<!DOCTYPE html> <html lang='en'> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v16/theme/favicon.ico" type='image/x-icon'> <title>Sandworm Team, ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, Voodoo Bear, IRIDIUM, Seashell Blizzard, FROZENBARENTS, APT44, Group G0034 | MITRE ATT&CK®</title> <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap-tourist.css" /> <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap-select.min.css" /> <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/versions/v16/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row flex-grow-0 flex-shrink-1"> <div class="col px-0"> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v16/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v16.1" target="_blank">ATT&CK v16.1</a> which is the current version of ATT&CK. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!--start-indexing-for-search--> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Sandworm Team </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . 
Retrieved November 30, 2020."data-reference="UK NCSC Olympic Attacks October 2020"><sup><a href="https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> This group has been active since at least 2009.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017."data-reference="iSIGHT Sandworm 2014"><sup><a href="https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018."data-reference="CrowdStrike VOODOO BEAR"><sup><a href="https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved September 12, 2024."data-reference="USDOJ Sandworm Feb 2020"><sup><a href="https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia/index.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. 
Retrieved June 10, 2020."data-reference="NCSC Sandworm Feb 2020"><sup><a href="https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p><p>In October 2020, the US indicted six GRU Unit 74455 officers associated with <a href="/versions/v16/groups/G0034">Sandworm Team</a> for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide <a href="/versions/v16/software/S0368">NotPetya</a> attack, targeting of the 2017 French presidential campaign, the 2018 <a href="/versions/v16/software/S0365">Olympic Destroyer</a> attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . 
Retrieved November 30, 2020."data-reference="UK NCSC Olympic Attacks October 2020"><sup><a href="https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as <a href="/versions/v16/groups/G0007">APT28</a>.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020."data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div id="card-id" class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>G0034 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="Names that have overlapping reference to a group entry and may refer to the same or similar group in threat intelligence reporting">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Associated Groups</span>: ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, Voodoo Bear, IRIDIUM, Seashell Blizzard, FROZENBARENTS, APT44 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors</span>: Dragos Threat Intelligence; Hakan KARABACAK </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 
card-title">Version</span>: 4.1 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>31 May 2017 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>12 September 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of G0034" href="/versions/v16/groups/G0034/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of G0034" href="/groups/G0034/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="aliasDescription">Associated Group Descriptions</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> ELECTRUM </td> <td> <p><span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020."data-reference="Dragos ELECTRUM"><sup><a href="https://www.dragos.com/resource/electrum/" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . 
Retrieved November 30, 2020."data-reference="UK NCSC Olympic Attacks October 2020"><sup><a href="https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> Telebots </td> <td> <p><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020."data-reference="NCSC Sandworm Feb 2020"><sup><a href="https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020."data-reference="UK NCSC Olympic Attacks October 2020"><sup><a href="https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> IRON VIKING </td> <td> <p><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Secureworks. (2020, May 1). IRON VIKING Threat Profile. 
Retrieved June 10, 2020."data-reference="Secureworks IRON VIKING "><sup><a href="https://www.secureworks.com/research/threat-profiles/iron-viking" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020."data-reference="UK NCSC Olympic Attacks October 2020"><sup><a href="https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> BlackEnergy (Group) </td> <td> <p><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020."data-reference="NCSC Sandworm Feb 2020"><sup><a href="https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . 
Retrieved November 30, 2020."data-reference="UK NCSC Olympic Attacks October 2020"><sup><a href="https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> Quedagh </td> <td> <p><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017."data-reference="iSIGHT Sandworm 2014"><sup><a href="https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> <span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016."data-reference="F-Secure BlackEnergy 2014"><sup><a href="https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020."data-reference="UK NCSC Olympic Attacks October 2020"><sup><a href="https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> Voodoo Bear </td> <td> <p><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. 
Retrieved May 22, 2018."data-reference="CrowdStrike VOODOO BEAR"><sup><a href="https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020."data-reference="UK NCSC Olympic Attacks October 2020"><sup><a href="https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> IRIDIUM </td> <td> <p><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="MSTIC. (2022, October 14). New &quot;Prestige&quot; ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023."data-reference="Microsoft Prestige ransomware October 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr> <td> Seashell Blizzard </td> <td> <p><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Microsoft . (2023, July 12). How Microsoft names threat actors. 
Retrieved November 17, 2023."data-reference="Microsoft Threat Actor Naming July 2023"><sup><a href="https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr> <td> FROZENBARENTS </td> <td> <p><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024."data-reference="Leonard TAG 2023"><sup><a href="https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr> <td> APT44 </td> <td> <p><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024."data-reference="mandiant_apt44_unearthing_sandworm"><sup><a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="campaigns">Campaigns</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">First Seen</th> <th scope="col">Last Seen</th> <th scope="col">References</th> <th scope="col">Techniques</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/campaigns/C0028">C0028</a> </td> <td> <a href="/versions/v16/campaigns/C0028">2015 Ukraine Electric Power Attack</a> </td> <td style="white-space:nowrap">December 2015 <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton. When The Lights Went Out. Retrieved 2019/10/22."data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span> </td> <td style="white-space:nowrap">January 2016 <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton. When The Lights Went Out. Retrieved 2019/10/22."data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span> </td> <td> <p><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Andy Greenberg. (2017, June 28). How an Entire Nation Became Russia's Test Lab for Cyberwar. Retrieved September 27, 2023."data-reference="Andy Greenberg June 2017"><sup><a href="https://www.wired.com/story/russian-hackers-attack-ukraine/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. 
Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> <td> <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T0803">Block Command Message</a>, <a href="/versions/v16/techniques/T0804">Block Reporting Message</a>, <a href="/versions/v16/techniques/T0805">Block Serial COM</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/005">Visual Basic</a>, <a href="/versions/v16/techniques/T0885">Commonly Used Port</a>, <a href="/versions/v16/techniques/T0884">Connection Proxy</a>, <a href="/versions/v16/techniques/T1136">Create Account</a>: <a href="/versions/v16/techniques/T1136/002">Domain Account</a>, <a href="/versions/v16/techniques/T0813">Denial of Control</a>, <a href="/versions/v16/techniques/T0814">Denial of Service</a>, <a href="/versions/v16/techniques/T0816">Device Restart/Shutdown</a>, <a href="/versions/v16/techniques/T1133">External Remote Services</a>, <a href="/versions/v16/techniques/T0822">External Remote Services</a>, <a href="/versions/v16/techniques/T0823">Graphical User Interface</a>, <a href="/versions/v16/techniques/T1562">Impair Defenses</a>: <a href="/versions/v16/techniques/T1562/001">Disable or Modify Tools</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/004">File Deletion</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/001">Keylogging</a>, <a href="/versions/v16/techniques/T1570">Lateral Tool Transfer</a>, <a href="/versions/v16/techniques/T0867">Lateral Tool 
Transfer</a>, <a href="/versions/v16/techniques/T0826">Loss of Availability</a>, <a href="/versions/v16/techniques/T0827">Loss of Control</a>, <a href="/versions/v16/techniques/T0828">Loss of Productivity and Revenue</a>, <a href="/versions/v16/techniques/T0831">Manipulation of Control</a>, <a href="/versions/v16/techniques/T1112">Modify Registry</a>, <a href="/versions/v16/techniques/T1040">Network Sniffing</a>, <a href="/versions/v16/techniques/T1566">Phishing</a>: <a href="/versions/v16/techniques/T1566/001">Spearphishing Attachment</a>, <a href="/versions/v16/techniques/T1055">Process Injection</a>, <a href="/versions/v16/techniques/T0886">Remote Services</a>, <a href="/versions/v16/techniques/T1018">Remote System Discovery</a>, <a href="/versions/v16/techniques/T0846">Remote System Discovery</a>, <a href="/versions/v16/techniques/T1218">System Binary Proxy Execution</a>: <a href="/versions/v16/techniques/T1218/011">Rundll32</a>, <a href="/versions/v16/techniques/T0857">System Firmware</a>, <a href="/versions/v16/techniques/T0855">Unauthorized Command Message</a>, <a href="/versions/v16/techniques/T1204">User Execution</a>: <a href="/versions/v16/techniques/T1204/002">Malicious File</a>, <a href="/versions/v16/techniques/T1078">Valid Accounts</a>, <a href="/versions/v16/techniques/T0859">Valid Accounts</a> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0025">C0025</a> </td> <td> <a href="/versions/v16/campaigns/C0025">2016 Ukraine Electric Power Attack</a> </td> <td style="white-space:nowrap">December 2016 <span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. 
Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span> </td> <td style="white-space:nowrap">December 2016 <span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span> </td> <td> <p><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. 
Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack Retrieved. 2019/10/22 "data-reference="Joe Slowik August 2019"><sup><a href="https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> <td> <a href="/versions/v16/techniques/T1098">Account Manipulation</a>, <a href="/versions/v16/techniques/T1110">Brute Force</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/005">Visual Basic</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/001">PowerShell</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v16/techniques/T0807">Command-Line Interface</a>, <a href="/versions/v16/techniques/T1554">Compromise Host Software Binary</a>, <a href="/versions/v16/techniques/T1136">Create Account</a>, <a href="/versions/v16/techniques/T1136">Create Account</a>: <a href="/versions/v16/techniques/T1136/002">Domain Account</a>, <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v16/techniques/T1543/003">Windows Service</a>, <a href="/versions/v16/techniques/T1562">Impair Defenses</a>: <a href="/versions/v16/techniques/T1562/002">Disable Windows Event Logging</a>, <a href="/versions/v16/techniques/T1570">Lateral Tool Transfer</a>, <a 
href="/versions/v16/techniques/T0867">Lateral Tool Transfer</a>, <a href="/versions/v16/techniques/T1036">Masquerading</a>: <a href="/versions/v16/techniques/T1036/008">Masquerade File Type</a>, <a href="/versions/v16/techniques/T1036">Masquerading</a>: <a href="/versions/v16/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/versions/v16/techniques/T1036">Masquerading</a>: <a href="/versions/v16/techniques/T1036/010">Masquerade Account Name</a>, <a href="/versions/v16/techniques/T0849">Masquerading</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/002">Software Packing</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/versions/v16/techniques/T0886">Remote Services</a>, <a href="/versions/v16/techniques/T1018">Remote System Discovery</a>, <a href="/versions/v16/techniques/T0853">Scripting</a>, <a href="/versions/v16/techniques/T1505">Server Software Component</a>: <a href="/versions/v16/techniques/T1505/001">SQL Stored Procedures</a>, <a href="/versions/v16/techniques/T0859">Valid Accounts</a>, <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0034">C0034</a> </td> <td> <a href="/versions/v16/campaigns/C0034">2022 Ukraine Electric Power Attack</a> </td> <td style="white-space:nowrap">June 2022 <span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). 
Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span> </td> <td style="white-space:nowrap">October 2022 <span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span> </td> <td> <p><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span><span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Dragos, Inc.. (2023, December 11). ELECTRUM Targeted Ukrainian Electric Entity Using Custom Tools and CaddyWiper Malware, October 2022. 
Retrieved March 28, 2024."data-reference="Dragos-Sandworm-Ukraine-2022"><sup><a href="https://www.dragos.com/blog/new-details-electrum-ukraine-electric-sector-compromise-2022/" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span> </p> </td> <td> <a href="/versions/v16/techniques/T0895">Autorun Image</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/001">PowerShell</a>, <a href="/versions/v16/techniques/T0807">Command-Line Interface</a>, <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v16/techniques/T1543/002">Systemd Service</a>, <a href="/versions/v16/techniques/T1485">Data Destruction</a>, <a href="/versions/v16/techniques/T1484">Domain or Tenant Policy Modification</a>: <a href="/versions/v16/techniques/T1484/001">Group Policy Modification</a>, <a href="/versions/v16/techniques/T1570">Lateral Tool Transfer</a>, <a href="/versions/v16/techniques/T1036">Masquerading</a>: <a href="/versions/v16/techniques/T1036/004">Masquerade Task or Service</a>, <a href="/versions/v16/techniques/T1095">Non-Application Layer Protocol</a>, <a href="/versions/v16/techniques/T1572">Protocol Tunneling</a>, <a href="/versions/v16/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v16/techniques/T1053/005">Scheduled Task</a>, <a href="/versions/v16/techniques/T0853">Scripting</a>, <a href="/versions/v16/techniques/T1505">Server Software Component</a>: <a href="/versions/v16/techniques/T1505/003">Web Shell</a>, <a href="/versions/v16/techniques/T0894">System Binary Proxy Execution</a>, <a href="/versions/v16/techniques/T0855">Unauthorized Command Message</a> </td> </tr> </tbody> </table> </div>
<h2 class="pt-3 mb-2" id="techniques">Techniques Used</h2> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Use</th> </tr> </thead> <tbody> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1087">T1087</a> </td> <td> <a href="/versions/v16/techniques/T1087/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1087">Account Discovery</a>: <a href="/versions/v16/techniques/T1087/002">Domain Account</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used a tool to query Active Directory
using LDAP, discovering information about usernames listed in AD.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span> </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1087/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1087">Account Discovery</a>: <a href="/versions/v16/techniques/T1087/003">Email Account</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> used malware to enumerate email settings, including usernames and passwords, from the M.E.Doc application.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Cherepanov, A.. (2017, July 4). Analysis of TeleBots’ cunning backdoor . 
Retrieved June 11, 2020."data-reference="ESET Telebots July 2017"><sup><a href="https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span> </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1098">T1098</a> </td> <td> <a href="/versions/v16/techniques/T1098">Account Manipulation</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used the <code>sp_addlinkedsrvlogin</code> command in MS-SQL to create a link between a created account and other servers in the network.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1583">T1583</a> </td> <td> <a href="/versions/v16/techniques/T1583">Acquire Infrastructure</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> used various third-party email campaign management services to deliver phishing emails.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. 
Retrieved March 1, 2024."data-reference="Leonard TAG 2023"><sup><a href="https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1583/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1583/001">Domains</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has registered domain names and created URLs that are often designed to mimic or spoof legitimate websites, such as email login pages, online file sharing and storage websites, and password reset pages, while also hosting these items on legitimate, compromised network infrastructure.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Joseph Slowik, DomainTools. (2021, March 3). Centreon to Exim and Back: On the Trail of Sandworm. 
Retrieved April 6, 2024."data-reference="Slowik Sandworm 2021"><sup><a href="https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1583/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1583/004">Server</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has leased servers from resellers instead of leasing infrastructure directly from hosting companies to enable its operations.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1595">T1595</a> </td> <td> <a href="/versions/v16/techniques/T1595/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1595">Active Scanning</a>: <a href="/versions/v16/techniques/T1595/002">Vulnerability Scanning</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has scanned network infrastructure for vulnerabilities as part of its operational planning.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. 
Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1071">T1071</a> </td> <td> <a href="/versions/v16/techniques/T1071/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a>'s BCS-server tool connects to the designated C2 server via HTTP.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used <a href="/versions/v16/software/S0089">BlackEnergy</a> to communicate between compromised hosts and their command-and-control servers via HTTP POST requests. <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton. When The Lights Went Out. 
Retrieved October 22, 2019."data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1110">T1110</a> </td> <td> <a href="/versions/v16/techniques/T1110">Brute Force</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used a script to attempt RPC authentication against a number of hosts.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1059">T1059</a> </td> <td> <a href="/versions/v16/techniques/T1059/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/001">PowerShell</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. 
Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> <p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> <p>During the <a href="https://attack.mitre.org/campaigns/C0034">2022 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> utilized a PowerShell utility called TANKTRAP to spread and launch a wiper using Windows Group Policy.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. 
Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1059/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/003">Windows Command Shell</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used the <code>xp_cmdshell</code> command in MS-SQL.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1059/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/005">Visual Basic</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has created VBScripts to run an SSH server.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry . 
Retrieved June 10, 2020."data-reference="ESET BlackEnergy Jan 2016"><sup><a href="https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020."data-reference="ESET Telebots June 2017"><sup><a href="https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> installed a VBA script called <code>vba_macro.exe</code>. 
This macro dropped <code>FONTCACHE.DAT</code>, the primary <a href="/versions/v16/software/S0089">BlackEnergy</a> implant; <code>rundll32.exe</code>, for executing the malware; <code>NTUSER.log</code>, an empty file; and <code>desktop.ini</code>, the default file used to determine folder displays on Windows machines. <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton. When The Lights Went Out. Retrieved October 22, 2019."data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> <p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> created VBScripts to run on an SSH server.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1586">T1586</a> </td> <td> <a href="/versions/v16/techniques/T1586/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1586">Compromise Accounts</a>: <a href="/versions/v16/techniques/T1586/001">Social Media Accounts</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> creates credential capture webpages to compromise existing, legitimate social media accounts.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Joseph Slowik, DomainTools. 
(2021, March 3). Centreon to Exim and Back: On the Trail of Sandworm. Retrieved April 6, 2024."data-reference="Slowik Sandworm 2021"><sup><a href="https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1554">T1554</a> </td> <td> <a href="/versions/v16/techniques/T1554">Compromise Host Software Binary</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used a trojanized version of Windows Notepad to add a layer of persistence for <a href="/versions/v16/software/S0604">Industroyer</a>.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1584">T1584</a> </td> <td> <a href="/versions/v16/techniques/T1584/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1584">Compromise Infrastructure</a>: <a href="/versions/v16/techniques/T1584/004">Server</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> compromised legitimate Linux servers running the EXIM mail transfer agent for use in subsequent campaigns.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="National Security Agency. (2020, March 28). 
Sandworm Actors Exploiting Vulnerability In EXIM Mail Transfer Agent. Retrieved March 1, 2024."data-reference="NSA Sandworm 2020"><sup><a href="https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024."data-reference="Leonard TAG 2023"><sup><a href="https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1584/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1584">Compromise Infrastructure</a>: <a href="/versions/v16/techniques/T1584/005">Botnet</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used a large-scale botnet to target Small Office/Home Office (SOHO) network devices.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. 
Retrieved March 3, 2022."data-reference="NCSC Cyclops Blink February 2022"><sup><a href="https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1136">T1136</a> </td> <td> <a href="/versions/v16/techniques/T1136/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1136">Create Account</a>: <a href="/versions/v16/techniques/T1136/002">Domain Account</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> created privileged domain accounts to be used for further exploitation and lateral movement. <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p><p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> created two new accounts, "admin" and "система" (System). The accounts were then assigned to a domain matching local operation and were delegated new privileges.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1543">T1543</a> </td> <td> <a href="/versions/v16/techniques/T1543/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v16/techniques/T1543/002">Systemd Service</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0034">2022 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> configured Systemd to maintain persistence of GOGETTER, specifying the <code>WantedBy=multi-user.target</code> configuration to run GOGETTER when the system begins accepting user logins.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. 
Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1543/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v16/techniques/T1543/003">Windows Service</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used an arbitrary system service, loaded at system boot, to persist <a href="/versions/v16/software/S0604">Industroyer</a>. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary. <span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. 
Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2017"><sup><a href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1555">T1555</a> </td> <td> <a href="/versions/v16/techniques/T1555/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v16/techniques/T1555/003">Credentials from Web Browsers</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a>'s CredRaptor tool can collect saved passwords from various internet browsers.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1485">T1485</a> </td> <td> <a href="/versions/v16/techniques/T1485">Data Destruction</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used <a href="/versions/v16/software/S0693">CaddyWiper</a>, <a href="/versions/v16/software/S0195">SDelete</a>, and the <a href="/versions/v16/software/S0089">BlackEnergy</a> KillDisk component to overwrite files on victim systems. <span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. 
Retrieved June 10, 2020."data-reference="US-CERT Ukraine Feb 2016"><sup><a href="https://www.us-cert.gov/ics/alerts/IR-ALERT-H-16-056-01" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020."data-reference="ESET Telebots June 2017"><sup><a href="https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span> Additionally, <a href="/versions/v16/groups/G0034">Sandworm Team</a> has used the JUNKMAIL tool to overwrite files with null bytes.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. 
Retrieved July 11, 2024."data-reference="mandiant_apt44_unearthing_sandworm"><sup><a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p><p>During the <a href="https://attack.mitre.org/campaigns/C0034">2022 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> deployed <a href="/versions/v16/software/S0693">CaddyWiper</a> on the victim’s IT environment systems to wipe files related to OT capabilities, along with mapped drives and physical drive partitions.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1132">T1132</a> </td> <td> <a href="/versions/v16/techniques/T1132/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1132">Data Encoding</a>: <a href="/versions/v16/techniques/T1132/001">Standard Encoding</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a>'s BCS-server tool uses base64 encoding and HTML tags for its communication traffic with the C2 server.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. 
Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span> </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1486">T1486</a> </td> <td> <a href="/versions/v16/techniques/T1486">Data Encrypted for Impact</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used <a href="/versions/v16/software/S1058">Prestige</a> ransomware to encrypt data at targeted organizations in transportation and related logistics industries in Ukraine and Poland.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="MSTIC. (2022, October 14). New "Prestige" ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023."data-reference="Microsoft Prestige ransomware October 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1213">T1213</a> </td> <td> <a href="/versions/v16/techniques/T1213">Data from Information Repositories</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> exfiltrates data of interest from enterprise databases using Adminer.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. 
Retrieved March 1, 2024."data-reference="Leonard TAG 2023"><sup><a href="https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1005">T1005</a> </td> <td> <a href="/versions/v16/techniques/T1005">Data from Local System</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has exfiltrated internal documents, files, and other data from compromised hosts.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1491">T1491</a> </td> <td> <a href="/versions/v16/techniques/T1491/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1491">Defacement</a>: <a href="/versions/v16/techniques/T1491/002">External Defacement</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> defaced approximately 15,000 websites belonging to Georgian government, non-government, and private sector organizations in 2019.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. 
Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020."data-reference="UK NCSC Olympic Attacks October 2020"><sup><a href="https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1140">T1140</a> </td> <td> <a href="/versions/v16/techniques/T1140">Deobfuscate/Decode Files or Information</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a>'s VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group has also decrypted received information using the Triple DES algorithm and decompressed it using GZip.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Cherepanov, A.. (2017, July 4). Analysis of TeleBots’ cunning backdoor . 
Retrieved June 11, 2020."data-reference="ESET Telebots July 2017"><sup><a href="https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1587">T1587</a> </td> <td> <a href="/versions/v16/techniques/T1587/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1587">Develop Capabilities</a>: <a href="/versions/v16/techniques/T1587/001">Malware</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has developed malware for its operations, including malicious mobile applications and destructive malware such as <a href="/versions/v16/software/S0368">NotPetya</a> and <a href="/versions/v16/software/S0365">Olympic Destroyer</a>.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. 
Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1561">T1561</a> </td> <td> <a href="/versions/v16/techniques/T1561/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1561">Disk Wipe</a>: <a href="/versions/v16/techniques/T1561/002">Disk Structure Wipe</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used the <a href="/versions/v16/software/S0089">BlackEnergy</a> KillDisk component to corrupt the infected system's master boot record.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved June 10, 2020."data-reference="US-CERT Ukraine Feb 2016"><sup><a href="https://www.us-cert.gov/ics/alerts/IR-ALERT-H-16-056-01" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. 
Retrieved June 11, 2020."data-reference="ESET Telebots June 2017"><sup><a href="https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1484">T1484</a> </td> <td> <a href="/versions/v16/techniques/T1484/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1484">Domain or Tenant Policy Modification</a>: <a href="/versions/v16/techniques/T1484/001">Group Policy Modification</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0034">2022 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> leveraged Group Policy Objects (GPOs) to deploy and execute malware.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. 
Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1499">T1499</a> </td> <td> <a href="/versions/v16/techniques/T1499">Endpoint Denial of Service</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> temporarily disrupted service to Georgian government, non-government, and private sector websites after compromising a Georgian web hosting provider in 2019.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1585">T1585</a> </td> <td> <a href="/versions/v16/techniques/T1585/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1585">Establish Accounts</a>: <a href="/versions/v16/techniques/T1585/001">Social Media Accounts</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has established social media accounts to disseminate victim internal-only documents and other sensitive data.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. 
Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1585/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1585">Establish Accounts</a>: <a href="/versions/v16/techniques/T1585/002">Email Accounts</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has created email accounts that mimic legitimate organizations for its spearphishing operations.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1041">T1041</a> </td> <td> <a href="/versions/v16/techniques/T1041">Exfiltration Over C2 Channel</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has sent system information to its C2 server using HTTP.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. 
Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span> </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1190">T1190</a> </td> <td> <a href="/versions/v16/techniques/T1190">Exploit Public-Facing Application</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> exploits public-facing applications for initial access and to acquire infrastructure, such as exploitation of the EXIM mail transfer agent in Linux systems.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="National Security Agency. (2020, March 28). Sandworm Actors Exploiting Vulnerability In EXIM Mail Transfer Agent. Retrieved March 1, 2024."data-reference="NSA Sandworm 2020"><sup><a href="https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. 
Retrieved March 1, 2024."data-reference="Leonard TAG 2023"><sup><a href="https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1203">T1203</a> </td> <td> <a href="/versions/v16/techniques/T1203">Exploitation for Client Execution</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and Microsoft Word via crafted TIFF images (CVE-2013-3906).<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Ward, S.. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020."data-reference="iSight Sandworm Oct 2014"><sup><a href="https://web.archive.org/web/20160503234007/https://www.isightpartners.com/2014/10/cve-2014-4114/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span><span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Wu, W. (2014, October 14). An Analysis of Windows Zero-day Vulnerability ‘CVE-2014-4114’ aka "Sandworm". Retrieved June 18, 2020."data-reference="TrendMicro Sandworm October 2014"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-windows-zero-day-vulnerability-cve-2014-4114-aka-sandworm/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span><span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Li, H. (2013, November 5). McAfee Labs Detects Zero-Day Exploit Targeting Microsoft Office. 
Retrieved June 18, 2020."data-reference="McAfee Sandworm November 2013"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1133">T1133</a> </td> <td> <a href="/versions/v16/techniques/T1133">External Remote Services</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. <a href="/versions/v16/groups/G0034">Sandworm Team</a> has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company's users.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry . Retrieved June 10, 2020."data-reference="ESET BlackEnergy Jan 2016"><sup><a href="https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020."data-reference="ESET Telebots June 2017"><sup><a href="https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span><span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="ANSSI. (2021, January 27). 
SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021."data-reference="ANSSI Sandworm January 2021"><sup><a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024."data-reference="mandiant_apt44_unearthing_sandworm"><sup><a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p><p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> installed a modified Dropbear SSH client as a backdoor on target systems. <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1083">T1083</a> </td> <td> <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has enumerated files on a compromised host.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. 
Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1592">T1592</a> </td> <td> <a href="/versions/v16/techniques/T1592/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1592">Gather Victim Host Information</a>: <a href="/versions/v16/techniques/T1592/002">Software</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has researched software code to enable supply-chain operations, most notably for the 2017 <a href="/versions/v16/software/S0368">NotPetya</a> attack. <a href="/versions/v16/groups/G0034">Sandworm Team</a> also collected a list of computers using specific software as part of its targeting efforts.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. 
Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1589">T1589</a> </td> <td> <a href="/versions/v16/techniques/T1589/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1589">Gather Victim Identity Information</a>: <a href="/versions/v16/techniques/T1589/002">Email Addresses</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has obtained valid email addresses while researching target organizations; these addresses were subsequently used in spearphishing campaigns.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1589/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1589">Gather Victim Identity Information</a>: <a href="/versions/v16/techniques/T1589/003">Employee Names</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a>'s research of potential victim organizations included the identification and collection of employee information.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. 
Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1590">T1590</a> </td> <td> <a href="/versions/v16/techniques/T1590/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1590">Gather Victim Network Information</a>: <a href="/versions/v16/techniques/T1590/001">Domain Properties</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> conducted technical reconnaissance of the Parliament of Georgia's official internet domain prior to its 2019 attack.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1591">T1591</a> </td> <td> <a href="/versions/v16/techniques/T1591/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1591">Gather Victim Org Information</a>: <a href="/versions/v16/techniques/T1591/002">Business Relationships</a> </td> <td> <p>In preparation for its attack against the 2018 Winter Olympics, <a href="/versions/v16/groups/G0034">Sandworm Team</a> conducted online research of partner organizations listed on an official PyeongChang Olympics partnership site.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. 
Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1562">T1562</a> </td> <td> <a href="/versions/v16/techniques/T1562/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1562">Impair Defenses</a>: <a href="/versions/v16/techniques/T1562/001">Disable or Modify Tools</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> modified in-registry internet settings to lower internet security. <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1562/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1562">Impair Defenses</a>: <a href="/versions/v16/techniques/T1562/002">Disable Windows Event Logging</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> disabled event logging on compromised systems.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). 
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1070">T1070</a> </td> <td> <a href="/versions/v16/techniques/T1070/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/004">File Deletion</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used backdoors that can delete files used in an attack from an infected system.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Cherepanov, A.. (2017, July 4). Analysis of TeleBots’ cunning backdoor . Retrieved June 11, 2020."data-reference="ESET Telebots July 2017"><sup><a href="https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). 
Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <code>vba_macro.exe</code> deletes itself after <code>FONTCACHE.DAT</code>, <code>rundll32.exe</code>, and the associated .lnk file are delivered. <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1105">T1105</a> </td> <td> <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. 
(2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data. <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1490">T1490</a> </td> <td> <a href="/versions/v16/techniques/T1490">Inhibit System Recovery</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> uses <a href="/versions/v16/software/S1058">Prestige</a> to delete the backup catalog from the target system using: <code>C:\Windows\System32\wbadmin.exe delete catalog -quiet</code> and to delete volume shadow copies using: <code>C:\Windows\System32\vssadmin.exe delete shadows /all /quiet</code>. <span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="MSTIC. (2022, October 14). New "Prestige" ransomware impacts organizations in Ukraine and Poland. 
Retrieved January 19, 2023."data-reference="Microsoft Prestige ransomware October 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span> </p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1056">T1056</a> </td> <td> <a href="/versions/v16/techniques/T1056/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/001">Keylogging</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> gathered account credentials via a <a href="/versions/v16/software/S0089">BlackEnergy</a> keylogger plugin. <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018."data-reference="Ukraine15 - EISAC - 201603"><sup><a href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1570">T1570</a> </td> <td> <a href="/versions/v16/techniques/T1570">Lateral Tool Transfer</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used <code>move</code> to transfer files to a network share and has copied payloads, such as <a href="/versions/v16/software/S1058">Prestige</a> ransomware, to an Active Directory Domain Controller and distributed them via the Default Domain Group Policy Object.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="MSTIC. (2022, October 14). New "Prestige" ransomware impacts organizations in Ukraine and Poland. 
Retrieved January 19, 2023."data-reference="Microsoft Prestige ransomware October 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span> Additionally, <a href="/versions/v16/groups/G0034">Sandworm Team</a> has transferred an ISO file into the OT network to gain initial access.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> moved their tools laterally within the corporate network and between the ICS and corporate network. <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p><p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used <code>move</code> to transfer files to a network share.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p><p>During the <a href="https://attack.mitre.org/campaigns/C0034">2022 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used a Group Policy Object (GPO) to copy <a href="/versions/v16/software/S0693">CaddyWiper</a>'s executable <code>msserver.exe</code> from a staging server to a local hard drive before deployment.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. 
Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1036">T1036</a> </td> <td> <a href="/versions/v16/techniques/T1036">Masquerading</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> masqueraded malicious installers as Windows update packages to evade defense and entice users to execute binaries.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024."data-reference="Leonard TAG 2023"><sup><a href="https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1036/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1036/004">Masquerade Task or Service</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0034">2022 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> leveraged Systemd service units to masquerade GOGETTER malware as legitimate or seemingly legitimate services.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. 
Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1036/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1036/005">Match Legitimate Name or Location</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has avoided detection by naming a malicious binary explorer.exe.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. 
Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2017"><sup><a href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1036/008">.008</a> </td> <td> <a href="/versions/v16/techniques/T1036/008">Masquerade File Type</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> masqueraded executables as <code>.txt</code> files.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1036/010">.010</a> </td> <td> <a href="/versions/v16/techniques/T1036/010">Masquerade Account Name</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> created two new accounts, "admin" and "система" (System).<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1112">T1112</a> </td> <td> <a href="/versions/v16/techniques/T1112">Modify Registry</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> modified Internet settings in the registry to lower Internet security before launching <code>rundll32.exe</code>, which in turn launches the malware and communicates with C2 servers over the Internet. <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1106">T1106</a> </td> <td> <a href="/versions/v16/techniques/T1106">Native API</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> uses <a href="/versions/v16/software/S1058">Prestige</a> to disable and restore file system redirection by using the following functions: <code>Wow64DisableWow64FsRedirection()</code> and <code>Wow64RevertWow64FsRedirection()</code>.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="MSTIC. (2022, October 14). New "Prestige" ransomware impacts organizations in Ukraine and Poland. 
Retrieved January 19, 2023."data-reference="Microsoft Prestige ransomware October 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1040">T1040</a> </td> <td> <a href="/versions/v16/techniques/T1040">Network Sniffing</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used Intercepter-NG to sniff passwords in network traffic.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used <a href="/versions/v16/software/S0089">BlackEnergy</a>’s network sniffer module to discover user credentials being sent over the network between the local LAN and the power grid’s industrial control systems. <span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Charles McLellan. (2016, March 4). How hackers attacked Ukraine's power grid: Implications for Industrial IoT security. 
Retrieved September 27, 2023."data-reference="Charles McLellan March 2016"><sup><a href="https://www.zdnet.com/article/how-hackers-attacked-ukraines-power-grid-implications-for-industrial-iot-security/" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span></p></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1095">T1095</a> </td> <td> <a href="/versions/v16/techniques/T1095">Non-Application Layer Protocol</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0034">2022 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> proxied C2 communications within a TLS-based tunnel.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1571">T1571</a> </td> <td> <a href="/versions/v16/techniques/T1571">Non-Standard Port</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used port 6789 to accept connections on the group's SSH server.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry . 
Retrieved June 10, 2020."data-reference="ESET BlackEnergy Jan 2016"><sup><a href="https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1027">T1027</a> </td> <td> <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used Base64 encoding within malware variants.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Ward, S.. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020."data-reference="iSight Sandworm Oct 2014"><sup><a href="https://web.archive.org/web/20160503234007/https://www.isightpartners.com/2014/10/cve-2014-4114/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used heavily obfuscated code with <a href="/versions/v16/software/S0604">Industroyer</a> in its Windows Notepad backdoor.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. 
Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1027/002">Software Packing</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used UPX to pack a copy of <a href="/versions/v16/software/S0002">Mimikatz</a>.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/010">.010</a> </td> <td> <a href="/versions/v16/techniques/T1027/010">Command Obfuscation</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used ROT13 encoding, AES encryption and compression with the zlib library for their Python-based backdoor.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. 
Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1588">T1588</a> </td> <td> <a href="/versions/v16/techniques/T1588/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1588">Obtain Capabilities</a>: <a href="/versions/v16/techniques/T1588/002">Tool</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has acquired open-source tools for their operations, including <a href="/versions/v16/software/S0231">Invoke-PSImage</a>, which was used to establish an encrypted channel from a compromised host to <a href="/versions/v16/groups/G0034">Sandworm Team</a>'s C2 server in preparation for the 2018 Winter Olympics attack, as well as <a href="/versions/v16/software/S0357">Impacket</a> and RemoteExec, which were used in their 2022 <a href="/versions/v16/software/S1058">Prestige</a> operations.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="MSTIC. (2022, October 14). New "Prestige" ransomware impacts organizations in Ukraine and Poland. 
Retrieved January 19, 2023."data-reference="Microsoft Prestige ransomware October 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span> Additionally, <a href="/versions/v16/groups/G0034">Sandworm Team</a> has used <a href="/versions/v16/software/S0363">Empire</a>, <a href="/versions/v16/software/S0154">Cobalt Strike</a> and <a href="/versions/v16/software/S0378">PoshC2</a>.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024."data-reference="mandiant_apt44_unearthing_sandworm"><sup><a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1588/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1588">Obtain Capabilities</a>: <a href="/versions/v16/techniques/T1588/006">Vulnerabilities</a> </td> <td> <p>In 2017, <a href="/versions/v16/groups/G0034">Sandworm Team</a> conducted technical research related to vulnerabilities associated with websites used by the Korean Sport and Olympic Committee, a Korean power company, and a Korean airport.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. 
Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1003">T1003</a> </td> <td> <a href="/versions/v16/techniques/T1003/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/001">LSASS Memory</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used its plainpwd tool, a modified version of <a href="/versions/v16/software/S0002">Mimikatz</a>, and comsvcs.dll to dump Windows credentials from system memory.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020."data-reference="ESET Telebots June 2017"><sup><a href="https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="MSTIC. (2022, October 14). New "Prestige" ransomware impacts organizations in Ukraine and Poland. 
Retrieved January 19, 2023."data-reference="Microsoft Prestige ransomware October 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span> <p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used <a href="/versions/v16/software/S0002">Mimikatz</a> to capture and use legitimate credentials.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1003/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/003">NTDS</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used <code>ntdsutil.exe</code> to back up the Active Directory database, likely for credential access.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="MSTIC. (2022, October 14). New "Prestige" ransomware impacts organizations in Ukraine and Poland. 
Retrieved January 19, 2023."data-reference="Microsoft Prestige ransomware October 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1566">T1566</a> </td> <td> <a href="/versions/v16/techniques/T1566/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1566">Phishing</a>: <a href="/versions/v16/techniques/T1566/001">Spearphishing Attachment</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has delivered malicious Microsoft Office and ZIP file attachments via spearphishing emails.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Ward, S.. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020."data-reference="iSight Sandworm Oct 2014"><sup><a href="https://web.archive.org/web/20160503234007/https://www.isightpartners.com/2014/10/cve-2014-4114/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span><span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved June 10, 2020."data-reference="US-CERT Ukraine Feb 2016"><sup><a href="https://www.us-cert.gov/ics/alerts/IR-ALERT-H-16-056-01" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. 
Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="Morgan, K. (2023, October 18). Government-backed actors exploiting WinRAR vulnerability. Retrieved July 19, 2024."data-reference="Google_WinRAR_vuln_2023"><sup><a href="https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024."data-reference="mandiant_apt44_unearthing_sandworm"><sup><a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> obtained their initial foothold into many IT systems using Microsoft Office attachments delivered through phishing emails. 
<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018."data-reference="Ukraine15 - EISAC - 201603"><sup><a href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1566/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1566">Phishing</a>: <a href="/versions/v16/techniques/T1566/002">Spearphishing Link</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has crafted phishing emails containing malicious hyperlinks.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. 
Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1598">T1598</a> </td> <td> <a href="/versions/v16/techniques/T1598/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1598">Phishing for Information</a>: <a href="/versions/v16/techniques/T1598/003">Spearphishing Link</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has crafted spearphishing emails with hyperlinks designed to trick unwitting recipients into revealing their account credentials.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1055">T1055</a> </td> <td> <a href="/versions/v16/techniques/T1055">Process Injection</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> loaded <a href="/versions/v16/software/S0089">BlackEnergy</a> into svchost.exe, which then launched iexplore.exe for their C2. <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1572">T1572</a> </td> <td> <a href="/versions/v16/techniques/T1572">Protocol Tunneling</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0034">2022 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> deployed the GOGETTER tunneler software to establish a "Yamux" TLS-based C2 channel with an external server(s).<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1090">T1090</a> </td> <td> <a href="/versions/v16/techniques/T1090">Proxy</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a>'s BCS-server tool can create an internal proxy server to redirect traffic from the adversary-controlled C2 to internal servers which may not be connected to the internet, but are interconnected locally.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). 
The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span> </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1219">T1219</a> </td> <td> <a href="/versions/v16/techniques/T1219">Remote Access Software</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used remote administration tools or remote industrial control system client software for execution and to maliciously release electricity breakers.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved June 10, 2020."data-reference="US-CERT Ukraine Feb 2016"><sup><a href="https://www.us-cert.gov/ics/alerts/IR-ALERT-H-16-056-01" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="MSTIC. (2022, October 14). New "Prestige" ransomware impacts organizations in Ukraine and Poland. 
Retrieved January 19, 2023."data-reference="Microsoft Prestige ransomware October 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1021">T1021</a> </td> <td> <a href="/versions/v16/techniques/T1021/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/002">SMB/Windows Admin Shares</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has copied payloads to the <code>ADMIN$</code> share of remote systems and run <code>net use</code> to connect to network shares.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="MSTIC. (2022, October 14). New "Prestige" ransomware impacts organizations in Ukraine and Poland. 
Retrieved January 19, 2023."data-reference="Microsoft Prestige ransomware October 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> utilized <code>net use</code> to connect to network shares.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1018">T1018</a> </td> <td> <a href="/versions/v16/techniques/T1018">Remote System Discovery</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used a tool to query Active Directory using LDAP, discovering information about computers listed in AD.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). 
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> remotely discovered systems over LAN connections. OT systems were visible from the IT network as well, giving adversaries the ability to discover operational assets. <span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Charles McLellan. (2016, March 4). How hackers attacked Ukraine's power grid: Implications for Industrial IoT security. Retrieved September 27, 2023."data-reference="Charles McLellan March 2016"><sup><a href="https://www.zdnet.com/article/how-hackers-attacked-ukraines-power-grid-implications-for-industrial-iot-security/" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span></p><p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> checked for connectivity to resources within the network and used LDAP to query Active Directory, discovering information about computers listed in AD.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1053">T1053</a> </td> <td> <a href="/versions/v16/techniques/T1053/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v16/techniques/T1053/005">Scheduled Task</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> leveraged SHARPIVORY, a .NET dropper that writes embedded payload to disk and uses scheduled tasks to persist on victim machines.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024."data-reference="mandiant_apt44_unearthing_sandworm"><sup><a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0034">2022 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute <a href="/versions/v16/software/S0693">CaddyWiper</a> at a predetermined time.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. 
Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1593">T1593</a> </td> <td> <a href="/versions/v16/techniques/T1593">Search Open Websites/Domains</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> researched Ukraine's unique legal entity identifier (called an "EDRPOU" number), including running queries on the EDRPOU website, in preparation for the <a href="/versions/v16/software/S0368">NotPetya</a> attack. <a href="/versions/v16/groups/G0034">Sandworm Team</a> has also researched third-party websites to help it craft credible spearphishing emails.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1594">T1594</a> </td> <td> <a href="/versions/v16/techniques/T1594">Search Victim-Owned Websites</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has conducted research against potential victim websites as part of its operational planning.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. 
Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1505">T1505</a> </td> <td> <a href="/versions/v16/techniques/T1505/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1505">Server Software Component</a>: <a href="/versions/v16/techniques/T1505/001">SQL Stored Procedures</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used various MS-SQL stored procedures.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1505/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1505">Server Software Component</a>: <a href="/versions/v16/techniques/T1505/003">Web Shell</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used webshells including <a href="/versions/v16/software/S0598">P.A.S. Webshell</a> to maintain access to victim networks.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. 
Retrieved March 30, 2021."data-reference="ANSSI Sandworm January 2021"><sup><a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0034">2022 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> deployed the Neo-REGEORG webshell on an internet-facing server.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1489">T1489</a> </td> <td> <a href="/versions/v16/techniques/T1489">Service Stop</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> attempts to stop the MSSQL Windows service to ensure successful encryption of locked files.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="MSTIC. (2022, October 14). New "Prestige" ransomware impacts organizations in Ukraine and Poland. 
Retrieved January 19, 2023."data-reference="Microsoft Prestige ransomware October 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span> </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1072">T1072</a> </td> <td> <a href="/versions/v16/techniques/T1072">Software Deployment Tools</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used the commercially available tool RemoteExec for agentless remote code execution.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="MSTIC. (2022, October 14). New "Prestige" ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023."data-reference="Microsoft Prestige ransomware October 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1608">T1608</a> </td> <td> <a href="/versions/v16/techniques/T1608/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1608">Stage Capabilities</a>: <a href="/versions/v16/techniques/T1608/001">Upload Malware</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> staged compromised versions of legitimate software installers in forums to enable initial access to the executing user.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. 
Retrieved July 11, 2024."data-reference="mandiant_apt44_unearthing_sandworm"><sup><a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1539">T1539</a> </td> <td> <a href="/versions/v16/techniques/T1539">Steal Web Session Cookie</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> used information stealer malware to collect browser session cookies.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024."data-reference="Leonard TAG 2023"><sup><a href="https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1195">T1195</a> </td> <td> <a href="/versions/v16/techniques/T1195">Supply Chain Compromise</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> staged compromised versions of legitimate software installers on forums to achieve initial, untargeted access in victim environments.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. 
Retrieved July 11, 2024."data-reference="mandiant_apt44_unearthing_sandworm"><sup><a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1195/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1195/002">Compromise Software Supply Chain</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has distributed <a href="/versions/v16/software/S0368">NotPetya</a> by compromising the legitimate Ukrainian accounting software M.E.Doc and replacing a legitimate software update with a malicious one.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Counter Threat Research Team. (2017, June 28). NotPetya Campaign: What We Know About the Latest Global Ransomware Attack. Retrieved June 11, 2020."data-reference="Secureworks NotPetya June 2017"><sup><a href="https://www.secureworks.com/blog/notpetya-campaign-what-we-know-about-the-latest-global-ransomware-attack" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020."data-reference="ESET Telebots June 2017"><sup><a href="https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. 
Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1218">T1218</a> </td> <td> <a href="/versions/v16/techniques/T1218/011">.011</a> </td> <td> <a href="/versions/v16/techniques/T1218">System Binary Proxy Execution</a>: <a href="/versions/v16/techniques/T1218/011">Rundll32</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> used a backdoor which could execute a supplied DLL using rundll32.exe.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Cherepanov, A.. (2017, July 4). Analysis of TeleBots’ cunning backdoor . Retrieved June 11, 2020."data-reference="ESET Telebots July 2017"><sup><a href="https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used a backdoor which could execute a supplied DLL using <code>rundll32.exe</code>. <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1082">T1082</a> </td> <td> <a href="/versions/v16/techniques/T1082">System Information Discovery</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> used a backdoor to enumerate information about the infected system's operating system.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Cherepanov, A.. (2017, July 4). Analysis of TeleBots’ cunning backdoor . Retrieved June 11, 2020."data-reference="ESET Telebots July 2017"><sup><a href="https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1049">T1049</a> </td> <td> <a href="/versions/v16/techniques/T1049">System Network Connections Discovery</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> had gathered user, IP address, and server data related to RDP sessions on a compromised host. 
It has also accessed network diagram files useful for understanding how a host's network was configured.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span> </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1033">T1033</a> </td> <td> <a href="/versions/v16/techniques/T1033">System Owner/User Discovery</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has collected the username from a compromised host.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. 
Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1199">T1199</a> </td> <td> <a href="/versions/v16/techniques/T1199">Trusted Relationship</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used dedicated network connections from one victim organization to gain unauthorized access to a separate organization.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> Additionally, <a href="/versions/v16/groups/G0034">Sandworm Team</a> has accessed Internet service providers and telecommunication entities that provide mobile connectivity.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. 
Retrieved July 11, 2024."data-reference="mandiant_apt44_unearthing_sandworm"><sup><a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1204">T1204</a> </td> <td> <a href="/versions/v16/techniques/T1204/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1204">User Execution</a>: <a href="/versions/v16/techniques/T1204/001">Malicious Link</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1204/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1204">User Execution</a>: <a href="/versions/v16/techniques/T1204/002">Malicious File</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has tricked unwitting recipients into clicking on spearphishing attachments and enabling malicious macros embedded within files.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. 
Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them. <span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. 
Retrieved March 27, 2018."data-reference="Ukraine15 - EISAC - 201603"><sup><a href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1078">T1078</a> </td> <td> <a href="/versions/v16/techniques/T1078">Valid Accounts</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used previously acquired legitimate credentials prior to attacks.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved June 10, 2020."data-reference="US-CERT Ukraine Feb 2016"><sup><a href="https://www.us-cert.gov/ics/alerts/IR-ALERT-H-16-056-01" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used valid accounts on the corporate network to escalate privileges, move laterally, and establish persistence within the corporate network. <span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. 
Retrieved March 27, 2018."data-reference="Ukraine15 - EISAC - 201603"><sup><a href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1078/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1078/002">Domain Accounts</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used stolen credentials to access administrative accounts within the domain.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="MSTIC. (2022, October 14). New "Prestige" ransomware impacts organizations in Ukraine and Poland. 
Retrieved January 19, 2023."data-reference="Microsoft Prestige ransomware October 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1102">T1102</a> </td> <td> <a href="/versions/v16/techniques/T1102/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1102">Web Service</a>: <a href="/versions/v16/techniques/T1102/002">Bidirectional Communication</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used the Telegram Bot API from Telegram Messenger as the command and control channel for its Python backdoor, sending commands to and receiving results from the implant. <a href="/versions/v16/groups/G0034">Sandworm Team</a> also used legitimate M.E.Doc software update check requests for sending and receiving commands and hosted malicious payloads on putdrive.com.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. 
Retrieved June 11, 2020."data-reference="ESET Telebots June 2017"><sup><a href="https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1047">T1047</a> </td> <td> <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used <a href="/versions/v16/software/S0357">Impacket</a>’s WMIexec module for remote code execution and VBScript to run WMI queries.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="MSTIC. (2022, October 14). New "Prestige" ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023."data-reference="Microsoft Prestige ransomware October 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, WMI was used in scripts for remote execution and system surveys. <span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p></p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/versions/v16/techniques/T1660">T1660</a> </td> <td> <a href="/versions/v16/techniques/T1660">Phishing</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> used SMS-based phishing to target victims with malicious links.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024."data-reference="Leonard TAG 2023"><sup><a href="https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/versions/v16/techniques/T1409">T1409</a> </td> <td> <a href="/versions/v16/techniques/T1409">Stored Application Data</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> can collect encrypted Telegram and Signal communications.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. 
Retrieved July 11, 2024."data-reference="mandiant_apt44_unearthing_sandworm"><sup><a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0895">T0895</a> </td> <td> <a href="/versions/v16/techniques/T0895">Autorun Image</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0034">2022 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used existing hypervisor access to map an ISO image named <code>a.iso</code> to a virtual machine running a SCADA server. The SCADA server’s operating system was configured to autorun CD-ROM images, and as a result, a malicious VBS script on the ISO image was automatically executed.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. 
Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0803">T0803</a> </td> <td> <a href="/versions/v16/techniques/T0803">Block Command Message</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> blocked command messages by using malicious firmware to render serial-to-ethernet converters inoperable. <span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018."data-reference="Ukraine15 - EISAC - 201603"><sup><a href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0804">T0804</a> </td> <td> <a href="/versions/v16/techniques/T0804">Block Reporting Message</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> blocked reporting messages by using malicious firmware to render serial-to-ethernet converters inoperable. <span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. 
(2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018."data-reference="Ukraine15 - EISAC - 201603"><sup><a href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0805">T0805</a> </td> <td> <a href="/versions/v16/techniques/T0805">Block Serial COM</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> overwrote the serial-to-ethernet converter firmware, rendering the devices inoperable. This meant that communication to the downstream serial devices was either not possible or more difficult. <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0807">T0807</a> </td> <td> <a href="/versions/v16/techniques/T0807">Command-Line Interface</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> uses the MS-SQL Server <code>xp_cmdshell</code> extended stored procedure and PowerShell to execute commands. <span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 
2019/10/14 "data-reference="Dragos October 2018"><sup><a href="https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> supplied the name of the payload DLL to <a href="/versions/v16/software/S0604">Industroyer</a> via a command line parameter.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p><p>During the <a href="https://attack.mitre.org/campaigns/C0034">2022 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> leveraged the SCIL-API on the MicroSCADA platform to execute commands through the <code>scilc.exe</code> binary.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. 
Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0885">T0885</a> </td> <td> <a href="/versions/v16/techniques/T0885">Commonly Used Port</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used port 443 to communicate with their C2 servers. <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0884">T0884</a> </td> <td> <a href="/versions/v16/techniques/T0884">Connection Proxy</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> establishes an internal proxy prior to the installation of backdoors within the network. <span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 "data-reference="Dragos Inc. 
June 2017"><sup><a href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> established an internal proxy prior to the installation of backdoors within the network. <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0813">T0813</a> </td> <td> <a href="/versions/v16/techniques/T0813">Denial of Control</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/software/S0607">KillDisk</a> rendered devices that were necessary for remote recovery unusable, including at least one RTU. Additionally, <a href="/versions/v16/groups/G0034">Sandworm Team</a> overwrote the firmware for serial-to-ethernet converters, denying operators control of the downstream devices. <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018."data-reference="Ukraine15 - EISAC - 201603"><sup><a href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0814">T0814</a> </td> <td> <a href="/versions/v16/techniques/T0814">Denial of Service</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, power company phone line operators were hit with a denial of service attack so that they couldn’t field customers’ calls about outages. Operators were also denied service to their downstream devices when their serial-to-ethernet converters had their firmware overwritten, which bricked the devices. <span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. 
Retrieved March 27, 2018."data-reference="Ukraine15 - EISAC - 201603"><sup><a href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0816">T0816</a> </td> <td> <a href="/versions/v16/techniques/T0816">Device Restart/Shutdown</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> scheduled the uninterruptible power supplies (UPS) to shut down data and telephone servers via the UPS management interface. <span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018."data-reference="Ukraine15 - EISAC - 201603"><sup><a href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0819">T0819</a> </td> <td> <a href="/versions/v16/techniques/T0819">Exploit Public-Facing Application</a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet. <span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="ICS-CERT 2014, December 10 ICS Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS (Update E) Retrieved. 2019/10/11 "data-reference="ICS-CERT December 2014"><sup><a href="https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span> <span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="ICS CERT 2018, September 06 Advantech/Broadwin WebAccess RPC Vulnerability (Update B) Retrieved. 
2019/12/05 "data-reference="ICS CERT September 2018"><sup><a href="https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0822">T0822</a> </td> <td> <a href="/versions/v16/techniques/T0822">External Remote Services</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used Valid Accounts taken from the Windows Domain Controller to access the control system Virtual Private Network (VPN) used by grid operators. <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0823">T0823</a> </td> <td> <a href="/versions/v16/techniques/T0823">Graphical User Interface</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> utilized HMI GUIs in the SCADA environment to open breakers. <span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. 
Retrieved March 27, 2018."data-reference="Ukraine15 - EISAC - 201603"><sup><a href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0867">T0867</a> </td> <td> <a href="/versions/v16/techniques/T0867">Lateral Tool Transfer</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> moved their tools laterally within the ICS network. <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used a VBS script to facilitate lateral tool transfer. The VBS script was used to copy ICS-specific payloads with the following command: <code>cscript C:\Backinfo\ufn.vbs C:\Backinfo\101.dll C:\Delta\101.dll</code><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0826">T0826</a> </td> <td> <a href="/versions/v16/techniques/T0826">Loss of Availability</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> opened the breakers at the infected sites, shutting the power off for thousands of businesses and households for around 6 hours. <span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018."data-reference="Ukraine15 - EISAC - 201603"><sup><a href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0827">T0827</a> </td> <td> <a href="/versions/v16/techniques/T0827">Loss of Control</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, operators were shut out of their equipment either through the denial of peripheral use or the degradation of equipment. Operators were therefore unable to recover from the incident through their traditional means. Much of the power was restored manually. <span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018."data-reference="Ukraine15 - EISAC - 201603"><sup><a href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0828">T0828</a> </td> <td> <a href="/versions/v16/techniques/T0828">Loss of Productivity and Revenue</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, power breakers were opened which caused the operating companies to be unable to deliver power, and left thousands of businesses and households without power for around 6 hours. 
<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018."data-reference="Ukraine15 - EISAC - 201603"><sup><a href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0831">T0831</a> </td> <td> <a href="/versions/v16/techniques/T0831">Manipulation of Control</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> opened live breakers via remote commands to the HMI, causing blackouts. <span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. 
Retrieved March 27, 2018."data-reference="Ukraine15 - EISAC - 201603"><sup><a href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0849">T0849</a> </td> <td> <a href="/versions/v16/techniques/T0849">Masquerading</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> transferred executable files as .txt and then renamed them to .exe, likely to avoid detection through extension tracking.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0886">T0886</a> </td> <td> <a href="/versions/v16/techniques/T0886">Remote Services</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used IT helpdesk software to move the mouse on ICS control devices to maliciously release electricity breakers. <span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Andy Greenberg. (2017, June 28). How an Entire Nation Became Russia's Test Lab for Cyberwar. 
Retrieved September 27, 2023."data-reference="Andy Greenberg June 2017"><sup><a href="https://www.wired.com/story/russian-hackers-attack-ukraine/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used MS-SQL access to a pivot machine, allowing code execution throughout the ICS network.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0846">T0846</a> </td> <td> <a href="/versions/v16/techniques/T0846">Remote System Discovery</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> remotely discovered operational assets once on the OT network. <span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Charles McLellan. (2016, March 4). How hackers attacked Ukraine's power grid: Implications for Industrial IoT security. 
Retrieved September 27, 2023."data-reference="Charles McLellan March 2016"><sup><a href="https://www.zdnet.com/article/how-hackers-attacked-ukraines-power-grid-implications-for-industrial-iot-security/" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span> <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0853">T0853</a> </td> <td> <a href="/versions/v16/techniques/T0853">Scripting</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> utilized VBS and batch scripts for file movement and as wrappers for PowerShell execution.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0034">2022 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> utilized a Visual Basic script <code>lun.vbs</code> to execute <code>n.bat</code>, which then executed the MicroSCADA <code>scilc.exe</code> command.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0894">T0894</a> </td> <td> <a href="/versions/v16/techniques/T0894">System Binary Proxy Execution</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0034">2022 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> executed a MicroSCADA application binary <code>scilc.exe</code> to send a predefined list of SCADA instructions specified in a file defined by the adversary, <code>s1.txt</code>. 
The executed command <code>C:\sc\prog\exec\scilc.exe -do pack\scil\s1.txt</code> leverages the SCADA software to send unauthorized command messages to remote substations.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0857">T0857</a> </td> <td> <a href="/versions/v16/techniques/T0857">System Firmware</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> overwrote the serial-to-ethernet gateways with custom firmware, leaving systems disabled, shut down, or unrecoverable. <span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. 
Retrieved March 27, 2018."data-reference="Ukraine15 - EISAC - 201603"><sup><a href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0855">T0855</a> </td> <td> <a href="/versions/v16/techniques/T0855">Unauthorized Command Message</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> issued unauthorized commands to substation breakers after gaining control of operator workstations and accessing a distribution management system (DMS) application. <span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018."data-reference="Ukraine15 - EISAC - 201603"><sup><a href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0034">2022 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used the MicroSCADA SCIL-API to specify a set of SCADA instructions, including the sending of unauthorized commands to substation devices.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). 
Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0859">T0859</a> </td> <td> <a href="/versions/v16/techniques/T0859">Valid Accounts</a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used valid accounts to laterally move through VPN connections and dual-homed systems. Sandworm Team used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications. <span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018."data-reference="Ukraine15 - EISAC - 201603"><sup><a href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used valid accounts to laterally move through VPN connections and dual-homed systems.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="software">Software</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">References</th> <th scope="col">Techniques</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/software/S1125">S1125</a> </td> <td> <a href="/versions/v16/software/S1125">AcidRain</a> </td> <td> <a href="/versions/v16/groups/G0034">Sandworm Team</a> is linked to <a href="/versions/v16/software/S1125">AcidRain</a> deployment during the ViaSat KA-SAT incident in 2022.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="A.J. Vincens, CyberScoop. (2024, March 18). Researchers spot updated version of malware that hit Viasat. 
Retrieved March 25, 2024."data-reference="Vincens AcidPour 2024"><sup><a href="https://cyberscoop.com/viasat-malware-wiper-acidrain/" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span><span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Juan Andres Guerrero-Saade and Max van Amerongen, SentinelOne. (2022, March 31). AcidRain | A Modem Wiper Rains Down on Europe. Retrieved March 25, 2024."data-reference="AcidRain JAGS 2022"><sup><a href="https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1485">Data Destruction</a>, <a href="/versions/v16/techniques/T1561">Disk Wipe</a>: <a href="/versions/v16/techniques/T1561/001">Disk Content Wipe</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1529">System Shutdown/Reboot</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0606">S0606</a> </td> <td> <a href="/versions/v16/software/S0606">Bad Rabbit</a> </td> <td> <span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Secureworks. (2020, May 1). IRON VIKING Threat Profile. 
Retrieved June 10, 2020."data-reference="Secureworks IRON VIKING "><sup><a href="https://www.secureworks.com/research/threat-profiles/iron-viking" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/versions/v16/techniques/T1548/002">Bypass User Account Control</a>, <a href="/versions/v16/techniques/T1110">Brute Force</a>: <a href="/versions/v16/techniques/T1110/003">Password Spraying</a>, <a href="/versions/v16/techniques/T1486">Data Encrypted for Impact</a>, <a href="/versions/v16/techniques/T1189">Drive-by Compromise</a>, <a href="/versions/v16/techniques/T0817">Drive-by Compromise</a>, <a href="/versions/v16/techniques/T1210">Exploitation of Remote Services</a>, <a href="/versions/v16/techniques/T0866">Exploitation of Remote Services</a>, <a href="/versions/v16/techniques/T1495">Firmware Corruption</a>, <a href="/versions/v16/techniques/T0867">Lateral Tool Transfer</a>, <a href="/versions/v16/techniques/T0828">Loss of Productivity and Revenue</a>, <a href="/versions/v16/techniques/T1036">Masquerading</a>: <a href="/versions/v16/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/versions/v16/techniques/T1106">Native API</a>, <a href="/versions/v16/techniques/T1135">Network Share Discovery</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v16/techniques/T1057">Process Discovery</a>, <a href="/versions/v16/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v16/techniques/T1053/005">Scheduled Task</a>, <a href="/versions/v16/techniques/T1218">System Binary Proxy Execution</a>: <a href="/versions/v16/techniques/T1218/011">Rundll32</a>, <a href="/versions/v16/techniques/T1569">System Services</a>: <a href="/versions/v16/techniques/T1569/002">Service Execution</a>, <a 
href="/versions/v16/techniques/T1204">User Execution</a>: <a href="/versions/v16/techniques/T1204/002">Malicious File</a>, <a href="/versions/v16/techniques/T0863">User Execution</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0089">S0089</a> </td> <td> <a href="/versions/v16/software/S0089">BlackEnergy</a> </td> <td> <span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017."data-reference="iSIGHT Sandworm 2014"><sup><a href="https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016."data-reference="F-Secure BlackEnergy 2014"><sup><a href="https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . 
Retrieved November 30, 2020."data-reference="UK NCSC Olympic Attacks October 2020"><sup><a href="https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020."data-reference="Secureworks IRON VIKING "><sup><a href="https://www.secureworks.com/research/threat-profiles/iron-viking" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/versions/v16/techniques/T1548/002">Bypass User Account Control</a>, <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/009">Shortcut Modification</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v16/techniques/T1543/003">Windows Service</a>, <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v16/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v16/techniques/T1485">Data Destruction</a>, <a href="/versions/v16/techniques/T1008">Fallback Channels</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v16/techniques/T1574/010">Services File Permissions Weakness</a>, <a href="/versions/v16/techniques/T1070">Indicator 
Removal</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/001">Clear Windows Event Logs</a>, <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/001">Keylogging</a>, <a href="/versions/v16/techniques/T1046">Network Service Discovery</a>, <a href="/versions/v16/techniques/T1120">Peripheral Device Discovery</a>, <a href="/versions/v16/techniques/T1057">Process Discovery</a>, <a href="/versions/v16/techniques/T1055">Process Injection</a>: <a href="/versions/v16/techniques/T1055/001">Dynamic-link Library Injection</a>, <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/versions/v16/techniques/T1113">Screen Capture</a>, <a href="/versions/v16/techniques/T0865">Spearphishing Attachment</a>, <a href="/versions/v16/techniques/T0869">Standard Application Layer Protocol</a>, <a href="/versions/v16/techniques/T1553">Subvert Trust Controls</a>: <a href="/versions/v16/techniques/T1553/006">Code Signing Policy Modification</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a>, <a href="/versions/v16/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v16/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v16/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v16/techniques/T1552/001">Credentials In Files</a>, <a href="/versions/v16/techniques/T0859">Valid Accounts</a>, <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0693">S0693</a> </td> <td> <a href="/versions/v16/software/S0693">CaddyWiper</a> </td> <td> <span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan 
Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1485">Data Destruction</a>, <a href="/versions/v16/techniques/T1561">Disk Wipe</a>: <a href="/versions/v16/techniques/T1561/002">Disk Structure Wipe</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1222">File and Directory Permissions Modification</a>: <a href="/versions/v16/techniques/T1222/001">Windows File and Directory Permissions Modification</a>, <a href="/versions/v16/techniques/T1106">Native API</a>, <a href="/versions/v16/techniques/T1057">Process Discovery</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0555">S0555</a> </td> <td> <a href="/versions/v16/software/S0555">CHEMISTGAMES</a> </td> <td> <span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020."data-reference="CYBERWARCON CHEMISTGAMES"><sup><a href="https://www.youtube.com/watch?v=xoNSbm1aX_w" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1437">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1437/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1623">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1623/001">Unix Shell</a>, <a href="/versions/v16/techniques/T1533">Data from Local System</a>, <a href="/versions/v16/techniques/T1407">Download New Code at Runtime</a>, <a href="/versions/v16/techniques/T1521">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1521/002">Asymmetric Cryptography</a>, <a href="/versions/v16/techniques/T1430">Location Tracking</a>, <a href="/versions/v16/techniques/T1655">Masquerading</a>: <a href="/versions/v16/techniques/T1655/001">Match Legitimate Name or Location</a>, <a href="/versions/v16/techniques/T1575">Native API</a>, <a href="/versions/v16/techniques/T1406">Obfuscated Files or Information</a>, <a href="/versions/v16/techniques/T1474">Supply Chain Compromise</a>: <a href="/versions/v16/techniques/T1474/003">Compromise Software Supply Chain</a>, <a href="/versions/v16/techniques/T1426">System Information Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0154">S0154</a> </td> <td> <a href="/versions/v16/software/S0154">Cobalt Strike</a> </td> <td> <a href="/versions/v16/groups/G0034">Sandworm Team</a> has used multiple publicly available tools during operations, such as Cobalt Strike.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. 
Retrieved July 11, 2024."data-reference="mandiant_apt44_unearthing_sandworm"><sup><a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/versions/v16/techniques/T1548/003">Sudo and Sudo Caching</a>, <a href="/versions/v16/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/versions/v16/techniques/T1548/002">Bypass User Account Control</a>, <a href="/versions/v16/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v16/techniques/T1134/004">Parent PID Spoofing</a>, <a href="/versions/v16/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v16/techniques/T1134/001">Token Impersonation/Theft</a>, <a href="/versions/v16/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v16/techniques/T1134/003">Make and Impersonate Token</a>, <a href="/versions/v16/techniques/T1087">Account Discovery</a>: <a href="/versions/v16/techniques/T1087/002">Domain Account</a>, <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/004">DNS</a>, <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/002">File Transfer Protocols</a>, <a href="/versions/v16/techniques/T1197">BITS Jobs</a>, <a href="/versions/v16/techniques/T1185">Browser Session Hijacking</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/007">JavaScript</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/005">Visual Basic</a>, <a 
href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/001">PowerShell</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/006">Python</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v16/techniques/T1543/003">Windows Service</a>, <a href="/versions/v16/techniques/T1132">Data Encoding</a>: <a href="/versions/v16/techniques/T1132/001">Standard Encoding</a>, <a href="/versions/v16/techniques/T1005">Data from Local System</a>, <a href="/versions/v16/techniques/T1001">Data Obfuscation</a>: <a href="/versions/v16/techniques/T1001/003">Protocol or Service Impersonation</a>, <a href="/versions/v16/techniques/T1030">Data Transfer Size Limits</a>, <a href="/versions/v16/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/versions/v16/techniques/T1203">Exploitation for Client Execution</a>, <a href="/versions/v16/techniques/T1068">Exploitation for Privilege Escalation</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v16/techniques/T1564/010">Process Argument Spoofing</a>, <a href="/versions/v16/techniques/T1562">Impair Defenses</a>: <a href="/versions/v16/techniques/T1562/001">Disable or Modify Tools</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/006">Timestomp</a>, <a 
href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/001">Keylogging</a>, <a href="/versions/v16/techniques/T1112">Modify Registry</a>, <a href="/versions/v16/techniques/T1106">Native API</a>, <a href="/versions/v16/techniques/T1046">Network Service Discovery</a>, <a href="/versions/v16/techniques/T1135">Network Share Discovery</a>, <a href="/versions/v16/techniques/T1095">Non-Application Layer Protocol</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/005">Indicator Removal from Tools</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v16/techniques/T1137">Office Application Startup</a>: <a href="/versions/v16/techniques/T1137/001">Office Template Macros</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/002">Security Account Manager</a>, <a href="/versions/v16/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v16/techniques/T1069/002">Domain Groups</a>, <a href="/versions/v16/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v16/techniques/T1069/001">Local Groups</a>, <a href="/versions/v16/techniques/T1057">Process Discovery</a>, <a href="/versions/v16/techniques/T1055">Process Injection</a>: <a href="/versions/v16/techniques/T1055/001">Dynamic-link Library Injection</a>, <a href="/versions/v16/techniques/T1055">Process Injection</a>: <a href="/versions/v16/techniques/T1055/012">Process Hollowing</a>, <a href="/versions/v16/techniques/T1055">Process Injection</a>, <a href="/versions/v16/techniques/T1572">Protocol Tunneling</a>, <a href="/versions/v16/techniques/T1090">Proxy</a>: <a 
href="/versions/v16/techniques/T1090/004">Domain Fronting</a>, <a href="/versions/v16/techniques/T1090">Proxy</a>: <a href="/versions/v16/techniques/T1090/001">Internal Proxy</a>, <a href="/versions/v16/techniques/T1012">Query Registry</a>, <a href="/versions/v16/techniques/T1620">Reflective Code Loading</a>, <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/001">Remote Desktop Protocol</a>, <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/004">SSH</a>, <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/006">Windows Remote Management</a>, <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/003">Distributed Component Object Model</a>, <a href="/versions/v16/techniques/T1018">Remote System Discovery</a>, <a href="/versions/v16/techniques/T1029">Scheduled Transfer</a>, <a href="/versions/v16/techniques/T1113">Screen Capture</a>, <a href="/versions/v16/techniques/T1518">Software Discovery</a>, <a href="/versions/v16/techniques/T1553">Subvert Trust Controls</a>: <a href="/versions/v16/techniques/T1553/002">Code Signing</a>, <a href="/versions/v16/techniques/T1218">System Binary Proxy Execution</a>: <a href="/versions/v16/techniques/T1218/011">Rundll32</a>, <a href="/versions/v16/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v16/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v16/techniques/T1007">System Service Discovery</a>, <a href="/versions/v16/techniques/T1569">System Services</a>: <a href="/versions/v16/techniques/T1569/002">Service Execution</a>, <a href="/versions/v16/techniques/T1550">Use Alternate Authentication Material</a>: <a 
href="/versions/v16/techniques/T1550/002">Pass the Hash</a>, <a href="/versions/v16/techniques/T1078">Valid Accounts</a>: <a href="/versions/v16/techniques/T1078/002">Domain Accounts</a>, <a href="/versions/v16/techniques/T1078">Valid Accounts</a>: <a href="/versions/v16/techniques/T1078/003">Local Accounts</a>, <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0687">S0687</a> </td> <td> <a href="/versions/v16/software/S0687">Cyclops Blink</a> </td> <td> <span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2022, February 23). New Sandworm malware Cyclops Blink replaces VPNFilter. Retrieved March 3, 2022."data-reference="NCSC CISA Cyclops Blink Advisory February 2022"><sup><a href="https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span><span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. 
Retrieved March 17, 2022."data-reference="Trend Micro Cyclops Blink March 2022"><sup><a href="https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1037">Boot or Logon Initialization Scripts</a>: <a href="/versions/v16/techniques/T1037/004">RC Scripts</a>, <a href="/versions/v16/techniques/T1132">Data Encoding</a>: <a href="/versions/v16/techniques/T1132/002">Non-Standard Encoding</a>, <a href="/versions/v16/techniques/T1005">Data from Local System</a>, <a href="/versions/v16/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v16/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1562">Impair Defenses</a>: <a href="/versions/v16/techniques/T1562/004">Disable or Modify System Firewall</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/006">Timestomp</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1559">Inter-Process Communication</a>, <a href="/versions/v16/techniques/T1036">Masquerading</a>: <a href="/versions/v16/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/versions/v16/techniques/T1106">Native API</a>, <a href="/versions/v16/techniques/T1571">Non-Standard Port</a>, <a href="/versions/v16/techniques/T1542">Pre-OS Boot</a>: <a href="/versions/v16/techniques/T1542/002">Component Firmware</a>, <a href="/versions/v16/techniques/T1057">Process 
Discovery</a>, <a href="/versions/v16/techniques/T1572">Protocol Tunneling</a>, <a href="/versions/v16/techniques/T1090">Proxy</a>: <a href="/versions/v16/techniques/T1090/003">Multi-hop Proxy</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a>, <a href="/versions/v16/techniques/T1016">System Network Configuration Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0363">S0363</a> </td> <td> <a href="/versions/v16/software/S0363">Empire</a> </td> <td> <a href="/versions/v16/groups/G0034">Sandworm Team</a> has used multiple publicly available tools during operations, such as Empire.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024."data-reference="mandiant_apt44_unearthing_sandworm"><sup><a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/versions/v16/techniques/T1548/002">Bypass User Account Control</a>, <a href="/versions/v16/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v16/techniques/T1134/005">SID-History Injection</a>, <a href="/versions/v16/techniques/T1134">Access Token Manipulation</a>, <a href="/versions/v16/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v16/techniques/T1134/002">Create Process with Token</a>, <a href="/versions/v16/techniques/T1087">Account Discovery</a>: <a href="/versions/v16/techniques/T1087/002">Domain Account</a>, <a href="/versions/v16/techniques/T1087">Account Discovery</a>: <a href="/versions/v16/techniques/T1087/001">Local Account</a>, <a href="/versions/v16/techniques/T1557">Adversary-in-the-Middle</a>: <a href="/versions/v16/techniques/T1557/001">LLMNR/NBT-NS Poisoning and SMB Relay</a>, <a 
href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1560">Archive Collected Data</a>, <a href="/versions/v16/techniques/T1119">Automated Collection</a>, <a href="/versions/v16/techniques/T1020">Automated Exfiltration</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/005">Security Support Provider</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/009">Shortcut Modification</a>, <a href="/versions/v16/techniques/T1217">Browser Information Discovery</a>, <a href="/versions/v16/techniques/T1115">Clipboard Data</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/001">PowerShell</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>, <a href="/versions/v16/techniques/T1136">Create Account</a>: <a href="/versions/v16/techniques/T1136/001">Local Account</a>, <a href="/versions/v16/techniques/T1136">Create Account</a>: <a href="/versions/v16/techniques/T1136/002">Domain Account</a>, <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v16/techniques/T1543/003">Windows Service</a>, <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v16/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v16/techniques/T1484">Domain or Tenant Policy Modification</a>: <a 
href="/versions/v16/techniques/T1484/001">Group Policy Modification</a>, <a href="/versions/v16/techniques/T1482">Domain Trust Discovery</a>, <a href="/versions/v16/techniques/T1114">Email Collection</a>: <a href="/versions/v16/techniques/T1114/001">Local Email Collection</a>, <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v16/techniques/T1546">Event Triggered Execution</a>: <a href="/versions/v16/techniques/T1546/008">Accessibility Features</a>, <a href="/versions/v16/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/versions/v16/techniques/T1567">Exfiltration Over Web Service</a>: <a href="/versions/v16/techniques/T1567/001">Exfiltration to Code Repository</a>, <a href="/versions/v16/techniques/T1567">Exfiltration Over Web Service</a>: <a href="/versions/v16/techniques/T1567/002">Exfiltration to Cloud Storage</a>, <a href="/versions/v16/techniques/T1068">Exploitation for Privilege Escalation</a>, <a href="/versions/v16/techniques/T1210">Exploitation of Remote Services</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1615">Group Policy Discovery</a>, <a href="/versions/v16/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v16/techniques/T1574/009">Path Interception by Unquoted Path</a>, <a href="/versions/v16/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v16/techniques/T1574/008">Path Interception by Search Order Hijacking</a>, <a href="/versions/v16/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v16/techniques/T1574/007">Path Interception by PATH Environment Variable</a>, <a href="/versions/v16/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v16/techniques/T1574/004">Dylib Hijacking</a>, <a href="/versions/v16/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v16/techniques/T1574/001">DLL Search Order 
Hijacking</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/006">Timestomp</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/001">Keylogging</a>, <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/004">Credential API Hooking</a>, <a href="/versions/v16/techniques/T1106">Native API</a>, <a href="/versions/v16/techniques/T1046">Network Service Discovery</a>, <a href="/versions/v16/techniques/T1135">Network Share Discovery</a>, <a href="/versions/v16/techniques/T1040">Network Sniffing</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/010">Command Obfuscation</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v16/techniques/T1057">Process Discovery</a>, <a href="/versions/v16/techniques/T1055">Process Injection</a>, <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/003">Distributed Component Object Model</a>, <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/004">SSH</a>, <a href="/versions/v16/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v16/techniques/T1053/005">Scheduled Task</a>, <a href="/versions/v16/techniques/T1113">Screen Capture</a>, <a href="/versions/v16/techniques/T1518">Software Discovery</a>: <a href="/versions/v16/techniques/T1518/001">Security Software Discovery</a>, <a href="/versions/v16/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v16/techniques/T1558/003">Kerberoasting</a>, <a href="/versions/v16/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v16/techniques/T1558/001">Golden 
Ticket</a>, <a href="/versions/v16/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v16/techniques/T1558/002">Silver Ticket</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a>, <a href="/versions/v16/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v16/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v16/techniques/T1033">System Owner/User Discovery</a>, <a href="/versions/v16/techniques/T1569">System Services</a>: <a href="/versions/v16/techniques/T1569/002">Service Execution</a>, <a href="/versions/v16/techniques/T1127">Trusted Developer Utilities Proxy Execution</a>: <a href="/versions/v16/techniques/T1127/001">MSBuild</a>, <a href="/versions/v16/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v16/techniques/T1552/001">Credentials In Files</a>, <a href="/versions/v16/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v16/techniques/T1552/004">Private Keys</a>, <a href="/versions/v16/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v16/techniques/T1550/002">Pass the Hash</a>, <a href="/versions/v16/techniques/T1125">Video Capture</a>, <a href="/versions/v16/techniques/T1102">Web Service</a>: <a href="/versions/v16/techniques/T1102/002">Bidirectional Communication</a>, <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0401">S0401</a> </td> <td> <a href="/versions/v16/software/S0401">Exaramel for Linux</a> </td> <td> <span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. 
Retrieved November 27, 2018."data-reference="ESET TeleBots Oct 2018"><sup><a href="https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span><span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021."data-reference="ANSSI Sandworm January 2021"><sup><a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/versions/v16/techniques/T1548/001">Setuid and Setgid</a>, <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/004">Unix Shell</a>, <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a>, <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v16/techniques/T1543/002">Systemd Service</a>, <a href="/versions/v16/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/versions/v16/techniques/T1008">Fallback Channels</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/004">File Deletion</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/013">Encrypted/Encoded File</a>, <a href="/versions/v16/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v16/techniques/T1053/003">Cron</a>, <a href="/versions/v16/techniques/T1033">System 
Owner/User Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0343">S0343</a> </td> <td> <a href="/versions/v16/software/S0343">Exaramel for Windows</a> </td> <td> <span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018."data-reference="ESET TeleBots Oct 2018"><sup><a href="https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1560">Archive Collected Data</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/005">Visual Basic</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v16/techniques/T1543/003">Windows Service</a>, <a href="/versions/v16/techniques/T1074">Data Staged</a>: <a href="/versions/v16/techniques/T1074/001">Local Data Staging</a>, <a href="/versions/v16/techniques/T1036">Masquerading</a>: <a href="/versions/v16/techniques/T1036/004">Masquerade Task or Service</a>, <a href="/versions/v16/techniques/T1112">Modify Registry</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/011">Fileless Storage</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0342">S0342</a> </td> <td> <a href="/versions/v16/software/S0342">GreyEnergy</a> </td> <td> <span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Secureworks. (2020, May 1). IRON VIKING Threat Profile. 
Retrieved June 10, 2020."data-reference="Secureworks IRON VIKING "><sup><a href="https://www.secureworks.com/research/threat-profiles/iron-viking" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v16/techniques/T1543/003">Windows Service</a>, <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/004">File Deletion</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/001">Keylogging</a>, <a href="/versions/v16/techniques/T1112">Modify Registry</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/002">Software Packing</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/013">Encrypted/Encoded File</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v16/techniques/T1055">Process Injection</a>: <a href="/versions/v16/techniques/T1055/002">Portable Executable Injection</a>, <a href="/versions/v16/techniques/T1090">Proxy</a>: <a 
href="/versions/v16/techniques/T1090/003">Multi-hop Proxy</a>, <a href="/versions/v16/techniques/T1553">Subvert Trust Controls</a>: <a href="/versions/v16/techniques/T1553/002">Code Signing</a>, <a href="/versions/v16/techniques/T1218">System Binary Proxy Execution</a>: <a href="/versions/v16/techniques/T1218/011">Rundll32</a>, <a href="/versions/v16/techniques/T1007">System Service Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0357">S0357</a> </td> <td> <a href="/versions/v16/software/S0357">Impacket</a> </td> <td> <span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="MSTIC. (2022, October 14). New &quot;Prestige&quot; ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023." data-reference="Microsoft Prestige ransomware October 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1557">Adversary-in-the-Middle</a>: <a href="/versions/v16/techniques/T1557/001">LLMNR/NBT-NS Poisoning and SMB Relay</a>, <a href="/versions/v16/techniques/T1040">Network Sniffing</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/003">NTDS</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/002">Security Account Manager</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/004">LSA Secrets</a>, <a href="/versions/v16/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v16/techniques/T1558/003">Kerberoasting</a>, <a href="/versions/v16/techniques/T1558">Steal or 
Forge Kerberos Tickets</a>: <a href="/versions/v16/techniques/T1558/005">Ccache Files</a>, <a href="/versions/v16/techniques/T1569">System Services</a>: <a href="/versions/v16/techniques/T1569/002">Service Execution</a>, <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0604">S0604</a> </td> <td> <a href="/versions/v16/software/S0604">Industroyer</a> </td> <td> <span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2017"><sup><a href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="Secureworks. (2020, May 1). IRON VIKING Threat Profile. 
Retrieved June 10, 2020."data-reference="Secureworks IRON VIKING"><sup><a href="https://www.secureworks.com/research/threat-profiles/iron-viking" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024."data-reference="mandiant_apt44_unearthing_sandworm"><sup><a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T0800">Activate Firmware Update Mode</a>, <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T0802">Automated Collection</a>, <a href="/versions/v16/techniques/T0803">Block Command Message</a>, <a href="/versions/v16/techniques/T0804">Block Reporting Message</a>, <a href="/versions/v16/techniques/T0805">Block Serial COM</a>, <a href="/versions/v16/techniques/T0806">Brute Force I/O</a>, <a href="/versions/v16/techniques/T0807">Command-Line Interface</a>, <a href="/versions/v16/techniques/T1554">Compromise Host Software Binary</a>, <a href="/versions/v16/techniques/T0884">Connection Proxy</a>, <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v16/techniques/T1543/003">Windows Service</a>, <a href="/versions/v16/techniques/T1485">Data Destruction</a>, <a href="/versions/v16/techniques/T0809">Data Destruction</a>, <a href="/versions/v16/techniques/T0813">Denial of Control</a>, <a href="/versions/v16/techniques/T0814">Denial of Service</a>, <a href="/versions/v16/techniques/T0815">Denial of View</a>, <a href="/versions/v16/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/versions/v16/techniques/T0816">Device 
Restart/Shutdown</a>, <a href="/versions/v16/techniques/T1499">Endpoint Denial of Service</a>: <a href="/versions/v16/techniques/T1499/004">Application or System Exploitation</a>, <a href="/versions/v16/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T0827">Loss of Control</a>, <a href="/versions/v16/techniques/T0837">Loss of Protection</a>, <a href="/versions/v16/techniques/T0829">Loss of View</a>, <a href="/versions/v16/techniques/T0831">Manipulation of Control</a>, <a href="/versions/v16/techniques/T0832">Manipulation of View</a>, <a href="/versions/v16/techniques/T0801">Monitor Process State</a>, <a href="/versions/v16/techniques/T0840">Network Connection Enumeration</a>, <a href="/versions/v16/techniques/T1046">Network Service Discovery</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v16/techniques/T1572">Protocol Tunneling</a>, <a href="/versions/v16/techniques/T1090">Proxy</a>: <a href="/versions/v16/techniques/T1090/003">Multi-hop Proxy</a>, <a href="/versions/v16/techniques/T1012">Query Registry</a>, <a href="/versions/v16/techniques/T1018">Remote System Discovery</a>, <a href="/versions/v16/techniques/T0846">Remote System Discovery</a>, <a href="/versions/v16/techniques/T0888">Remote System Information Discovery</a>, <a href="/versions/v16/techniques/T1489">Service Stop</a>, <a href="/versions/v16/techniques/T0881">Service Stop</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a>, <a href="/versions/v16/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v16/techniques/T0855">Unauthorized Command Message</a>, <a href="/versions/v16/techniques/T1078">Valid Accounts</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1072">S1072</a> </td> <td> <a 
href="/versions/v16/software/S1072">Industroyer2</a> </td> <td> <span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="ESET. (2022, April 12). Industroyer2: Industroyer reloaded. Retrieved March 30, 2023." data-reference="Industroyer2 ESET April 2022"><sup><a href="https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024." data-reference="mandiant_apt44_unearthing_sandworm"><sup><a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T0802">Automated Collection</a>, <a href="/versions/v16/techniques/T0806">Brute Force I/O</a>, <a href="/versions/v16/techniques/T0836">Modify Parameter</a>, <a href="/versions/v16/techniques/T0801">Monitor Process State</a>, <a href="/versions/v16/techniques/T1057">Process Discovery</a>, <a href="/versions/v16/techniques/T0888">Remote System Information Discovery</a>, <a href="/versions/v16/techniques/T0881">Service Stop</a>, <a href="/versions/v16/techniques/T0855">Unauthorized Command Message</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0231">S0231</a> </td> <td> <a href="/versions/v16/software/S0231">Invoke-PSImage</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. 
Retrieved November 25, 2020." data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/003">Steganography</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/009">Embedded Payloads</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0607">S0607</a> </td> <td> <a href="/versions/v16/software/S0607">KillDisk</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020." data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Secureworks. (2020, May 1). IRON VIKING Threat Profile. 
Retrieved June 10, 2020."data-reference="Secureworks IRON VIKING "><sup><a href="https://www.secureworks.com/research/threat-profiles/iron-viking" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1134">Access Token Manipulation</a>, <a href="/versions/v16/techniques/T1485">Data Destruction</a>, <a href="/versions/v16/techniques/T0809">Data Destruction</a>, <a href="/versions/v16/techniques/T1486">Data Encrypted for Impact</a>, <a href="/versions/v16/techniques/T1561">Disk Wipe</a>: <a href="/versions/v16/techniques/T1561/002">Disk Structure Wipe</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/001">Clear Windows Event Logs</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/004">File Deletion</a>, <a href="/versions/v16/techniques/T0872">Indicator Removal on Host</a>, <a href="/versions/v16/techniques/T0829">Loss of View</a>, <a href="/versions/v16/techniques/T1036">Masquerading</a>: <a href="/versions/v16/techniques/T1036/004">Masquerade Task or Service</a>, <a href="/versions/v16/techniques/T1106">Native API</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v16/techniques/T1057">Process Discovery</a>, <a href="/versions/v16/techniques/T1489">Service Stop</a>, <a href="/versions/v16/techniques/T0881">Service Stop</a>, <a href="/versions/v16/techniques/T1129">Shared Modules</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a>, <a href="/versions/v16/techniques/T1529">System Shutdown/Reboot</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0002">S0002</a> </td> <td> <a href="/versions/v16/software/S0002">Mimikatz</a> </td> <td> <span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" 
title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v16/techniques/T1134/005">SID-History Injection</a>, <a href="/versions/v16/techniques/T1098">Account Manipulation</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/005">Security Support Provider</a>, <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>, <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v16/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v16/techniques/T1555/004">Windows Credential Manager</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/006">DCSync</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/002">Security Account Manager</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/004">LSA Secrets</a>, <a href="/versions/v16/techniques/T1207">Rogue Domain Controller</a>, <a href="/versions/v16/techniques/T1649">Steal or Forge Authentication Certificates</a>, <a href="/versions/v16/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v16/techniques/T1558/001">Golden Ticket</a>, <a href="/versions/v16/techniques/T1558">Steal or Forge 
Kerberos Tickets</a>: <a href="/versions/v16/techniques/T1558/002">Silver Ticket</a>, <a href="/versions/v16/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v16/techniques/T1552/004">Private Keys</a>, <a href="/versions/v16/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v16/techniques/T1550/002">Pass the Hash</a>, <a href="/versions/v16/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v16/techniques/T1550/003">Pass the Ticket</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0039">S0039</a> </td> <td> <a href="/versions/v16/software/S0039">Net</a> </td> <td> <span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1087">Account Discovery</a>: <a href="/versions/v16/techniques/T1087/002">Domain Account</a>, <a href="/versions/v16/techniques/T1087">Account Discovery</a>: <a href="/versions/v16/techniques/T1087/001">Local Account</a>, <a href="/versions/v16/techniques/T1098">Account Manipulation</a>: <a href="/versions/v16/techniques/T1098/007">Additional Local or Domain Groups</a>, <a href="/versions/v16/techniques/T1136">Create Account</a>: <a href="/versions/v16/techniques/T1136/001">Local Account</a>, <a href="/versions/v16/techniques/T1136">Create Account</a>: <a href="/versions/v16/techniques/T1136/002">Domain Account</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/005">Network Share Connection Removal</a>, <a href="/versions/v16/techniques/T1135">Network Share Discovery</a>, <a 
href="/versions/v16/techniques/T1201">Password Policy Discovery</a>, <a href="/versions/v16/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v16/techniques/T1069/002">Domain Groups</a>, <a href="/versions/v16/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v16/techniques/T1069/001">Local Groups</a>, <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/versions/v16/techniques/T1018">Remote System Discovery</a>, <a href="/versions/v16/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v16/techniques/T1007">System Service Discovery</a>, <a href="/versions/v16/techniques/T1569">System Services</a>: <a href="/versions/v16/techniques/T1569/002">Service Execution</a>, <a href="/versions/v16/techniques/T1124">System Time Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0368">S0368</a> </td> <td> <a href="/versions/v16/software/S0368">NotPetya</a> </td> <td> <span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020." data-reference="NCSC Sandworm Feb 2020"><sup><a href="https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020." data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="UK NCSC. 
(2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games. Retrieved November 30, 2020." data-reference="UK NCSC Olympic Attacks October 2020"><sup><a href="https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." data-reference="Secureworks IRON VIKING "><sup><a href="https://www.secureworks.com/research/threat-profiles/iron-viking" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022." data-reference="Trend Micro Cyclops Blink March 2022"><sup><a href="https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. 
Retrieved July 11, 2024."data-reference="mandiant_apt44_unearthing_sandworm"><sup><a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1486">Data Encrypted for Impact</a>, <a href="/versions/v16/techniques/T1210">Exploitation of Remote Services</a>, <a href="/versions/v16/techniques/T0866">Exploitation of Remote Services</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/001">Clear Windows Event Logs</a>, <a href="/versions/v16/techniques/T0867">Lateral Tool Transfer</a>, <a href="/versions/v16/techniques/T0828">Loss of Productivity and Revenue</a>, <a href="/versions/v16/techniques/T1036">Masquerading</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/versions/v16/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v16/techniques/T1053/005">Scheduled Task</a>, <a href="/versions/v16/techniques/T1518">Software Discovery</a>: <a href="/versions/v16/techniques/T1518/001">Security Software Discovery</a>, <a href="/versions/v16/techniques/T1218">System Binary Proxy Execution</a>: <a href="/versions/v16/techniques/T1218/011">Rundll32</a>, <a href="/versions/v16/techniques/T1569">System Services</a>: <a href="/versions/v16/techniques/T1569/002">Service Execution</a>, <a href="/versions/v16/techniques/T1529">System Shutdown/Reboot</a>, <a href="/versions/v16/techniques/T1078">Valid Accounts</a>: <a href="/versions/v16/techniques/T1078/003">Local Accounts</a>, <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> 
<tr> <td> <a href="/versions/v16/software/S0365">S0365</a> </td> <td> <a href="/versions/v16/software/S0365">Olympic Destroyer</a> </td> <td> <span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="CrowdStrike. (2019, January). 2019 Global Threat Report. Retrieved June 10, 2020." data-reference="CrowdStrike GTR 2019"><sup><a href="https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2019GlobalThreatReport.pdf" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." data-reference="Secureworks IRON VIKING "><sup><a href="https://www.secureworks.com/research/threat-profiles/iron-viking" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020." data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games. Retrieved November 30, 2020." data-reference="UK NCSC Olympic Attacks October 2020"><sup><a href="https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Haquebord, F. et al. (2022, March 17). 
Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022."data-reference="Trend Micro Cyclops Blink March 2022"><sup><a href="https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024."data-reference="mandiant_apt44_unearthing_sandworm"><sup><a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v16/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v16/techniques/T1485">Data Destruction</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/001">Clear Windows Event Logs</a>, <a href="/versions/v16/techniques/T1490">Inhibit System Recovery</a>, <a href="/versions/v16/techniques/T1570">Lateral Tool Transfer</a>, <a href="/versions/v16/techniques/T1135">Network Share Discovery</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/versions/v16/techniques/T1018">Remote System Discovery</a>, <a href="/versions/v16/techniques/T1489">Service Stop</a>, <a href="/versions/v16/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v16/techniques/T1569">System Services</a>: <a href="/versions/v16/techniques/T1569/002">Service Execution</a>, <a href="/versions/v16/techniques/T1529">System Shutdown/Reboot</a>, <a 
href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0598">S0598</a> </td> <td> <a href="/versions/v16/software/S0598">P.A.S. Webshell</a> </td> <td> <span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021."data-reference="ANSSI Sandworm January 2021"><sup><a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1087">Account Discovery</a>: <a href="/versions/v16/techniques/T1087/001">Local Account</a>, <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1110">Brute Force</a>: <a href="/versions/v16/techniques/T1110/001">Password Guessing</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>, <a href="/versions/v16/techniques/T1213">Data from Information Repositories</a>, <a href="/versions/v16/techniques/T1005">Data from Local System</a>, <a href="/versions/v16/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1222">File and Directory Permissions Modification</a>: <a href="/versions/v16/techniques/T1222/002">Linux and Mac File and Directory Permissions Modification</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/004">File Deletion</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1046">Network Service Discovery</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>, <a 
href="/versions/v16/techniques/T1505">Server Software Component</a>: <a href="/versions/v16/techniques/T1505/003">Web Shell</a>, <a href="/versions/v16/techniques/T1518">Software Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0378">S0378</a> </td> <td> <a href="/versions/v16/software/S0378">PoshC2</a> </td> <td> <a href="/versions/v16/groups/G0034">Sandworm Team</a> has used multiple publicly available tools during operations, such as PoshC2.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024."data-reference="mandiant_apt44_unearthing_sandworm"><sup><a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/versions/v16/techniques/T1548/002">Bypass User Account Control</a>, <a href="/versions/v16/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v16/techniques/T1134/002">Create Process with Token</a>, <a href="/versions/v16/techniques/T1134">Access Token Manipulation</a>, <a href="/versions/v16/techniques/T1087">Account Discovery</a>: <a href="/versions/v16/techniques/T1087/001">Local Account</a>, <a href="/versions/v16/techniques/T1087">Account Discovery</a>: <a href="/versions/v16/techniques/T1087/002">Domain Account</a>, <a href="/versions/v16/techniques/T1557">Adversary-in-the-Middle</a>: <a href="/versions/v16/techniques/T1557/001">LLMNR/NBT-NS Poisoning and SMB Relay</a>, <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1560">Archive Collected Data</a>: <a href="/versions/v16/techniques/T1560/001">Archive via Utility</a>, <a href="/versions/v16/techniques/T1119">Automated 
Collection</a>, <a href="/versions/v16/techniques/T1110">Brute Force</a>, <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>, <a href="/versions/v16/techniques/T1482">Domain Trust Discovery</a>, <a href="/versions/v16/techniques/T1546">Event Triggered Execution</a>: <a href="/versions/v16/techniques/T1546/003">Windows Management Instrumentation Event Subscription</a>, <a href="/versions/v16/techniques/T1068">Exploitation for Privilege Escalation</a>, <a href="/versions/v16/techniques/T1210">Exploitation of Remote Services</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/001">Keylogging</a>, <a href="/versions/v16/techniques/T1046">Network Service Discovery</a>, <a href="/versions/v16/techniques/T1040">Network Sniffing</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v16/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v16/techniques/T1201">Password Policy Discovery</a>, <a href="/versions/v16/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v16/techniques/T1069/001">Local Groups</a>, <a href="/versions/v16/techniques/T1055">Process Injection</a>, <a href="/versions/v16/techniques/T1090">Proxy</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a>, <a href="/versions/v16/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v16/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v16/techniques/T1007">System Service Discovery</a>, <a href="/versions/v16/techniques/T1569">System Services</a>: <a href="/versions/v16/techniques/T1569/002">Service Execution</a>, <a href="/versions/v16/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v16/techniques/T1552/001">Credentials In Files</a>, <a href="/versions/v16/techniques/T1550">Use Alternate Authentication 
Material</a>: <a href="/versions/v16/techniques/T1550/002">Pass the Hash</a>, <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1058">S1058</a> </td> <td> <a href="/versions/v16/software/S1058">Prestige</a> </td> <td> <span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="MSTIC. (2022, October 14). New &quot;Prestige&quot; ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023." data-reference="Microsoft Prestige ransomware October 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024." data-reference="mandiant_apt44_unearthing_sandworm"><sup><a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/001">PowerShell</a>, <a href="/versions/v16/techniques/T1486">Data Encrypted for Impact</a>, <a href="/versions/v16/techniques/T1484">Domain or Tenant Policy Modification</a>: <a href="/versions/v16/techniques/T1484/001">Group Policy Modification</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1490">Inhibit System Recovery</a>, <a href="/versions/v16/techniques/T1112">Modify Registry</a>, <a href="/versions/v16/techniques/T1106">Native API</a>, <a href="/versions/v16/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v16/techniques/T1053/005">Scheduled Task</a>, <a 
href="/versions/v16/techniques/T1489">Service Stop</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0029">S0029</a> </td> <td> <a href="/versions/v16/software/S0029">PsExec</a> </td> <td> <span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1136">Create Account</a>: <a href="/versions/v16/techniques/T1136/002">Domain Account</a>, <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v16/techniques/T1543/003">Windows Service</a>, <a href="/versions/v16/techniques/T1570">Lateral Tool Transfer</a>, <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/versions/v16/techniques/T1569">System Services</a>: <a href="/versions/v16/techniques/T1569/002">Service Execution</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0195">S0195</a> </td> <td> <a href="/versions/v16/software/S0195">SDelete</a> </td> <td> <a href="/versions/v16/groups/G0034">Sandworm Team</a> has used <a href="/versions/v16/software/S0195">SDelete</a> for wartime operations in 2022-2023.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. 
Retrieved July 11, 2024."data-reference="mandiant_apt44_unearthing_sandworm"><sup><a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1485">Data Destruction</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/004">File Deletion</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1010">S1010</a> </td> <td> <a href="/versions/v16/software/S1010">VPNFilter</a> </td> <td> <a href="/versions/v16/software/S1010">VPNFilter</a> is associated with <a href="/versions/v16/groups/G0034">Sandworm Team</a> operations based on reporting on <a href="/versions/v16/software/S1010">VPNFilter</a> replacement software, <a href="/versions/v16/software/S0687">Cyclops Blink</a>.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="NCSC, CISA, FBI, NSA. (2022, February 23). New Sandworm malware Cyclops Blink replaces VPNFilter. Retrieved March 3, 2022."data-reference="NCSC CISA Cyclops Blink Advisory February 2022"><sup><a href="https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T0830">Adversary-in-the-Middle</a>, <a href="/versions/v16/techniques/T1561">Disk Wipe</a>: <a href="/versions/v16/techniques/T1561/001">Disk Content Wipe</a>, <a href="/versions/v16/techniques/T0842">Network Sniffing</a> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank"> Scott W. 
Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games" target="_blank"> UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games. Retrieved November 30, 2020. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html" target="_blank"> Hultquist, J. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/" target="_blank"> Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia/index.html" target="_blank"> Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved September 12, 2024. 
</a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory" target="_blank"> NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank"> Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://www.dragos.com/resource/electrum/" target="_blank"> Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.secureworks.com/research/threat-profiles/iron-viking" target="_blank"> Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" target="_blank"> F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. 
</a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank"> MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" target="_blank"> Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/" target="_blank"> Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" target="_blank"> Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank"> Booz Allen Hamilton. (n.d.). When The Lights Went Out. 
Retrieved October 22, 2019. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://www.wired.com/story/russian-hackers-attack-ukraine/" target="_blank"> Andy Greenberg. (2017, June 28). How an Entire Nation Became Russia's Test Lab for Cyberwar. Retrieved September 27, 2023. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank"> Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved December 18, 2020. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank"> Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf" target="_blank"> Joe Slowik. (2019, August 15). CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack. Retrieved October 22, 2019. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank"> Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). 
Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://www.dragos.com/blog/new-details-electrum-ukraine-electric-sector-compromise-2022/" target="_blank"> Dragos, Inc. (2023, December 11). ELECTRUM Targeted Ukrainian Electric Entity Using Custom Tools and CaddyWiper Malware, October 2022. Retrieved March 28, 2024. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank"> Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/" target="_blank"> Cherepanov, A. (2017, July 4). Analysis of TeleBots’ cunning backdoor. Retrieved June 11, 2020. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm/" target="_blank"> Joseph Slowik, DomainTools. (2021, March 3). Centreon to Exim and Back: On the Trail of Sandworm. Retrieved April 6, 2024. 
</a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" target="_blank"> Cherepanov, A. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved June 10, 2020. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/" target="_blank"> Cherepanov, A. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="27"> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf" target="_blank"> National Security Agency. (2020, May 28). Sandworm Actors Exploiting Vulnerability In EXIM Mail Transfer Agent. Retrieved March 1, 2024. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf" target="_blank"> NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022. 
</a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank"> Dragos Inc. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://www.us-cert.gov/ics/alerts/IR-ALERT-H-16-056-01" target="_blank"> US-CERT. (2016, February 25). ICS Alert (IR-ALERT-H-16-056-01) Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved June 10, 2020. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://web.archive.org/web/20160503234007/https://www.isightpartners.com/2014/10/cve-2014-4114/" target="_blank"> Ward, S. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-windows-zero-day-vulnerability-cve-2014-4114-aka-sandworm/" target="_blank"> Wu, W. (2014, October 14). An Analysis of Windows Zero-day Vulnerability ‘CVE-2014-4114’ aka “Sandworm”. Retrieved June 18, 2020. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2" target="_blank"> Li, H. (2013, November 5). 
McAfee Labs Detects Zero-Day Exploit Targeting Microsoft Office. Retrieved June 18, 2020. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" target="_blank"> ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank"> Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case. Retrieved March 27, 2018. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://www.zdnet.com/article/how-hackers-attacked-ukraines-power-grid-implications-for-industrial-iot-security/" target="_blank"> Charles McLellan. (2016, March 4). How hackers attacked Ukraine's power grid: Implications for Industrial IoT security. Retrieved September 27, 2023. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/" target="_blank"> Morgan, K. (2023, October 18). Government-backed actors exploiting WinRAR vulnerability. Retrieved July 19, 2024. 
</a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://www.secureworks.com/blog/notpetya-campaign-what-we-know-about-the-latest-global-ransomware-attack" target="_blank"> Counter Threat Research Team. (2017, June 28). NotPetya Campaign: What We Know About the Latest Global Ransomware Attack. Retrieved June 11, 2020. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank"> Dragos. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved October 14, 2019. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank"> Dragos Inc. (2017, June 13). Industroyer - Dragos - 201706: Analysis of the Threat to Electric Grid Operations. Retrieved September 18, 2017. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B" target="_blank"> ICS-CERT. (2014, December 10). ICS Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS (Update E). Retrieved October 11, 2019. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B" target="_blank"> ICS-CERT. (2018, September 6). Advantech/Broadwin WebAccess RPC Vulnerability (Update B). 
Retrieved December 5, 2019. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://cyberscoop.com/viasat-malware-wiper-acidrain/" target="_blank"> A.J. Vincens, CyberScoop. (2024, March 18). Researchers spot updated version of malware that hit Viasat. Retrieved March 25, 2024. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/" target="_blank"> Juan Andres Guerrero-Saade and Max van Amerongen, SentinelOne. (2022, March 31). AcidRain | A Modem Wiper Rains Down on Europe. Retrieved March 25, 2024. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://www.youtube.com/watch?v=xoNSbm1aX_w" target="_blank"> B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter" target="_blank"> NCSC, CISA, FBI, NSA. (2022, February 23). New Sandworm malware Cyclops Blink replaces VPNFilter. Retrieved March 3, 2022. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html" target="_blank"> Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022. 
</a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" target="_blank"> Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://www.secureworks.com/research/threat-profiles/iron-viking" target="_blank"> Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/" target="_blank"> ESET. (2022, April 12). Industroyer2: Industroyer reloaded. Retrieved March 30, 2023. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2019GlobalThreatReport.pdf" target="_blank"> CrowdStrike. (2019, January). 2019 Global Threat Report. Retrieved June 10, 2020. 
</a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v16/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v16/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v16/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a 
href="/versions/v16/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/versions/v16/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&CK content v16.1
Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> © 2015 - 2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div> <!--stopindex--> </div> <!--SCRIPTS--> <script src="/versions/v16/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v16/theme/scripts/popper.min.js"></script> <script src="/versions/v16/theme/scripts/bootstrap-select.min.js"></script> <script src="/versions/v16/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v16/theme/scripts/site.js"></script> <script src="/versions/v16/theme/scripts/settings.js"></script> <script src="/versions/v16/theme/scripts/search_bundle.js"></script> <!--SCRIPTS--> <script src="/versions/v16/theme/scripts/resizer.js"></script> <!--SCRIPTS--> <script src="/versions/v16/theme/scripts/sidebar-load-all.js"></script> <script src="/versions/v16/theme/scripts/bootstrap-tourist.js"></script> <script src="/versions/v16/theme/scripts/settings.js"></script> <script src="/versions/v16/theme/scripts/tour/tour-relationships.js"></script> </body> </html>