SandWorm APT Group Cyber Intelligence Report

BRANDEFENSE
APT Groups
19/10/2022

This blog post comes from the “SandWorm APT Group Cyber Intelligence Report” by the Brandefense CTI Analyst Team. For more details about the analysis, download the report.

Table of Contents

  • Executive Summary
  • Sandworm APT Group Overview
    • Motivation

Executive Summary

This report, prepared by the Brandefense threat intelligence team, examines the Russian state-sponsored Sandworm APT group. It covers the group's objectives and motivations, its history of cyberattacks going back to 2009, its Tactics, Techniques, and Procedures (TTPs), the malware and open-source tools it uses, IoC findings, and YARA rules.

The attack methods and malware analyses in this report are intended to raise cybersecurity awareness. The TTP findings and IoC data attributed to the threat actor can also be fed into security teams' detection processes and into security products. A correct understanding of the group's Tactics, Techniques, and Procedures, and of the capabilities of its tools and malware, supports a proactive posture against future attacks and allows defensive measures to be taken early.

Given its overall scope and content, the report aims to feed rule-based security solutions as well as network-based and machine-based security solutions, and to be instructive in raising awareness of targeted cyberattacks.

Download the SandWorm APT Group Cyber Intelligence Report

Sandworm APT Group Overview

Reference Names: Sandworm Team (Trend Micro), Iron Viking (SecureWorks), CTG-7263 (SecureWorks), Voodoo Bear (CrowdStrike), Quedagh (F-Secure), TEMP.Noble (FireEye), ATK 14 (Thales), BE2 (Kaspersky)
Country: Russia
Sponsor: State-sponsored, GRU Unit 74455
First Seen: 2009
Motivation: Sabotage and espionage
Method: Zero-days, malware, spearphishing
Targeted Industries: Education, Energy, Government, Telecommunications

Sandworm Team, also tracked as Unit 74455, is a Russian cyberespionage and sabotage group that has been active since 2009. The group is reportedly affiliated with a cyber military unit of the Main Intelligence Directorate (GRU), Russia's military intelligence service.

Sandworm Team mainly targets Ukrainian organizations associated with energy, industrial control systems, SCADA, government, and the media sector.

Sandworm Team was directly linked to the Ukrainian energy sector attack in late 2015.

Motivation

The GRU, officially the Main Directorate (GU) of the General Staff of the Armed Forces of the Russian Federation, is Russia's military foreign intelligence agency. Sandworm operates within this agency, which has advanced and disruptive capabilities for conducting global disinformation, propaganda, espionage, and cyber operations.

The GRU, which has been linked to earlier cyber operations against Estonia in 2007 and Georgia in 2008, has become more visible through its recent cyber operations, and Western intelligence agencies have attributed the most significant recent attacks to it. While it is difficult to assess whether the GRU takes the leading role among Russia's special services in cyberspace operations, its activity is substantial.

The GRU has invested in both technical and psychological capabilities. For example, the 85th Main Special Service Center (Unit 26165) and the Main Center for Special Technologies (Unit 74455), traditionally responsible for signals intelligence and cryptography, have taken on computer network operations. The 72nd Special Service Center (Unit 54777), which forms the core of the GRU's psychological warfare effort, has worked closely with the 'technical' units and has carried out operations through front organizations since at least 2014.

Unit 74455 (Sandworm) is credited with creating and distributing the malware used in the interference operations against the 2016 US presidential election, the NotPetya malware, and the attacks on Ukraine's electrical infrastructure.

Russia's security agencies compete with each other and often run similar operations against the same targets, which makes specific attribution and motivational assessment difficult. In some cases, however, operations are carried out jointly. For example, some of the Sandworm group's attacks were carried out with the help of GRU Unit 26165, the GRU cyber unit tracked as Fancy Bear (APT28).

The following figure from the report shows the Russian special services involved in cyber operations and the threat groups connected to each of them.

[Figure: Russian special services involved in cyber operations and their associated threat groups]
Download the IoCs and YARA Rules
