on the 2018 Winter Olympics opening ceremony. Then-United States Attorney for the Western District of Pennsylvania Scott Brady described the group's cyber campaign as "representing the most destructive and costly cyber-attacks in history."

2014
On September 3, 2014 iSIGHT Partners (now Mandiant) discovered a spear-phishing campaign exploiting a zero-day vulnerability via weaponized Microsoft Office documents. The vulnerability, dubbed CVE-2014-4114, affected all versions of Windows from Vista to 8.1 and allowed attackers to execute arbitrary code on a target machine. Researchers were able to attribute the attack to the Sandworm group and observed that the Ukrainian government was one target of the campaign. Notably, this attack coincided with a NATO summit on Ukraine in Wales.

2015 Ukraine power grid hack
On December 23, 2015, hackers launched a coordinated cyberattack against 3 energy companies in Ukraine and succeeded in temporarily disrupting the supply of electricity to about 230,000 Ukrainians for 1-6 hours.

In January, iSight Partners released a report linking the attack to Sandworm based on the usage of BlackEnergy 3.

2016 Ukraine power grid hack
On December 17, 2016, a year after the previous power grid attack, hackers again disrupted the Ukrainian power grid with a cyber attack. About one fifth of Kyiv lost power for an hour. While the outage was ultimately short, a report released 3 years after the attack by security firm Dragos outlines a theory that the malware, known as Industroyer or CRASHOVERRIDE, was meant to destroy physical electrical equipment. By exploiting a known vulnerability in the protective relays, the malware may have been designed to obfuscate any safety issues such that when engineers worked to restore power, an overload of current would be sent to destroy transformers or power lines. Such destruction would have potentially harmed utility workers as well as led to a much longer power outage if it had succeeded.

2018 Winter Olympics
On February 9, 2018 during the opening ceremony of the Winter Olympics in Pyeongchang, South Korea hackers launched a cyberattack and successfully disrupted IT infrastructure including WiFi, TVs around the Pyeongchang Olympic Stadium showing the ceremony, RFID-based security gates, and the official Olympics app which was used for digital ticketing. Staff were able to restore most critical functions before the opening ceremony was over, but the entire network had to be rebuilt from scratch. Wiper malware had wormed through every domain controller and rendered them inoperable.

3 days later Cisco Talos published a report dubbing the malware "Olympic Destroyer". The report listed similarities in the malware's propagation techniques to the "BadRabbit" and "Nyetya" malware strains and stated disruption of the games as the attack's objective.

Attribution of the Olympic Destroyer malware proved difficult as it appeared the author(s) had included code samples belonging to multiple threat actors as false flags. Intezer published a report on Feb 12 showing code similarities to samples attributed to 3 Chinese threat actors while a follow-up Talos report noted a "weak" clue pointing to another wiper created by a spinoff of the Lazarus Group, a North Korean APT.

The Kaspersky GReAT team on March 8 published 2 blog posts discussing the current industry theories and their own original research. In the technical article Kaspersky, a Russian company, showed in detail how they discovered file headers pointing to Lazarus Group were forged but stopped short of attributing the Olympic Destroyer malware to any non-North Korean group.

US Indictment (2020)
On 19 October 2020, a US-based grand jury released an indictment charging six alleged Unit 74455 officers with cybercrimes. The officers, Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin, were all individually charged with conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft. Five of the six were accused of overtly developing hacking tools, while Ochichenko was accused of participating in spearphishing attacks against the 2018 Winter Olympics and conducting technical reconnaissance on and attempting to hack the official domain of the Parliament of Georgia.

Concurrent with the US indictment announcement, the UK's National Cyber Security Centre (NCSC) published a report which publicly associated Sandworm with the 2018 Winter Olympics attack.

Exim Exploitation (2020)
On May 28, 2020 the National Security Agency published a cybersecurity advisory warning that the Sandworm group was actively exploiting a remote code execution vulnerability (referred to as CVE-2019-10149) in Exim to gain full control of mail servers. At the time the advisory was published, an updated version of Exim had been available for a year and the NSA urged administrators to patch their mail servers.

Cyclops Blink (2022)
In February 2022, Sandworm allegedly released the Cyclops Blink as malware. The malware is similar to VPNFilter. The malware allows a botnet to be constructed, and affects Asus routers and WatchGuard Firebox and XTM appliances. CISA issued a warning about this malware.

War Crimes Request (March 2022)
In late March 2022, human rights investigators and lawyers in the UC Berkeley School of Law sent a formal request to the Prosecutor of the International Criminal Court in The Hague. They urged the International Criminal Court to consider war crimes charges against Russian hackers for cyberattacks against Ukraine. Sandworm was specifically named in relation to December 2015 attacks on electrical utilities in western Ukraine and 2016 attacks on utilities in Kyiv in 2016.

Ukrainian Power Grid Attack (April 2022)
In April 2022, Sandworm attempted a blackout in Ukraine. It is said to be the first attack in five years to use an Industroyer malware variant called Industroyer2.

SwiftSlicer (January 2023)
On 25 January 2023, ESET attributed an Active Directory vulnerability wiper to Sandworm.

Infamous Chisel (August 2023)
On August 31, 2023, the cybersecurity agencies of the US, UK, Canada, Australia, and New Zealand (collectively known as Five Eyes) jointly published a report on a new malware campaign and attributed it to Sandworm. The malware, dubbed "Infamous Chisel", targeted Android devices used by the Ukrainian military. After initial infection, the malware establishes persistent access then periodically collects and exfiltrates data from the compromised device. Collected information includes:


 * device system information
 * application data from many types of apps:
 * chat - Skype, Telegram, WhatsApp, Signal, Viber, Discord
 * browser - Opera, Brave, Firefox, Chrome
 * two-factor authentication (2FA) - Google Authenticator
 * VPN - OpenVPN, VPN Proxy Master
 * file sync - OneDrive, Dropbox
 * finance - Binance, PayPal, Trust Wallet, Google Wallet
 * applications specific to the Ukrainian military

The malware also periodically collects open ports and banners of services running on other hosts on the local network. Additionally, an SSH server is created and configured to run as a Tor hidden service. An attacker could then connect remotely to the infected device without revealing their true IP address.

Name
The name "Sandworm" was dubbed by researchers at iSight Partners (now Mandiant) due to references in the malware source code to Frank Herbert's novel Dune.