Sandworm Team
G00342 reportsAnalyst assessment — key judgments
- Signature techniques: T1593.001 (Social Media), AML.T0016.002 (Generative AI), T1053.005 (Scheduled Task).
- Primary targeting: KR, CN, IN, KP.
- Steady activity: 1 report(s) in last 30d vs 1 prior (+0%).
- Recent movement: 2 new technique(s), 12 new infrastructure indicator(s) in the last 30 days.
- Hunt coverage 22% of 40 observed techniques (31 gap(s)).
- Assessment confidence: medium (60).
Activity & trend
Movement — last 30 days
Overview
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.(Citation: US District Court Indictment GRU Oct 2018)
ATT&CK technique matrix
- T1593.001 · Social Mediaconf 601
- AML.T0016.002 · Generative AIconf 601
- T1053.005 · Scheduled Taskconf 601
- T1113 · Screen Captureconf 601
- T1033 · System Owner/User Discoveryconf 601
- T1548.002 · Bypass User Account Controlconf 601
- T1547 · Boot or Logon Autostart Executionconf 601
- T1115 · Clipboard Dataconf 601
- T1082 · System Information Discoveryconf 601
- T1071 · Application Layer Protocolconf 601
- T1053 · Scheduled Task/Jobconf 601
- T1106 · Native APIconf 601
Threat catalogue · engineering roadmap
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
Relationships
Activity
| Title | Source | Severity | Collected |
|---|