Sandworm

aka: Sandworm Team, Black Energy, BlackEnergy, Quedagh, Voodoo Bear, TEMP.Noble

Sandworm is a threat actor that targets industrial control systems, in particular those used in electricity generation and distribution, using the BlackEnergy malware family for espionage, denial of service and data destruction. It is believed to be responsible for the distributed denial-of-service attacks against Georgia in 2008, shortly before the Russian invasion, and for the December 2015 compromise of the Ukrainian electrical grid that caused a power outage.

References
http://www.isightpartners.com/2014/10/cve-2014-4114/
http://www.isightpartners.com/2016/01/ukraine-and-sandworm-team/
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
https://www.us-cert.gov/ncas/alerts/TA17-163A
https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid
https://www.cfr.org/interactive/cyber-operations/black-energy

Families
win.blackenergy
win.eternal_petya
win.faketc
win.killdisk
win.telebot
win.teledoor

Credits: MISP Project