Sandworm (hacker group)

Sandworm is an Advanced Persistent Threat operated by Military Unit 74455, a cyberwarfare unit of the GRU, Russia's military intelligence service.[1] Other names for the group, given by cybersecurity researchers, include Telebots, Voodoo Bear, and Iron Viking.[2][3]

Sandworm
Formation: c. 2004–2007
Type: Advanced persistent threat
Purpose: Cyberespionage, cyberwarfare
Headquarters: 22 Kirova Street, Khimki, Russia
Region: Russia
Methods: Zero-days, spearphishing, malware
Official language: Russian
Parent organization: GRU
Affiliations: Fancy Bear
Formerly called: Voodoo Bear, Iron Viking, Telebots

History

The team is believed to be behind the December 2015 Ukraine power grid cyberattack,[4][5][6] the 2017 cyberattacks on Ukraine using the NotPetya malware,[7] various interference efforts in the 2017 French presidential election,[2] and the cyberattack on the 2018 Winter Olympics opening ceremony.[8][9] Then-United States Attorney for the Western District of Pennsylvania Scott Brady described the group's cyber campaign as "representing the most destructive and costly cyber-attacks in history."[2]

On 19 October 2020, a US-based grand jury released an indictment charging six alleged Unit 74455 officers with cybercrimes.[10][11][12] The officers, Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin, were all individually charged with conspiracy to conduct computer fraud and abuse, conspiracy to commit wire fraud, wire fraud, damaging protected computers, and aggravated identity theft. Five of the six were accused of overtly developing hacking tools, while Ochichenko was accused of participating in spearphishing attacks against the 2018 Winter Olympics and conducting technical reconnaissance on and attempting to hack the official domain of the Parliament of Georgia.[2]

In February 2022, Sandworm allegedly released the Cyclops Blink malware, which is similar to VPNFilter.[13] The malware allows a botnet to be constructed and affects Asus routers and WatchGuard Firebox and XTM appliances. CISA issued a warning about this malware.[14]

In late March 2022, human rights investigators and lawyers at the UC Berkeley School of Law sent a formal request to the Prosecutor of the International Criminal Court in The Hague.[15] They urged the International Criminal Court to consider war crimes charges against Russian hackers for cyberattacks against Ukraine.[15] Sandworm was specifically named in relation to the December 2015 attacks on electrical utilities in western Ukraine and the 2016 attacks on utilities in Kyiv.[15]

In April 2022, Sandworm attempted a blackout in Ukraine.[16] It is said to be the first attack in five years to use an Industroyer malware variant called Industroyer2.[17]

On 25 January 2023, ESET attributed a new data-wiping malware, deployed through Active Directory, to Sandworm.[18]

References

  1. Greenberg, Andy (2019). Sandworm: a new era of cyberwar and the hunt for the Kremlin's most dangerous hackers. Knopf Doubleday. ISBN 978-0-385-54441-2.
  2. "Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace". DOJ Office of Public Affairs. United States Department of Justice. 19 October 2020. Retrieved 23 July 2021.
  3. Timberg, Craig; Nakashima, Ellen; Munzinger, Hannes; Tanriverdi, Hakan (30 March 2023). "Secret trove offers rare look into Russian cyberwar ambitions". The Washington Post. Retrieved 31 March 2023.
  4. "Hackers shut down Ukraine power grid". www.ft.com. 5 January 2016. Retrieved 28 October 2020.
  5. Volz, Dustin (25 February 2016). "U.S. government concludes cyber attack caused Ukraine power outage". Reuters. Retrieved 28 October 2020.
  6. Hern, Alex (7 January 2016). "Ukrainian blackout caused by hackers that attacked media company, researchers say". The Guardian. ISSN 0261-3077. Retrieved 28 October 2020.
  7. "The Untold Story of NotPetya, the Most Devastating Cyberattack in History". Wired. ISSN 1059-1028. Retrieved 28 October 2020.
  8. Greenberg, Andy. "Inside Olympic Destroyer, the Most Deceptive Hack in History". Wired. ISSN 1059-1028. Retrieved 28 October 2020.
  9. Andrew S. Bowen (24 November 2020). Russian Military Intelligence: Background and Issues for Congress (PDF) (Report). Congressional Research Service. p. 16. Retrieved 21 July 2021.
  10. Cimpanu, Catalin. "US charges Russian hackers behind NotPetya, KillDisk, OlympicDestroyer attacks". ZDNet. Retrieved 28 October 2020.
  11. "Russian cyber-attack spree shows what unrestrained internet warfare looks like". The Guardian. 19 October 2020. Retrieved 28 October 2020.
  12. "US Indicts Sandworm, Russia's Most Destructive Cyberwar Unit". Wired. ISSN 1059-1028. Retrieved 28 October 2020.
  13. Hardcastle, Jessica Lyons. "Cyclops Blink malware sets up shop in ASUS routers". www.theregister.com. Retrieved 21 March 2022.
  14. "CISA Adds Eight Known Exploited Vulnerabilities to Catalog | CISA". www.cisa.gov. Retrieved 13 April 2022.
  15. Greenberg, Andy (12 May 2022). "The Case for War Crimes Charges Against Russia's Sandworm Hackers". Wired. Retrieved 7 July 2022.
  16. Greenberg, Andy. "Russia's Sandworm Hackers Attempted a Third Blackout in Ukraine". Wired. ISSN 1059-1028. Retrieved 13 April 2022.
  17. "Industroyer2: Industroyer reloaded". www.welivesecurity.com. Retrieved 13 April 2022.
  18. Živé.sk (27 January 2023). "Na Ukrajine maže počítače nový trójsky kôň. Hackeri majú byť prepojení na Rusko" [A new Trojan horse is wiping computers in Ukraine. The hackers are said to be linked to Russia]. Živé.sk (in Slovak). Retrieved 27 January 2023.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.