Sandworm (Threat Actor)

Sandworm (Back to overview)

aka: Sandworm Team, Black Energy, BlackEnergy, Quedagh, Voodoo Bear, TEMP.Noble

This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and a distributed denial of service prior to the Russian invasion of Georgia. Believed to be responsible for the 2008 DDoS attacks in Georgia and the 2015 Ukraine power grid outage

References

http://www.isightpartners.com/2014/10/cve-2014-4114/

http://www.isightpartners.com/2016/01/ukraine-and-sandworm-team/

https://dragos.com/blog/crashoverride/CrashOverride-01.pdf

https://www.us-cert.gov/ncas/alerts/TA17-163A

https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid

https://www.cfr.org/interactive/cyber-operations/black-energy

Families

win.blackenergy

win.eternal_petya

win.faketc

win.killdisk

win.telebot

win.teledoor

Credits: MISP Project