SYMBOLCOMMON_NAMEaka. SYNONYMS

Sandworm  (Back to overview)

aka: Quedagh, VOODOO BEAR, TEMP.Noble, IRON VIKING, G0034, ELECTRUM, TeleBots, IRIDIUM, Blue Echidna

This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and a distributed denial of service prior to the Russian invasion of Georgia. Believed to be responsible for the 2008 DDoS attacks in Georgia and the 2015 Ukraine power grid outage

Associated Families
elf.exaramel win.blackenergy win.credraptor win.eternal_petya win.exaramel win.grey_energy win.industroyer win.industroyer2 win.killdisk win.telebot win.teledoor win.arguepatch
References
2022-09-23MandiantMandiant Intelligence
@online{intelligence:20220923:gru:511ea47, author = {Mandiant Intelligence}, title = {{GRU: Rise of the (Telegram) MinIOns}}, date = {2022-09-23}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/gru-rise-telegram-minions}, language = {English}, urldate = {2022-09-26} } GRU: Rise of the (Telegram) MinIOns
ArguePatch CaddyWiper
2022-08-18TrustwavePawel Knapczyk
@online{knapczyk:20220818:overview:bf3eca2, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/}, language = {English}, urldate = {2022-08-28} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-18TrustwavePawel Knapczyk
@online{knapczyk:20220818:overview:a12950c, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war}, language = {English}, urldate = {2022-08-22} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-12CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220812:anatomy:b13ce32, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}}, date = {2022-08-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/}, language = {English}, urldate = {2022-08-15} } The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-07-19GoogleBilly Leonard
@online{leonard:20220719:continued:2a97da1, author = {Billy Leonard}, title = {{Continued cyber activity in Eastern Europe observed by TAG}}, date = {2022-07-19}, organization = {Google}, url = {https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag}, language = {English}, urldate = {2022-08-05} } Continued cyber activity in Eastern Europe observed by TAG
CyberAzov APT28 Callisto Ghostwriter Sandworm Turla
2022-06-23splunkSplunk Threat Research Team
@online{team:20220623:threat:c75f097, author = {Splunk Threat Research Team}, title = {{Threat Update: Industroyer2}}, date = {2022-06-23}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html}, language = {English}, urldate = {2022-08-22} } Threat Update: Industroyer2
INDUSTROYER2
2022-05-31NOZOMI Network LabsGiannis Tsaraias, Ivan Speziale
@techreport{tsaraias:20220531:industroyer:67799a0, author = {Giannis Tsaraias and Ivan Speziale}, title = {{Industroyer vs. Industroyer2: Evolution of the IEC 104 Component}}, date = {2022-05-31}, institution = {NOZOMI Network Labs}, url = {https://www.nozominetworks.com/downloads/US/Nozomi-Networks-WP-Industroyer2.pdf}, language = {English}, urldate = {2022-09-06} } Industroyer vs. Industroyer2: Evolution of the IEC 104 Component
INDUSTROYER2
2022-05-18ntopntop
@online{ntop:20220518:how:b94772c, author = {ntop}, title = {{How ntopng monitors IEC 60870-5-104 traffic}}, date = {2022-05-18}, organization = {ntop}, url = {https://www.ntop.org/cybersecurity/how-ntopng-monitors-iec-60870-5-104-traffic/}, language = {English}, urldate = {2022-05-25} } How ntopng monitors IEC 60870-5-104 traffic
INDUSTROYER2
2022-05-12BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220512:threat:c711afc, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: Malware Rebooted - How Industroyer2 Takes Aim at Ukraine Infrastructure}}, date = {2022-05-12}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/05/threat-thursday-malware-rebooted-how-industroyer2-takes-aim-at-ukraine-infrastructure}, language = {English}, urldate = {2022-05-17} } Threat Thursday: Malware Rebooted - How Industroyer2 Takes Aim at Ukraine Infrastructure
INDUSTROYER2
2022-05-02AT&TFernando Martinez
@online{martinez:20220502:analysis:e5d626b, author = {Fernando Martinez}, title = {{Analysis on recent wiper attacks: examples and how wiper malware works}}, date = {2022-05-02}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works}, language = {English}, urldate = {2022-05-04} } Analysis on recent wiper attacks: examples and how wiper malware works
AcidRain CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper
2022-04-28FortinetGergely Revay
@online{revay:20220428:overview:0ac963f, author = {Gergely Revay}, title = {{An Overview of the Increasing Wiper Malware Threat}}, date = {2022-04-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat}, language = {English}, urldate = {2022-04-29} } An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2022-04-27Nozomi NetworksNozomi Networks Labs
@online{labs:20220427:industroyer2:a037c0d, author = {Nozomi Networks Labs}, title = {{Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload}}, date = {2022-04-27}, organization = {Nozomi Networks}, url = {https://www.nozominetworks.com/blog/industroyer2-nozomi-networks-labs-analyzes-the-iec-104-payload/}, language = {English}, urldate = {2022-04-29} } Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload
INDUSTROYER2
2022-04-27MicrosoftMicrosoft Digital Security Unit (DSU)
@online{dsu:20220427:special:f1a2031, author = {Microsoft Digital Security Unit (DSU)}, title = {{Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine}}, date = {2022-04-27}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd}, language = {English}, urldate = {2022-05-03} } Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine
CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate
2022-04-25MandiantDaniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker
@online{zafra:20220425:industroyerv2:5548d98, author = {Daniel Kapellmann Zafra and Raymond Leong and Chris Sistrunk and Ken Proska and Corey Hildebrandt and Keith Lunden and Nathan Brubaker}, title = {{INDUSTROYER.V2: Old Malware Learns New Tricks}}, date = {2022-04-25}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/industroyer-v2-old-malware-new-tricks}, language = {English}, urldate = {2022-04-29} } INDUSTROYER.V2: Old Malware Learns New Tricks
INDUSTROYER2
2022-04-25NetresecErik Hjelmvik
@online{hjelmvik:20220425:industroyer2:ed9e211, author = {Erik Hjelmvik}, title = {{Industroyer2 IEC-104 Analysis}}, date = {2022-04-25}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2022-04&post=Industroyer2-IEC-104-Analysis}, language = {English}, urldate = {2022-04-29} } Industroyer2 IEC-104 Analysis
INDUSTROYER2
2022-04-23Stranded on Pylos BlogJoe Slowik
@online{slowik:20220423:industroyer2:c8064df, author = {Joe Slowik}, title = {{Industroyer2 in Perspective}}, date = {2022-04-23}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2022/04/23/industroyer2-in-perspective/}, language = {English}, urldate = {2022-04-25} } Industroyer2 in Perspective
INDUSTROYER2
2022-04-20CISACISA
@online{cisa:20220420:alert:529e28c, author = {CISA}, title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a}, language = {English}, urldate = {2022-04-25} } Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2022-04-20CISACISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
@techreport{cisa:20220420:aa22110a:4fde5d6, author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)}, title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf}, language = {English}, urldate = {2022-04-25} } AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-14SCADAfenceMaayan Fishelov
@online{fishelov:20220414:industroyer2:31408b6, author = {Maayan Fishelov}, title = {{Industroyer2: ICS Networks need to heighten vigilance - SCADAfence}}, date = {2022-04-14}, organization = {SCADAfence}, url = {https://blog.scadafence.com/industroyer2-attack}, language = {English}, urldate = {2022-05-25} } Industroyer2: ICS Networks need to heighten vigilance - SCADAfence
INDUSTROYER2
2022-04-12ESET ResearchESET Research
@online{research:20220412:industroyer2:4d6c5f8, author = {ESET Research}, title = {{Industroyer2: Industroyer reloaded}}, date = {2022-04-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/}, language = {English}, urldate = {2022-04-13} } Industroyer2: Industroyer reloaded
ArguePatch CaddyWiper Industroyer INDUSTROYER2
2022-04-12Twitter (@silascutler)Silas Cutler
@online{cutler:20220412:analysis:561c2a2, author = {Silas Cutler}, title = {{Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2}}, date = {2022-04-12}, organization = {Twitter (@silascutler)}, url = {https://twitter.com/silascutler/status/1513870210398363651}, language = {English}, urldate = {2022-05-25} } Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2
CaddyWiper INDUSTROYER2
2022-04-12ESET ResearchESET Ireland
@online{ireland:20220412:industroyer2:aa61be3, author = {ESET Ireland}, title = {{Industroyer2: Industroyer reloaded}}, date = {2022-04-12}, organization = {ESET Research}, url = {https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/}, language = {English}, urldate = {2022-05-04} } Industroyer2: Industroyer reloaded
CaddyWiper INDUSTROYER2
2022-04-12Cert-UACert-UA
@online{certua:20220412:cyberattack:5f28c75, author = {Cert-UA}, title = {{Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)}}, date = {2022-04-12}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39518}, language = {Ukrainian}, urldate = {2022-05-25} } Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
CaddyWiper Industroyer INDUSTROYER2
2022-03-01Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20220301:diskkillhermeticwiper:e543742, author = {Marco Ramilli}, title = {{DiskKill/HermeticWiper and NotPetya (Dis)similarities}}, date = {2022-03-01}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2022/03/01/diskkill-hermeticwiper-and-notpetya-dissimilarities/}, language = {English}, urldate = {2022-03-02} } DiskKill/HermeticWiper and NotPetya (Dis)similarities
EternalPetya HermeticWiper
2022-02-28MicrosoftMSRC Team
@online{team:20220228:cyber:69efe8b, author = {MSRC Team}, title = {{Cyber threat activity in Ukraine: analysis and resources}}, date = {2022-02-28}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/}, language = {English}, urldate = {2022-07-25} } Cyber threat activity in Ukraine: analysis and resources
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate DEV-0586
2022-02-25CyberPeace Institute
@online{institute:20220225:ukraine:eb66e34, author = {CyberPeace Institute}, title = {{UKRAINE: Timeline of Cyberattacks}}, date = {2022-02-25}, url = {https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks}, language = {English}, urldate = {2022-03-01} } UKRAINE: Timeline of Cyberattacks
VPNFilter EternalPetya HermeticWiper WhisperGate
2022-02-24TalosMitch Neff
@online{neff:20220224:threat:93f498c, author = {Mitch Neff}, title = {{Threat Advisory: Current executive guidance for ongoing cyberattacks in Ukraine}}, date = {2022-02-24}, organization = {Talos}, url = {https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html}, language = {English}, urldate = {2022-03-01} } Threat Advisory: Current executive guidance for ongoing cyberattacks in Ukraine
VPNFilter EternalPetya
2022-02-24nvisoMichel Coene
@online{coene:20220224:threat:f0dba09, author = {Michel Coene}, title = {{Threat Update – Ukraine & Russia conflict}}, date = {2022-02-24}, organization = {nviso}, url = {https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/}, language = {English}, urldate = {2022-03-01} } Threat Update – Ukraine & Russia conflict
EternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate
2022-02-24TesorionTESORION
@techreport{tesorion:20220224:report:e2f2082, author = {TESORION}, title = {{Report OSINT: Russia/ Ukraine Conflict Cyberaspect}}, date = {2022-02-24}, institution = {Tesorion}, url = {https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf}, language = {English}, urldate = {2022-03-01} } Report OSINT: Russia/ Ukraine Conflict Cyberaspect
Mirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate
2022-02-23ISTARIManuel Hepfer
@online{hepfer:20220223:recap:48c7c69, author = {Manuel Hepfer}, title = {{Re-cap: The Untold Story of NotPetya, The Most Devastating Cyberattack in History}}, date = {2022-02-23}, organization = {ISTARI}, url = {https://istari-global.com/spotlight/the-untold-story-of-notpetya/}, language = {English}, urldate = {2022-03-01} } Re-cap: The Untold Story of NotPetya, The Most Devastating Cyberattack in History
EternalPetya
2021-09-09Recorded FutureInsikt Group
@techreport{group:20210909:dark:cd6bb6a, author = {Insikt Group}, title = {{Dark Covenant: Connections Between the Russian State and Criminal Actors}}, date = {2021-09-09}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf}, language = {English}, urldate = {2021-09-10} } Dark Covenant: Connections Between the Russian State and Criminal Actors
BlackEnergy EternalPetya Gameover P2P Zeus
2021-08-05SymantecThreat Hunter Team
@techreport{team:20210805:attacks:c2d7348, author = {Threat Hunter Team}, title = {{Attacks Against Critical Infrastructure: A Global Concern}}, date = {2021-08-05}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf}, language = {English}, urldate = {2021-08-06} } Attacks Against Critical Infrastructure: A Global Concern
BlackEnergy DarkSide DistTrack Stuxnet
2021-07-27BlackberryBlackBerry Research & Intelligence Team
@techreport{team:20210727:old:3060d53, author = {BlackBerry Research & Intelligence Team}, title = {{Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages}}, date = {2021-07-27}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf}, language = {English}, urldate = {2021-07-27} } Old Dogs New Tricks: Attackers Adopt Exotic Programming Languages
elf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy
2021-04-29The Institute for Security and TechnologyThe Institute for Security and Technology
@techreport{technology:20210429:combating:0d7c48e, author = {The Institute for Security and Technology}, title = {{Combating Ransomware A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force}}, date = {2021-04-29}, institution = {The Institute for Security and Technology}, url = {https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf}, language = {English}, urldate = {2021-05-03} } Combating Ransomware A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force
Conti EternalPetya
2021-04-29ESET ResearchRobert Lipovsky, Matthieu Faou, Tony Anscombe, Andy Garth, Daniel Chromek
@techreport{lipovsky:20210429:eset:ff67b6c, author = {Robert Lipovsky and Matthieu Faou and Tony Anscombe and Andy Garth and Daniel Chromek}, title = {{ESET Industry Report on Government: Targeted but not alone}}, date = {2021-04-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf}, language = {English}, urldate = {2021-05-03} } ESET Industry Report on Government: Targeted but not alone
Exaramel Crutch Exaramel HyperBro HyperSSL InvisiMole XDSpy
2021-03-03DomainToolsJoe Slowik
@online{slowik:20210303:centreon:f590f6e, author = {Joe Slowik}, title = {{Centreon to Exim and Back: On the Trail of Sandworm}}, date = {2021-03-03}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm}, language = {English}, urldate = {2021-03-06} } Centreon to Exim and Back: On the Trail of Sandworm
Exaramel PAS
2021-02-16Twitter (@craiu)Costin Raiu
@online{raiu:20210216:twitter:97496ec, author = {Costin Raiu}, title = {{Twitter thread on Exaramel Linux backdoor used by Russian Group Sandworm}}, date = {2021-02-16}, organization = {Twitter (@craiu)}, url = {https://twitter.com/craiu/status/1361581668092493824}, language = {English}, urldate = {2021-02-20} } Twitter thread on Exaramel Linux backdoor used by Russian Group Sandworm
Exaramel
2021-02-15WiredAndy Greenberg
@online{greenberg:20210215:france:b543876, author = {Andy Greenberg}, title = {{France Ties Russia's Sandworm to a Multiyear Hacking Spree}}, date = {2021-02-15}, organization = {Wired}, url = {https://www.wired.com/story/sandworm-centreon-russia-hack/}, language = {English}, urldate = {2021-02-20} } France Ties Russia's Sandworm to a Multiyear Hacking Spree
Exaramel Exaramel
2021-02-11DomainToolsJoe Slowik
@online{slowik:20210211:visibility:5d2f96e, author = {Joe Slowik}, title = {{Visibility, Monitoring, and Critical Infrastructure Security}}, date = {2021-02-11}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security}, language = {English}, urldate = {2021-02-20} } Visibility, Monitoring, and Critical Infrastructure Security
Industroyer Stuxnet Triton
2021-01-27CERT-FRCERT-FR
@techreport{certfr:20210127:sandword:7f2e586, author = {CERT-FR}, title = {{Sandword Intrusion Set: Campaign Targeting Centreon Ssystems}}, date = {2021-01-27}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf}, language = {English}, urldate = {2021-03-02} } Sandword Intrusion Set: Campaign Targeting Centreon Ssystems
Exaramel PAS Exaramel
2020-12-21IronNetAdam Hlavek, Kimberly Ortiz
@online{hlavek:20201221:russian:804662f, author = {Adam Hlavek and Kimberly Ortiz}, title = {{Russian cyber attack campaigns and actors}}, date = {2020-12-21}, organization = {IronNet}, url = {https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors}, language = {English}, urldate = {2021-01-05} } Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess
2020-11-12DragosDragos
@techreport{dragos:20201112:cyber:cf5b4fd, author = {Dragos}, title = {{Cyber Threat Perspective MANUFACTURING SECTOR}}, date = {2020-11-12}, institution = {Dragos}, url = {https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf}, language = {English}, urldate = {2020-11-18} } Cyber Threat Perspective MANUFACTURING SECTOR
Industroyer Snake
2020-11-04Stranded on Pylos BlogJoe Slowik
@online{slowik:20201104:enigmatic:c2d7b4e, author = {Joe Slowik}, title = {{The Enigmatic Energetic Bear}}, date = {2020-11-04}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/}, language = {English}, urldate = {2020-11-06} } The Enigmatic Energetic Bear
EternalPetya Havex RAT
2020-10-19UK GovernmentForeignCommonwealth & Development Office, Dominic Raab
@online{office:20201019:uk:7ead390, author = {ForeignCommonwealth & Development Office and Dominic Raab}, title = {{UK exposes series of Russian cyber attacks against Olympic and Paralympic Games}}, date = {2020-10-19}, organization = {UK Government}, url = {https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games}, language = {English}, urldate = {2020-10-23} } UK exposes series of Russian cyber attacks against Olympic and Paralympic Games
VPNFilter BlackEnergy EternalPetya Industroyer
2020-10-19Riskint BlogCurtis
@online{curtis:20201019:revisited:df05745, author = {Curtis}, title = {{Revisited: Fancy Bear's New Faces...and Sandworms' too}}, date = {2020-10-19}, organization = {Riskint Blog}, url = {https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too}, language = {English}, urldate = {2020-10-23} } Revisited: Fancy Bear's New Faces...and Sandworms' too
BlackEnergy EternalPetya Industroyer Olympic Destroyer
2020-10-19WiredAndy Greenberg
@online{greenberg:20201019:us:89aec2c, author = {Andy Greenberg}, title = {{US Indicts Sandworm, Russia's Most Destructive Cyberwar Unit}}, date = {2020-10-19}, organization = {Wired}, url = {https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/}, language = {English}, urldate = {2020-10-19} } US Indicts Sandworm, Russia's Most Destructive Cyberwar Unit
EternalPetya Olympic Destroyer
2020-10-19CyberScoopTim Starks
@online{starks:20201019:us:d77b8f8, author = {Tim Starks}, title = {{US charges Russian GRU officers for NotPetya, other major hacks}}, date = {2020-10-19}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/russian-hackers-notpetya-charges-gru/}, language = {English}, urldate = {2020-10-19} } US charges Russian GRU officers for NotPetya, other major hacks
EternalPetya
2020-08-29AguinetAdrien Guinet
@online{guinet:20200829:emulating:45c0c16, author = {Adrien Guinet}, title = {{Emulating NotPetya bootloader with Miasm}}, date = {2020-08-29}, organization = {Aguinet}, url = {https://aguinet.github.io//blog/2020/08/29/miasm-bootloader.html}, language = {English}, urldate = {2020-09-04} } Emulating NotPetya bootloader with Miasm
EternalPetya
2020-07-29Atlantic CouncilTrey Herr, June Lee, William Loomis, Stewart Scott
@techreport{herr:20200729:breaking:d37db04, author = {Trey Herr and June Lee and William Loomis and Stewart Scott}, title = {{BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain}}, date = {2020-07-29}, institution = {Atlantic Council}, url = {https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf}, language = {English}, urldate = {2020-08-05} } BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain
EternalPetya GoldenSpy Kwampirs Stuxnet
2020-07-29Kaspersky LabsGReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-06-21GVNSHTNGavin Ashton
@online{ashton:20200621:maersk:5121522, author = {Gavin Ashton}, title = {{Maersk, me & notPetya}}, date = {2020-06-21}, organization = {GVNSHTN}, url = {https://gvnshtn.com/maersk-me-notpetya/}, language = {English}, urldate = {2020-08-18} } Maersk, me & notPetya
EternalPetya
2020-06-09Kaspersky LabsCostin Raiu
@online{raiu:20200609:looking:3038dce, author = {Costin Raiu}, title = {{Looking at Big Threats Using Code Similarity. Part 1}}, date = {2020-06-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/big-threats-using-code-similarity-part-1/97239/}, language = {English}, urldate = {2020-08-18} } Looking at Big Threats Using Code Similarity. Part 1
Penquin Turla CCleaner Backdoor EternalPetya Regin WannaCryptor XTunnel
2020-05-31WiredAndy Greenberg
@online{greenberg:20200531:hacker:8874190, author = {Andy Greenberg}, title = {{Hacker Lexicon: What Is a Supply Chain Attack?}}, date = {2020-05-31}, organization = {Wired}, url = {https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/}, language = {English}, urldate = {2021-06-09} } Hacker Lexicon: What Is a Supply Chain Attack?
EternalPetya SUNBURST
2020-05-21PICUS SecuritySüleyman Özarslan
@online{zarslan:20200521:t1055:4400f98, author = {Süleyman Özarslan}, title = {{T1055 Process Injection}}, date = {2020-05-21}, organization = {PICUS Security}, url = {https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection}, language = {English}, urldate = {2020-06-03} } T1055 Process Injection
BlackEnergy Cardinal RAT Downdelph Emotet Kazuar RokRAT SOUNDBITE
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA
2020-01-31Virus BulletinMichal Poslušný, Peter Kálnai
@online{poslun:20200131:rich:c25f156, author = {Michal Poslušný and Peter Kálnai}, title = {{Rich Headers: leveraging this mysterious artifact of the PE format}}, date = {2020-01-31}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/}, language = {English}, urldate = {2020-02-03} } Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot
2020SecureworksSecureWorks
@online{secureworks:2020:iron:3c939bc, author = {SecureWorks}, title = {{IRON VIKING}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-viking}, language = {English}, urldate = {2020-05-23} } IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2020-01DragosJoe Slowik
@techreport{slowik:202001:threat:d891011, author = {Joe Slowik}, title = {{Threat Intelligence and the Limits of Malware Analysis}}, date = {2020-01}, institution = {Dragos}, url = {https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf}, language = {English}, urldate = {2020-06-10} } Threat Intelligence and the Limits of Malware Analysis
Exaramel Exaramel Industroyer Lookback NjRAT PlugX
2019-08-01Kaspersky LabsGReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy
2019-05-08Verizon Communications Inc.Verizon Communications Inc.
@techreport{inc:20190508:2019:3c20a3b, author = {Verizon Communications Inc.}, title = {{2019 Data Breach Investigations Report}}, date = {2019-05-08}, institution = {Verizon Communications Inc.}, url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf}, language = {English}, urldate = {2020-05-10} } 2019 Data Breach Investigations Report
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam
2019-02-12Nozomi NetworksAlessandro Di Pinto
@online{pinto:20190212:greyenergy:1acfcdf, author = {Alessandro Di Pinto}, title = {{GreyEnergy Malware Research Paper: Maldoc to Backdoor}}, date = {2019-02-12}, organization = {Nozomi Networks}, url = {https://www.nozominetworks.com/2019/02/12/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/}, language = {English}, urldate = {2020-01-10} } GreyEnergy Malware Research Paper: Maldoc to Backdoor
GreyEnergy
2019-01-25Github (NozomiNetworks)NozomiNetworks
@online{nozominetworks:20190125:toolkit:c87f77f, author = {NozomiNetworks}, title = {{Toolkit collection developed to help malware analysts dissecting and detecting the packer used by GreyEnergy samples.}}, date = {2019-01-25}, organization = {Github (NozomiNetworks)}, url = {https://github.com/NozomiNetworks/greyenergy-unpacker}, language = {English}, urldate = {2020-01-09} } Toolkit collection developed to help malware analysts dissecting and detecting the packer used by GreyEnergy samples.
GreyEnergy
2019-01-24Kaspersky LabsKaspersky Lab ICS CERT
@online{cert:20190124:greyenergys:523e803, author = {Kaspersky Lab ICS CERT}, title = {{GreyEnergy’s overlap with Zebrocy}}, date = {2019-01-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/greyenergys-overlap-with-zebrocy/89506/}, language = {English}, urldate = {2019-12-20} } GreyEnergy’s overlap with Zebrocy
GreyEnergy Zebrocy
2019-01-18Mark Edmondson
@online{edmondson:20190118:black:e66dcec, author = {Mark Edmondson}, title = {{BLACK ENERGY – Analysis}}, date = {2019-01-18}, url = {https://marcusedmondson.com/2019/01/18/black-energy-analysis/}, language = {English}, urldate = {2020-01-08} } BLACK ENERGY – Analysis
BlackEnergy
2019MITREMITRE ATT&CK
@online{attck:2019:sandworm:2c635f5, author = {MITRE ATT&CK}, title = {{Group description: Sandworm Team}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0034/}, language = {English}, urldate = {2019-12-20} } Group description: Sandworm Team
Sandworm
2019DragosDragos
@online{dragos:2019:adversary:0237a20, author = {Dragos}, title = {{Adversary Reports}}, date = {2019}, organization = {Dragos}, url = {https://dragos.com/adversaries.html}, language = {English}, urldate = {2020-01-10} } Adversary Reports
ALLANITE APT33 CHRYSENE ENERGETIC BEAR Lazarus Group Sandworm XENOTIME
2019Council on Foreign RelationsCyber Operations Tracker
@online{tracker:2019:black:cea08bf, author = {Cyber Operations Tracker}, title = {{Black Energy}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/black-energy}, language = {English}, urldate = {2019-12-20} } Black Energy
Sandworm
2018-10-18ESET ResearchAnton Cherepanov
@techreport{cherepanov:20181018:greyenergy:9885d0c, author = {Anton Cherepanov}, title = {{GREYENERGY: A successor to BlackEnergy}}, date = {2018-10-18}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf}, language = {English}, urldate = {2020-01-09} } GREYENERGY: A successor to BlackEnergy
Felixroot GreyEnergy
2018-10-17ESET ResearchAnton Cherepanov, Robert Lipovsky
@online{cherepanov:20181017:eset:c34687b, author = {Anton Cherepanov and Robert Lipovsky}, title = {{ESET unmasks ‘GREYENERGY’ cyber-espionage group}}, date = {2018-10-17}, organization = {ESET Research}, url = {https://www.eset.com/int/greyenergy-exposed/}, language = {English}, urldate = {2020-01-13} } ESET unmasks ‘GREYENERGY’ cyber-espionage group
GreyEnergy GreyEnergy
2018-10-11ESET ResearchAnton Cherepanov, Robert Lipovsky
@online{cherepanov:20181011:new:8e588c3, author = {Anton Cherepanov and Robert Lipovsky}, title = {{New TeleBots backdoor: First evidence linking Industroyer to NotPetya}}, date = {2018-10-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/}, language = {English}, urldate = {2019-11-14} } New TeleBots backdoor: First evidence linking Industroyer to NotPetya
Exaramel EternalPetya Exaramel Industroyer
2018-08-22WiredAndy Greenberg
@online{greenberg:20180822:untold:9dcac56, author = {Andy Greenberg}, title = {{The Untold Story of NotPetya, the Most Devastating Cyberattack in History}}, date = {2018-08-22}, organization = {Wired}, url = {https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/}, language = {English}, urldate = {2022-07-29} } The Untold Story of NotPetya, the Most Devastating Cyberattack in History
EternalPetya
2018-04-03ESET ResearchPeter Kálnai, Anton Cherepanov
@online{klnai:20180403:lazarus:14ff18c, author = {Peter Kálnai and Anton Cherepanov}, title = {{Lazarus KillDisks Central American casino}}, date = {2018-04-03}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/}, language = {English}, urldate = {2019-11-14} } Lazarus KillDisks Central American casino
KillDisk Lazarus Group
2018-03-01DragosDragos
@techreport{dragos:20180301:industrial:6e4e898, author = {Dragos}, title = {{INDUSTRIAL CONTROL SYSTEM THREATS}}, date = {2018-03-01}, institution = {Dragos}, url = {https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf}, language = {English}, urldate = {2020-01-08} } INDUSTRIAL CONTROL SYSTEM THREATS
APT33 CHRYSENE ENERGETIC BEAR Lazarus Group Sandworm
2018-01-15Trend MicroGilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira
@online{sison:20180115:new:15ece8f, author = {Gilbert Sison and Rheniel Ramos and Jay Yaneza and Alfredo Oliveira}, title = {{New KillDisk Variant Hits Financial Organizations in Latin America}}, date = {2018-01-15}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/}, language = {English}, urldate = {2020-01-06} } New KillDisk Variant Hits Financial Organizations in Latin America
KillDisk Lazarus Group
2018-01-13The Washington PostEllen Nakashima
@online{nakashima:20180113:russian:fce58a2, author = {Ellen Nakashima}, title = {{Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes}}, date = {2018-01-13}, organization = {The Washington Post}, url = {https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html}, language = {English}, urldate = {2020-01-06} } Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes
EternalPetya
2017-10-27F-SecureF-Secure Global
@online{global:20171027:big:916374a, author = {F-Secure Global}, title = {{The big difference with Bad Rabbit}}, date = {2017-10-27}, organization = {F-Secure}, url = {https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/}, language = {English}, urldate = {2020-01-07} } The big difference with Bad Rabbit
EternalPetya
2017-10-26Reversing LabsNone
@online{none:20171026:reversinglabs:d3543db, author = {None}, title = {{ReversingLabs' YARA rule detects BadRabbit encryption routine specifics}}, date = {2017-10-26}, organization = {Reversing Labs}, url = {https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html}, language = {English}, urldate = {2019-10-17} } ReversingLabs' YARA rule detects BadRabbit encryption routine specifics
EternalPetya
2017-10-26FireEyeBarry Vengerik, Ben Read, Brian Mordosky, Christopher Glyer, Ian Ahl, Matt Williams, Michael Matonis, Nick Carr
@online{vengerik:20171026:backswing:3aab9cf, author = {Barry Vengerik and Ben Read and Brian Mordosky and Christopher Glyer and Ian Ahl and Matt Williams and Michael Matonis and Nick Carr}, title = {{BACKSWING - Pulling a BADRABBIT Out of a Hat}}, date = {2017-10-26}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html}, language = {English}, urldate = {2019-12-20} } BACKSWING - Pulling a BADRABBIT Out of a Hat
EternalPetya
2017-10-25RiskIQYonathan Klijnsma
@online{klijnsma:20171025:down:8d41ef5, author = {Yonathan Klijnsma}, title = {{Down the Rabbit Hole: Tracking the BadRabbit Ransomware to a Long Ongoing Campaign of Target Selection}}, date = {2017-10-25}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/badrabbit/}, language = {English}, urldate = {2020-01-10} } Down the Rabbit Hole: Tracking the BadRabbit Ransomware to a Long Ongoing Campaign of Target Selection
EternalPetya
2017-10-24ESET ResearchEditor
@online{editor:20171024:kiev:b706a68, author = {Editor}, title = {{Kiev metro hit with a new variant of the infamous Diskcoder ransomware}}, date = {2017-10-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer}, language = {English}, urldate = {2019-11-14} } Kiev metro hit with a new variant of the infamous Diskcoder ransomware
EternalPetya
2017-10-24IntezerJay Rosenberg
@online{rosenberg:20171024:notpetya:7146657, author = {Jay Rosenberg}, title = {{NotPetya Returns as Bad Rabbit}}, date = {2017-10-24}, organization = {Intezer}, url = {http://www.intezer.com/notpetya-returns-bad-rabbit/}, language = {English}, urldate = {2020-01-05} } NotPetya Returns as Bad Rabbit
EternalPetya
2017-10-24Kaspersky LabsOrkhan Mamedov, Fedor Sinitsyn, Anton Ivanov
@online{mamedov:20171024:bad:3c21717, author = {Orkhan Mamedov and Fedor Sinitsyn and Anton Ivanov}, title = {{Bad Rabbit ransomware}}, date = {2017-10-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/bad-rabbit-ransomware/82851/}, language = {English}, urldate = {2019-12-20} } Bad Rabbit ransomware
EternalPetya
2017-10-24WiredAndy Greenberg
@online{greenberg:20171024:new:5359735, author = {Andy Greenberg}, title = {{New Ransomware Linked to NotPetya Sweeps Russia and Ukraine}}, date = {2017-10-24}, organization = {Wired}, url = {https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/}, language = {English}, urldate = {2020-01-06} } New Ransomware Linked to NotPetya Sweeps Russia and Ukraine
EternalPetya
2017-10-24Cisco TalosNick Biasini
@online{biasini:20171024:threat:7bd8515, author = {Nick Biasini}, title = {{Threat Spotlight: Follow the Bad Rabbit}}, date = {2017-10-24}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/10/bad-rabbit.html}, language = {English}, urldate = {2019-12-10} } Threat Spotlight: Follow the Bad Rabbit
EternalPetya
2017-10-24ESET ResearchMarc-Etienne M.Léveillé
@online{mlveill:20171024:bad:5653a57, author = {Marc-Etienne M.Léveillé}, title = {{Bad Rabbit: Not‑Petya is back with improved ransomware}}, date = {2017-10-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/}, language = {English}, urldate = {2019-07-11} } Bad Rabbit: Not‑Petya is back with improved ransomware
EternalPetya
2017-10-05Virus BulletinAnton Cherepanov, Robert Lipovsky
@online{cherepanov:20171005:industroyer:4406e62, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since Stuxnet}}, date = {2017-10-05}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/}, language = {English}, urldate = {2020-01-09} } Industroyer: Biggest threat to industrial control systems since Stuxnet
Industroyer
2017-09-19NCC GroupOllie Whitehouse
@online{whitehouse:20170919:eternalglue:c4348e0, author = {Ollie Whitehouse}, title = {{EternalGlue part one: Rebuilding NotPetya to assess real-world resilience}}, date = {2017-09-19}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/}, language = {English}, urldate = {2019-12-10} } EternalGlue part one: Rebuilding NotPetya to assess real-world resilience
EternalPetya
2017-09-18ThreatConnectPaul Vann
@online{vann:20170918:casting:87b63a9, author = {Paul Vann}, title = {{Casting a Light on BlackEnergy}}, date = {2017-09-18}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/casting-a-light-on-blackenergy/}, language = {English}, urldate = {2020-01-13} } Casting a Light on BlackEnergy
BlackEnergy
2017-08-24ESET ResearchMarc-Etienne M.Léveillé
@online{mlveill:20170824:bad:78b7a5e, author = {Marc-Etienne M.Léveillé}, title = {{Bad Rabbit: Not‑Petya is back with improved ransomware}}, date = {2017-08-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back}, language = {English}, urldate = {2022-08-25} } Bad Rabbit: Not‑Petya is back with improved ransomware
EternalPetya Sandworm
2017-08-11ThreatpostTom Spring
@online{spring:20170811:ukrainian:eb4451f, author = {Tom Spring}, title = {{Ukrainian Man Arrested, Charged in NotPetya Distribution}}, date = {2017-08-11}, organization = {Threatpost}, url = {https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/}, language = {English}, urldate = {2020-01-05} } Ukrainian Man Arrested, Charged in NotPetya Distribution
EternalPetya
2017-07-14MalwarebytesMalwarebytes Labs
@online{labs:20170714:keeping:0759a8b, author = {Malwarebytes Labs}, title = {{Keeping up with the Petyas: Demystifying the malware family}}, date = {2017-07-14}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/}, language = {English}, urldate = {2019-12-20} } Keeping up with the Petyas: Demystifying the malware family
EternalPetya GoldenEye PetrWrap Petya
2017-07-05Cisco TalosDavid Maynor, Aleksandar Nikolic, Matt Olney, Yves Younan
@online{maynor:20170705:medoc:58bcc4a, author = {David Maynor and Aleksandar Nikolic and Matt Olney and Yves Younan}, title = {{The MeDoc Connection}}, date = {2017-07-05}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/07/the-medoc-connection.html}, language = {English}, urldate = {2020-01-13} } The MeDoc Connection
TeleDoor
2017-07-04WikipediaVarious
@online{various:20170704:industroyer:54eba4d, author = {Various}, title = {{Industroyer}}, date = {2017-07-04}, organization = {Wikipedia}, url = {https://en.wikipedia.org/wiki/Industroyer}, language = {English}, urldate = {2020-01-08} } Industroyer
Industroyer
2017-07-04ESET ResearchAnton Cherepanov
@online{cherepanov:20170704:analysis:37c48b2, author = {Anton Cherepanov}, title = {{Analysis of TeleBots’ cunning backdoor}}, date = {2017-07-04}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/}, language = {English}, urldate = {2019-11-14} } Analysis of TeleBots’ cunning backdoor
TeleDoor
2017-07-03CrowdStrikeShaun Hurley, Karan Sood
@online{hurley:20170703:notpetya:1453645, author = {Shaun Hurley and Karan Sood}, title = {{NotPetya Technical Analysis Part II: Further Findings and Potential for MBR Recovery}}, date = {2017-07-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/}, language = {English}, urldate = {2019-12-20} } NotPetya Technical Analysis Part II: Further Findings and Potential for MBR Recovery
EternalPetya
2017-07-03The GuardianAlex Hern
@online{hern:20170703:notpetya:ba6bc6c, author = {Alex Hern}, title = {{'NotPetya' malware attacks could warrant retaliation, says Nato affiliated-researcher}}, date = {2017-07-03}, organization = {The Guardian}, url = {https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik}, language = {English}, urldate = {2019-07-11} } 'NotPetya' malware attacks could warrant retaliation, says Nato affiliated-researcher
EternalPetya
2017-07-03G DataG Data
@online{data:20170703:who:7b53706, author = {G Data}, title = {{Who is behind Petna?}}, date = {2017-07-03}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna}, language = {English}, urldate = {2020-01-08} } Who is behind Petna?
EternalPetya
2017-07-03ESET ResearchAnton Cherepanov, Robert Lipovsky
@techreport{cherepanov:20170703:blackenergy:2403feb, author = {Anton Cherepanov and Robert Lipovsky}, title = {{BlackEnergy – what we really know about the notorious cyber attacks}}, date = {2017-07-03}, institution = {ESET Research}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Cherepanov-Lipovsky.pdf}, language = {English}, urldate = {2019-10-14} } BlackEnergy – what we really know about the notorious cyber attacks
BlackEnergy
2017-06-30MalwarebytesMalwarebytes Labs
@online{labs:20170630:eternalpetya:122fb36, author = {Malwarebytes Labs}, title = {{EternalPetya – yet another stolen piece in the package?}}, date = {2017-06-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/}, language = {English}, urldate = {2019-12-20} } EternalPetya – yet another stolen piece in the package?
EternalPetya
2017-06-30ESET ResearchAnton Cherepanov
@online{cherepanov:20170630:telebots:84aa93d, author = {Anton Cherepanov}, title = {{TeleBots are back: Supply‑chain attacks against Ukraine}}, date = {2017-06-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/}, language = {English}, urldate = {2019-12-20} } TeleBots are back: Supply‑chain attacks against Ukraine
EternalPetya
2017-06-30ESET ResearchAnton Cherepanov
@online{cherepanov:20170630:telebots:7991503, author = {Anton Cherepanov}, title = {{TeleBots are back: Supply‑chain attacks against Ukraine}}, date = {2017-06-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine}, language = {English}, urldate = {2022-08-25} } TeleBots are back: Supply‑chain attacks against Ukraine
TeleBot Sandworm
2017-06-30Kaspersky LabsGReAT
@online{great:20170630:from:d91b457, author = {GReAT}, title = {{From BlackEnergy to ExPetr}}, date = {2017-06-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/from-blackenergy-to-expetr/78937/}, language = {English}, urldate = {2019-12-20} } From BlackEnergy to ExPetr
EternalPetya
2017-06-29Bleeping ComputerCatalin Cimpanu
@online{cimpanu:20170629:ransomware:d2d7b40, author = {Catalin Cimpanu}, title = {{Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone}}, date = {2017-06-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/}, language = {English}, urldate = {2019-12-20} } Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone
EternalPetya
2017-06-29MalwarebytesMalwarebytes Labs
@online{labs:20170629:eternalpetya:bdd5896, author = {Malwarebytes Labs}, title = {{EternalPetya and the lost Salsa20 key}}, date = {2017-06-29}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/}, language = {English}, urldate = {2019-12-20} } EternalPetya and the lost Salsa20 key
EternalPetya
2017-06-29Robert Graham
@online{graham:20170629:nonpetya:c470dd8, author = {Robert Graham}, title = {{NonPetya: no evidence it was a "smokescreen"}}, date = {2017-06-29}, url = {http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html}, language = {English}, urldate = {2020-01-07} } NonPetya: no evidence it was a "smokescreen"
EternalPetya
2017-06-29MicrosoftMicrosoft Defender ATP Research Team
@online{team:20170629:windows:f957ff3, author = {Microsoft Defender ATP Research Team}, title = {{Windows 10 platform resilience against the Petya ransomware attack}}, date = {2017-06-29}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/}, language = {English}, urldate = {2020-01-07} } Windows 10 platform resilience against the Petya ransomware attack
EternalPetya
2017-06-28Kaspersky LabsAnton Ivanov, Orkhan Mamedov
@online{ivanov:20170628:expetrpetyanotpetya:903b1fc, author = {Anton Ivanov and Orkhan Mamedov}, title = {{ExPetr/Petya/NotPetya is a Wiper, Not Ransomware}}, date = {2017-06-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/}, language = {English}, urldate = {2019-12-20} } ExPetr/Petya/NotPetya is a Wiper, Not Ransomware
EternalPetya
2017-06-28hacks4pancakes
@online{hacks4pancakes:20170628:why:8053178, author = {hacks4pancakes}, title = {{Why NotPetya Kept Me Awake (& You Should Worry Too)}}, date = {2017-06-28}, url = {https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/}, language = {English}, urldate = {2020-01-09} } Why NotPetya Kept Me Awake (& You Should Worry Too)
EternalPetya
2017-06-28CrowdStrikeFalcon Intelligence Team
@online{team:20170628:crowdstrike:e933e49, author = {Falcon Intelligence Team}, title = {{CrowdStrike Protects Against NotPetya Attack}}, date = {2017-06-28}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/}, language = {English}, urldate = {2019-12-20} } CrowdStrike Protects Against NotPetya Attack
EternalPetya
2017-06-27Medium thegrugqthegrugq
@online{thegrugq:20170627:pnyetya:45771f2, author = {thegrugq}, title = {{Pnyetya: Yet Another Ransomware Outbreak}}, date = {2017-06-27}, organization = {Medium thegrugq}, url = {https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4}, language = {English}, urldate = {2020-01-13} } Pnyetya: Yet Another Ransomware Outbreak
EternalPetya
2017-06-27ESET ResearchEditor
@online{editor:20170627:new:4f7cbcd, author = {Editor}, title = {{New WannaCryptor‑like ransomware attack hits globally: All you need to know}}, date = {2017-06-27}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine}, language = {English}, urldate = {2022-08-25} } New WannaCryptor‑like ransomware attack hits globally: All you need to know
EternalPetya Sandworm
2017-06-27Kaspersky LabsGReAT
@online{great:20170627:schroedingers:43c7e28, author = {GReAT}, title = {{Schroedinger’s Pet(ya)}}, date = {2017-06-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/schroedingers-petya/78870/}, language = {English}, urldate = {2019-12-20} } Schroedinger’s Pet(ya)
EternalPetya
2017-06-27SANSBrad Duncan
@online{duncan:20170627:checking:23c2251, author = {Brad Duncan}, title = {{Checking out the new Petya variant}}, date = {2017-06-27}, organization = {SANS}, url = {https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/}, language = {English}, urldate = {2020-01-06} } Checking out the new Petya variant
EternalPetya
2017-06-13DragosDragos
@techreport{dragos:20170613:crashoverride:ee53f66, author = {Dragos}, title = {{CRASHOVERRIDE: Analysis of the Threatto Electric Grid Operations}}, date = {2017-06-13}, institution = {Dragos}, url = {https://dragos.com/blog/crashoverride/CrashOverride-01.pdf}, language = {English}, urldate = {2020-01-10} } CRASHOVERRIDE: Analysis of the Threatto Electric Grid Operations
Industroyer Sandworm
2017-06-12ESET ResearchAnton Cherepanov
@techreport{cherepanov:20170612:win32industroyer:060c0e6, author = {Anton Cherepanov}, title = {{WIN32/INDUSTROYER: A new threat for industrial control systems}}, date = {2017-06-12}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf}, language = {English}, urldate = {2020-01-13} } WIN32/INDUSTROYER: A new threat for industrial control systems
Industroyer Sandworm
2017-06-12ESET ResearchAnton Cherepanov, Robert Lipovsky
@online{cherepanov:20170612:industroyer:15f0bec, author = {Anton Cherepanov and Robert Lipovsky}, title = {{Industroyer: Biggest threat to industrial control systems since Stuxnet}}, date = {2017-06-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/}, language = {English}, urldate = {2019-11-14} } Industroyer: Biggest threat to industrial control systems since Stuxnet
Industroyer
2017-06-12CISACISA
@online{cisa:20170612:alert:7799e28, author = {CISA}, title = {{Alert (TA17-163A)}}, date = {2017-06-12}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/alerts/TA17-163A}, language = {English}, urldate = {2020-01-08} } Alert (TA17-163A)
Sandworm
2017-05-31MITREMITRE ATT&CK
@online{attck:20170531:sandworm:1a9a446, author = {MITRE ATT&CK}, title = {{Sandworm Team}}, date = {2017-05-31}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0034}, language = {English}, urldate = {2022-08-25} } Sandworm Team
CyclopsBlink Exaramel BlackEnergy EternalPetya Exaramel GreyEnergy KillDisk MimiKatz Olympic Destroyer Sandworm
2017-05-23ESET ResearchAnton Cherepanov
@online{cherepanov:20170523:xdata:22024fb, author = {Anton Cherepanov}, title = {{XData ransomware making rounds amid global WannaCryptor scare}}, date = {2017-05-23}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare}, language = {English}, urldate = {2022-08-25} } XData ransomware making rounds amid global WannaCryptor scare
Sandworm
2017-01-05ESET ResearchRobert Lipovsky, Peter Kálnai
@online{lipovsky:20170105:killdisk:5d49eac, author = {Robert Lipovsky and Peter Kálnai}, title = {{KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt}}, date = {2017-01-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt}, language = {English}, urldate = {2022-08-25} } KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt
KillDisk Sandworm
2016-12-13ESET ResearchAnton Cherepanov
@online{cherepanov:20161213:rise:057c5f4, author = {Anton Cherepanov}, title = {{The rise of TeleBots: Analyzing disruptive KillDisk attacks}}, date = {2016-12-13}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks}, language = {English}, urldate = {2022-08-25} } The rise of TeleBots: Analyzing disruptive KillDisk attacks
KillDisk TeleBot Sandworm
2016-12-13ESET ResearchAnton Cherepanov
@online{cherepanov:20161213:rise:d6ee3c1, author = {Anton Cherepanov}, title = {{The rise of TeleBots: Analyzing disruptive KillDisk attacks}}, date = {2016-12-13}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/}, language = {English}, urldate = {2019-12-20} } The rise of TeleBots: Analyzing disruptive KillDisk attacks
Credraptor KillDisk TeleBot
2016-01-28Kaspersky LabsGReAT
@online{great:20160128:blackenergy:3c2a914, author = {GReAT}, title = {{BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents}}, date = {2016-01-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/}, language = {English}, urldate = {2019-12-20} } BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents
BlackEnergy
2016-01-09Industrial Control SystemsRobert M. Lee
@online{lee:20160109:confirmation:a5aeb08, author = {Robert M. Lee}, title = {{Confirmation of a Coordinated Attack on the Ukrainian Power Grid}}, date = {2016-01-09}, organization = {Industrial Control Systems}, url = {https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid}, language = {English}, urldate = {2020-01-07} } Confirmation of a Coordinated Attack on the Ukrainian Power Grid
Sandworm
2015-12-30SANSMichael J. Assante
@online{assante:20151230:current:342c55e, author = {Michael J. Assante}, title = {{Current Reporting on the Cyber Attack in Ukraine Resulting in Power Outage}}, date = {2015-12-30}, organization = {SANS}, url = {https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage}, language = {English}, urldate = {2019-12-17} } Current Reporting on the Cyber Attack in Ukraine Resulting in Power Outage
Sandworm
2015-02-17Kaspersky LabsKurt Baumgartner, Maria Garnaeva
@online{baumgartner:20150217:be2:f7ce288, author = {Kurt Baumgartner and Maria Garnaeva}, title = {{BE2 extraordinary plugins, Siemens targeting, dev fails}}, date = {2015-02-17}, organization = {Kaspersky Labs}, url = {https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/}, language = {English}, urldate = {2019-12-20} } BE2 extraordinary plugins, Siemens targeting, dev fails
BlackEnergy
2014-11-10Trend MicroWilliam Gamazo Sanchez
@online{sanchez:20141110:timeline:fd77607, author = {William Gamazo Sanchez}, title = {{Timeline of Sandworm Attacks}}, date = {2014-11-10}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/}, language = {English}, urldate = {2020-01-09} } Timeline of Sandworm Attacks
Sandworm
2014-11-03Kaspersky LabsKurt Baumgartner, Maria Garnaeva
@online{baumgartner:20141103:be2:ea8544a, author = {Kurt Baumgartner and Maria Garnaeva}, title = {{BE2 custom plugins, router abuse, and target profiles}}, date = {2014-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/}, language = {English}, urldate = {2019-12-20} } BE2 custom plugins, router abuse, and target profiles
BlackEnergy
2014-10-14SymantecSymantec Security Response
@online{response:20141014:sandworm:c129395, author = {Symantec Security Response}, title = {{Sandworm Windows zero-day vulnerability being actively exploited in targeted attacks}}, date = {2014-10-14}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks}, language = {English}, urldate = {2020-01-08} } Sandworm Windows zero-day vulnerability being actively exploited in targeted attacks
Sandworm
2014-10-14ESET ResearchRobert Lipovsky
@online{lipovsky:20141014:cve20144114:49123f0, author = {Robert Lipovsky}, title = {{CVE‑2014‑4114: Details on August BlackEnergy PowerPoint Campaigns}}, date = {2014-10-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/}, language = {English}, urldate = {2019-11-14} } CVE‑2014‑4114: Details on August BlackEnergy PowerPoint Campaigns
BlackEnergy
2014-10-14SymantecSymantec Security Response
@online{response:20141014:sandworm:3f6e951, author = {Symantec Security Response}, title = {{Sandworm Windows zero-day vulnerability being actively exploited in targeted attacks}}, date = {2014-10-14}, organization = {Symantec}, url = {https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks}, language = {English}, urldate = {2020-04-21} } Sandworm Windows zero-day vulnerability being actively exploited in targeted attacks
Sandworm
2010-07-15Kaspersky LabsDmitry Tarakanov
@online{tarakanov:20100715:black:e6d41f9, author = {Dmitry Tarakanov}, title = {{Black DDoS}}, date = {2010-07-15}, organization = {Kaspersky Labs}, url = {https://securelist.com/black-ddos/36309/}, language = {English}, urldate = {2019-12-20} } Black DDoS
BlackEnergy
2010-03-03SecureworksJoe Stewart
@online{stewart:20100303:blackenergy:d3aa259, author = {Joe Stewart}, title = {{BlackEnergy Version 2 Threat Analysis}}, date = {2010-03-03}, organization = {Secureworks}, url = {https://www.secureworks.com/research/blackenergy2}, language = {English}, urldate = {2019-10-15} } BlackEnergy Version 2 Threat Analysis
BlackEnergy
2010-03-03FireEyeJulia Wolf
@online{wolf:20100303:black:6ee657a, author = {Julia Wolf}, title = {{Black Energy Crypto}}, date = {2010-03-03}, organization = {FireEye}, url = {https://web.archive.org/web/20140428201836/http://www.fireeye.com/blog/technical/malware-research/2010/03/black-energy-crypto.html}, language = {English}, urldate = {2020-02-27} } Black Energy Crypto
BlackEnergy
2007-10Arbor NetworksJose Nazario
@techreport{nazario:200710:blackenergy:f414256, author = {Jose Nazario}, title = {{BlackEnergy DDoS Bot Analysis}}, date = {2007-10}, institution = {Arbor Networks}, url = {http://pds15.egloos.com/pds/201001/01/66/BlackEnergy_DDoS_Bot_Analysis.pdf}, language = {English}, urldate = {2022-04-25} } BlackEnergy DDoS Bot Analysis
BlackEnergy
Credits: MISP Project