Understanding Sandworm, a State-Sponsored Threat Group

Author: Patrick Barnett, CISA, CISM, CEH, CISSP, PCI QSA, PCIP
Date Published: 31 May 2024
Read Time: 10 minutes

The Russian state-sponsored threat group Sandworm, operated by military cyberwarfare unit 74455, is one of the most formidable cyberthreat collectives of recent memory. The unit is believed to be part of the Russian military intelligence agency known as the Main Directorate of the General Staff (GRU).1 The group is also tracked under other names such as Telebots, Voodoo Bear, and Iron Viking.2 Sandworm is one of the most technically sophisticated threat groups in the world and, according to numerous authorities, is responsible for the NotPetya attack.3 Worldwide, NotPetya losses are estimated at more than US$10 billion.4

Sandworm’s impact continues to be devastating. The group has contributed significantly to the Russian invasion of Ukraine through power grid attacks, industrial control systems (ICS)/operational technology (OT) attacks, Supervisory Control and Data Acquisition (SCADA) attacks, website defacement, and distributed denial of service (DDoS) attacks on government portals and other critical infrastructure.5 Sandworm’s willingness to cause physical and societal disruption is unprecedented, and its technical expertise far exceeds that of most other threat groups. It is vital that organizations use threat intelligence and understand threat group capabilities in order to build a defense that matches the adversary they actually face.

How Does Sandworm Operate?

Sandworm has existed for more than a decade.6 Over that time it has developed ICS/OT-specific malware and attacked many ICS/OT networks with devastating results. As its expertise matured, the group moved from disruption to destruction, pairing its intrusions with wiper attacks that erase hard drives to impede recovery.

Sandworm has also developed and deployed ransomware against global organizations and used PowerShell scripts to deliver additional payloads and establish command and control. In many of these intrusions the group went undetected by its targets’ cyberdefenses until the destructive stage of the attack.

What Tools Does Sandworm Use?

Sandworm is known for using a variety of powerful tools to launch its devastating attacks.

These may include:

  • Industroyer and Industroyer2⁷ are malware toolsets built to disrupt ICS/OT equipment directly by speaking the industrial protocols (such as IEC 60870-5-104 and IEC 61850) used in electrical substations, rather than merely compromising the Windows hosts around them.8 Sandworm is the first publicly known threat group to cause a power outage by cyberattack: the December 2015 Ukrainian outage was carried out with BlackEnergy and KillDisk, Industroyer caused a second outage in Kyiv in December 2016, and Industroyer2 was discovered in an attempted attack on Ukrainian high-voltage substations in April 2022.9
  • BlackEnergy10 is an older Sandworm toolkit that began life as a DDoS bot and was later extended into a modular platform for advanced persistent threat (APT) intrusions. Its botnets launch DDoS attacks that are hard to mitigate because the traffic arrives simultaneously from many geographically dispersed sources, and later versions provided the initial foothold in the 2015 Ukrainian grid attack.
  • KillDisk11 is a disk-wiping tool that overwrites files and boot records to render a computer unbootable. Sandworm first used KillDisk alongside BlackEnergy in the Ukrainian attacks. Both toolsets have since leaked and have been used by other threat groups, so their presence alone is not proof of Sandworm involvement.
  • NotPetya12 masqueraded as a variant of the Petya ransomware but was in practice a wiper: it encrypts the master file table and overwrites the master boot record with no workable path to recovery. NotPetya has wormlike features, spreading across a network through the EternalBlue SMB exploit and by replaying credentials stolen from memory with PsExec and WMI, which is why fully patched hosts were also lost.
  • Olympic Destroyer13 is wiper malware that renders infected systems inoperable. It spreads laterally using harvested credentials and wipes each machine it reaches. Sandworm deployed it against the 2018 Winter Olympics in Pyeongchang, disrupting IT systems during the opening ceremony while planting false flags intended to implicate other nations.14
  • CaddyWiper15 is wiper malware that destroys data, applications, security tools, and partition information on infected hosts. It has been used repeatedly against Ukrainian organizations since March 2022, and techniques like it have been adopted by other threat groups.

This list is not exhaustive, as many other toolsets have been used or developed by Sandworm.

Sandworm in Action

To better understand Sandworm and its implications, it is worth examining its attack history.

SCADA Attacks
In May 2023, a coordinated campaign that Danish authorities attributed, with caveats, to Sandworm compromised the perimeter firewalls of roughly 22 Danish energy-sector operators, forcing several to disconnect from the internet and run their SCADA networks in island mode.16 These attacks were unprecedented in Denmark and a prime example of how exposed centralized SCADA networks are when their internet-facing edge devices fall.

The intrusions exploited vulnerabilities in Zyxel firewalls. The first wave used a flaw for which Zyxel had already published a patch several weeks earlier but which many operators had not yet applied; a second wave days later used additional vulnerabilities that Zyxel disclosed only afterward. The campaign shows both how quickly well-resourced state actors weaponize newly disclosed or still-undisclosed flaws in edge devices and how much of the damage a disciplined patching cadence for internet-facing equipment would have prevented.

Critical CISA Alerts
In May 2020, the US National Security Agency (NSA) issued an advisory warning that Sandworm was exploiting a vulnerability in the Exim mail transfer agent (MTA) widely deployed on Unix and Linux mail servers.17 The flaw had been patched in 2019, but on servers that remained unpatched it allowed remote command execution as root, giving Sandworm full control of the mail server. In February 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) and its partners warned of a new Sandworm botnet malware, Cyclops Blink, the successor to VPNFilter, which infects WatchGuard firewall appliances and Asus routers.18

In 2022, human rights researchers formally asked the International Criminal Court in The Hague to investigate Sandworm’s attacks on Ukraine’s power grid, including the blackouts caused by Industroyer and the attempted Industroyer2 attack, as war crimes.19 Additionally, in January 2023, the Slovak cybersecurity firm ESET attributed to Sandworm a new wiper that was pushed across a Ukrainian target’s domain through Active Directory (AD) Group Policy.20 Early in the Russian invasion of Ukraine, many Ukrainian organizations suffered coordinated wiper attacks of this kind.21

Targeting of Android Devices
In August 2023, several allied government agencies reported yet another Sandworm malware campaign, “Infamous Chisel,” that targeted Android devices used by the Ukrainian military.22 The malware established persistence and exfiltrated data from affected devices, including chat logs from Telegram, Skype, WhatsApp, Signal, and Viber and data from several widely used Android browsers. It also stole application data from Google Authenticator, OpenVPN, and VPN Proxy Master. Any data held in the OneDrive or Dropbox apps was exfiltrated along with financial information from PayPal, Google Wallet, and other financial applications.

The Hunt for Sandworm

Six Sandworm officers were indicted in the United States in 2020 for attacks on Ukrainian SCADA and IT networks and Ukrainian government agencies, as well as for NotPetya and the Olympic Destroyer attack.23 The same indictment covers the hack-and-leak operation against the 2017 French presidential election and attacks on the country of Georgia in 2018 and 2019.24 Sandworm’s continued investment and expertise in OT-oriented attacks are considered second to none. Sandworm is an APT in the literal sense: it persists until its objectives are achieved.

In response, the US Federal Bureau of Investigation (FBI) has placed the six officers on its Cyber’s Most Wanted list,25 and the US Department of State’s Rewards for Justice program offers up to US$10 million for information leading to their identification or location. Other governments have also named Sandworm personnel in sanctions designations and public attributions.

Conclusion

Sandworm is a prolific and devastating threat group that can attack targets across the globe at will. It has the capability to bring down critical infrastructure and to support military operations. While Sandworm is government-sponsored and traditionally attacks political and military opponents, it can just as easily turn the same capabilities against commercial targets, as NotPetya showed. Lastly, some or many of the toolsets designed and used by Sandworm will eventually reach other threat groups pursuing financial gain or cyberterrorism. It is imperative that everyone understands what is at stake when a group such as Sandworm has an organization in its crosshairs: the loss of water, electricity, communications, healthcare, and other vital services.

Given how poorly secured and how unsophisticated many ICS/OT environments remain, every cybersecurity professional should collect and act on threat intelligence about Sandworm. It is of critical importance to rapidly increase the security and monitoring of both IT and ICS/OT services, including the edge devices that connect the two.

Patrick Barnett, CISA, CISM, CEH, CISSP, PCI QSA, PCIP

Is an incident response principal consultant for Secureworks. He has more than 30 years of experience as a cybersecurity professional and specializes in network engineering with a focus on security. In previous roles, he acted as chief information security officer (CISO) and chief information officer (CIO) and has served as vice president at a large financial enterprise. Barnett is driven by a passion for seeing cybersecurity done right and is committed to aiding organizations in defining proper policies, procedures, and mechanisms to respond to security events of any size.

Endnotes

1 Congressional Research Service, “Russian Cyber Units,” USA, 2 February 2022
2 Cybersecurity and Infrastructure Security Agency, “Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure,” USA, 9 May 2022
3 Merchant, Z.; “NotPetya: The Cyberattack That Shook the World,” The Economic Times, 4 March 2022
4 Op cit Merchant
5 Antoniuk, D.; “A Year of Wipers: How the Kremlin-Backed Sandworm has Attacked Ukraine During the War,” The Record, 1 March 2023
6 Greenberg, A.; Sandworm, 2019
7 MITRE ATT&CK, “Industroyer2”
8 SOCRadar, “What Do You Need to Know About Cybersecurity in Power Grids?,” 15 April 2022
9 Op cit Antoniuk
10 New Jersey Cybersecurity and Communications Integration Cell, “BlackEnergy,” USA, 10 August 2017
11 MITRE ATT&CK, “KillDisk”
12 Greenberg, A.; “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” WIRED, 22 August 2018
13 Greenberg, A.; "The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History,” WIRED, 17 October 2019
14 Ibid.
15 Malware News, “Analysis of CaddyWiper,” March 2022
16 Prince, B.; “Sandworm Team Targeted SCADA Systems: Trend Micro,” SecurityWeek, 20 October 2014
17 National Security Agency, “Sandworm Actors Exploiting Vulnerability in Exim Mail Transfer Agent,” USA, 28 May 2020
18 Cybersecurity and Infrastructure Security Agency, “New Sandworm Malware Cyclops Blink Replaces VPNFilter,” USA, 23 February 2022
19 Greenberg, A.; “The Case for War Crimes Charges Against Russia’s Sandworm Hackers,” WIRED, 12 May 2022
20 Proska, K.; J. Wolfram; et al.; “Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology,” Mandiant, 9 November 2023
21 Op cit Greenberg, 2022
22 Cybersecurity and Infrastructure Security Agency, Infamous Chisel Malware Analysis Report, USA, 31 August 2023
23 US Department of Justice Office of Public Affairs, “Six Russian GRU Officers Charged in Connection With Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace," USA, 19 October 2020
24 Ibid.
25 FBI, “Cyber’s Most Wanted,” USA