G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
Analyst context for executives and security teams
Sandworm Team matters because ATT&CK records it as a destructive group associated with major public incidents, including the Ukrainian electric power attacks, NotPetya, and Olympic Destroyer. For leaders, the decision value is not tracking one actor but validating whether the organization can withstand destructive operations that combine credential theft, administrative tooling, backdoors, wipers and, in power-sector contexts, SCADA disruption paths.
Executive priority
Prioritize this as a resilience and crisis-readiness reference case: confirm identity controls, privileged administration monitoring, backup/restore confidence, incident communications, and enterprise-to-ICS segmentation where relevant. The ATT&CK relationships show repeated links to electric power campaigns and destructive malware, so risk owners should ask whether continuity plans and audit evidence cover destructive Windows-centric events, legitimate admin tool abuse, and cyber-physical escalation paths.
Technical view
ATT&CK provides no official detection text and no tactics for this group object, so defenders should derive coverage validation from the related software and campaigns. Confirm monitoring for Windows credential dumping and administrative execution patterns associated with Mimikatz, PsExec, Net, Impacket, PowerShell-based frameworks, Cobalt Strike, Empire, PoshC2, backdoors such as GreyEnergy and Exaramel, and destructive tooling such as SDelete, Olympic Destroyer, NotPetya, CaddyWiper-related campaign context, BlackEnergy, and KillDisk-related campaign context. For utilities or OT-connected environments, validate visibility across enterprise systems, jump hosts, SCADA administration paths, and command activity that could affect substations.
Likely telemetry
- Windows security events for logon activity, privileged account use, service creation, remote execution, and account/group changes
- Endpoint process, command-line, PowerShell, script, and file deletion telemetry
- EDR or host logs for credential access tools, post-exploitation frameworks, backdoors, and wiper-like behavior
- Network telemetry for SMB/Windows administration, remote service execution, command-and-control indicators, and unusual protocol use from administrative hosts
- Identity telemetry for abnormal privileged access, lateral movement, and credential reuse
Detection direction
- Treat alias matching alone as weak; validate behavior-based detections mapped to the related tools and campaigns instead.
- Tune separately for legitimate administration tools such as PsExec, Net, SDelete, Impacket, PowerShell frameworks, and Cobalt Strike-like activity because false positives are likely in administrator workflows.
- Prioritize detection chains that combine credential access, remote execution, lateral movement, payload staging, and destructive file or disk activity.
- For electric utility or OT environments, test whether enterprise detections can be correlated with SCADA access paths and unauthorized command activity described in the related 2022 Ukraine Electric Power Attack context.
- Because ATT&CK provides no official detection field for this group, require local validation through purple-team tests, incident retrospectives, or control evidence rather than assuming vendor coverage.
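An added example of the chained, behavior-based detection the list above recommends (not code from this page, from ATT&CK, or from Glexia): it scores constructed process-creation events per host by how many distinct stages (credential access, remote execution, destructive preparation) land inside one time window, so a lone admin-tool hit stays a tuning signal while a chain alerts. The log layout, hostnames, user names, and regexes are assumptions for illustration.

```python
"""Chain-scoring detection over Windows process-creation events.

Tools named in SIGNALS are the ones this page's ATT&CK procedures cite
(ntdsutil.exe, comsvcs.dll, Impacket wmiexec, PsExec, ADMIN$, MSSQL stop).
All log lines and patterns below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (stage, label, command-line pattern). The regexes are illustrative
# assumptions, not a vendor ruleset; tune them to local admin workflows.
SIGNALS = [
    ("credential_access", "ntdsutil IFM export of the AD database",
     re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I)),
    ("credential_access", "comsvcs.dll MiniDump of a process",
     re.compile(r"comsvcs\.dll\b.*\bminidump\b", re.I)),
    ("remote_execution", "wmiexec-style output redirect to ADMIN$",
     re.compile(r"cmd\.exe\s+/Q\s+/c\b.*\\\\127\.0\.0\.1\\ADMIN\$\\__", re.I)),
    ("remote_execution", "PsExec service binary started",
     re.compile(r"\bPSEXESVC\.exe\b", re.I)),
    ("impact_prep", "MSSQL service stopped (seen before Prestige encryption)",
     re.compile(r"\b(net|sc)(\.exe)?\s+stop\b.*mssql", re.I)),
]

TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample, tab-separated: time, host, user, command line.
SAMPLE_EVENTS = """\
2023-10-11T08:02:11\tADMIN02\tCORP\\itops\tC:\\Windows\\PSEXESVC.exe
2023-10-11T09:14:02\tDC01\tCORP\\svc_backup\tntdsutil.exe "ac i ntds" ifm "create full C:\\temp\\ifm" q q
2023-10-11T10:02:37\tWS07\tCORP\\jdoe\tcmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1697018557.2 2>&1
2023-10-11T10:05:41\tWS07\tCORP\\jdoe\trundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump 672 C:\\temp\\out.dmp full
2023-10-11T10:40:09\tWS07\tCORP\\jdoe\tnet stop MSSQLSERVER /y
2023-10-11T14:30:00\tWS07\tCORP\\jdoe\tnotepad.exe C:\\Users\\jdoe\\notes.txt
2023-10-11T16:05:00\tDC01\tCORP\\svc_backup\tsc.exe stop MSSQL$BACKUP
"""


def parse_event(line):
    """Split one record into (timestamp, host, user, command line)."""
    ts, host, user, cmdline = line.rstrip("\n").split("\t", 3)
    return datetime.strptime(ts, TIME_FORMAT), host, user, cmdline


def match_signals(cmdline):
    """Return the (stage, label) pairs whose pattern matches the command line."""
    return [(stage, label) for stage, label, rx in SIGNALS if rx.search(cmdline)]


def score_hosts(lines, window=timedelta(hours=2), min_stages=2):
    """Per host, find the largest number of distinct stages inside any window.

    A host with one stage (a lone ntdsutil or PsExec run) is recorded but
    not alerted: that single-tool case is where admin false positives live.
    """
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, host, user, cmdline = parse_event(line)
        for stage, label in match_signals(cmdline):
            hits[host].append((ts, stage, label, user))

    summary = {}
    for host, events in hits.items():
        events.sort(key=lambda e: e[0])
        best_stages, best_labels = 0, []
        # Slide the window from each hit forward and keep the richest chain.
        for i, (start, _, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            stages = {e[1] for e in in_window}
            if len(stages) > best_stages:
                best_stages, best_labels = len(stages), [e[2] for e in in_window]
        summary[host] = {
            "stages": best_stages,
            "labels": best_labels,
            "alert": best_stages >= min_stages,
        }
    return summary


def run_sample(window_hours=2):
    """Score the constructed sample with the given correlation window."""
    return score_hosts(SAMPLE_EVENTS.splitlines(), window=timedelta(hours=window_hours))


if __name__ == "__main__":
    for host, info in sorted(run_sample().items()):
        flag = "ALERT" if info["alert"] else "watch"
        print(f"{flag:5} {host}: {info['stages']} stage(s): {', '.join(info['labels'])}")
```

Widening the window (for example `run_sample(window_hours=8)`) turns DC01's two separated single-stage hits into a two-stage chain, which is the knob to set from incident retrospectives rather than by default.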
Mitigation priorities
- Harden privileged identity first: reduce standing admin rights, monitor privileged sessions, and enforce strong authentication where applicable.
- Restrict and monitor remote administration paths, especially PsExec-like execution, SMB administration, PowerShell, and Python-based tooling that can be used across Windows, Linux, and macOS environments.
- Segment enterprise and ICS networks where relevant, with controlled jump paths and logging for SCADA administration.
- Maintain tested offline or protected backups and recovery procedures suitable for destructive malware scenarios.
- Build response playbooks for wiper/destructive events, including rapid isolation, credential reset sequencing, evidence preservation, and business continuity decision points.
Analyst notes and limits
The supplied ATT&CK object identifies Sandworm Team aliases, destructive public operations, GRU attribution from official descriptions, and relationships to campaigns and software. The strongest defensive value comes from the relationship context: electric power campaigns, Windows-heavy tooling, cross-platform post-exploitation frameworks, credential dumping, backdoors, legitimate admin tools, and destructive malware.
The group object does not specify platforms, tactics, or official detection guidance. Related software provides platform context, but local exposure, sector relevance, telemetry availability, and control effectiveness must be validated in the organization’s own environment. This take does not assert current activity or customer-specific targeting.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1608.001 | Upload Malware Sub-technique | Sandworm Team staged compromised versions of legitimate software installers in forums to enable initial access to the executing user. (Citation: mandiant_apt44_unearthing_sandworm) |
| Enterprise | T1588.006 | Vulnerabilities Sub-technique | In 2017, Sandworm Team conducted technical research related to vulnerabilities associated with websites used by the Korean Sport and Olympic Committee, a Korean power company, and a Korean airport. (Citation: US District Court Indictment GRU Unit 74455 October 2020) |
| Enterprise | T1040 | Network Sniffing | Sandworm Team has used intercepter-NG to sniff passwords in network traffic. (Citation: ESET Telebots Dec 2016) |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | Sandworm Team has used ROT13 encoding, AES encryption and compression with the zlib library for their Python-based backdoor. (Citation: ESET Telebots Dec 2016) |
| Enterprise | T1595.002 | Vulnerability Scanning Sub-technique | Sandworm Team has scanned network infrastructure for vulnerabilities as part of its operational planning. (Citation: US District Court Indictment GRU Unit 74455 October 2020) |
| Enterprise | T1585.001 | Social Media Accounts Sub-technique | Sandworm Team has established social media accounts to disseminate victim internal-only documents and other sensitive data. (Citation: US District Court Indictment GRU Unit 74455 October 2020) |
| Enterprise | T1586.001 | Social Media Accounts Sub-technique | Sandworm Team creates credential capture webpages to compromise existing, legitimate social media accounts. (Citation: Slowik Sandworm 2021) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | Sandworm Team's BCS-server tool uses base64 encoding and HTML tags for the communication traffic with the C2 server. (Citation: ESET Telebots Dec 2016) |
| Enterprise | T1213.006 | Databases Sub-technique | Sandworm Team exfiltrates data of interest from enterprise databases using Adminer. (Citation: Leonard TAG 2023) |
| Enterprise | T1539 | Steal Web Session Cookie | Sandworm Team used information stealer malware to collect browser session cookies. (Citation: Leonard TAG 2023) |
| Enterprise | T1059.001 | PowerShell Sub-technique | Sandworm Team has used PowerShell scripts to run a credential harvesting tool in memory to evade defenses. (Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Dragos Crashoverride 2018) |
| Enterprise | T1090 | Proxy | Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic from the adversary-controlled C2 to internal servers which may not be connected to the internet, but are interconnected locally. (Citation: ESET Telebots Dec 2016) |
| Enterprise | T1203 | Exploitation for Client Execution | Sandworm Team has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and Microsoft Word via crafted TIFF images (CVE-2013-3906). (Citation: iSight Sandworm Oct 2014)(Citation: TrendMicro Sandworm October 2014)(Citation: McAfee Sandworm November 2013) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Sandworm Team has sent system information to its C2 server using HTTP. (Citation: ESET Telebots Dec 2016) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Sandworm Team leveraged SHARPIVORY, a .NET dropper that writes an embedded payload to disk and uses scheduled tasks to persist on victim machines. (Citation: mandiant_apt44_unearthing_sandworm) |
| Enterprise | T1190 | Exploit Public-Facing Application | Sandworm Team exploits public-facing applications for initial access and to acquire infrastructure, such as exploitation of the EXIM mail transfer agent in Linux systems. (Citation: NSA Sandworm 2020)(Citation: Leonard TAG 2023) |
| Enterprise | T1078.002 | Domain Accounts Sub-technique | Sandworm Team has used stolen credentials to access administrative accounts within the domain. (Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Microsoft Prestige ransomware October 2022) |
| Enterprise | T1003.003 | NTDS Sub-technique | Sandworm Team has used `ntdsutil.exe` to back up the Active Directory database, likely for credential access. (Citation: Microsoft Prestige ransomware October 2022) |
| Enterprise | T1036 | Masquerading | Sandworm Team masqueraded malicious installers as Windows update packages to evade defense and entice users to execute binaries. (Citation: Leonard TAG 2023) |
| Enterprise | T1598.003 | Spearphishing Link Sub-technique | Sandworm Team has crafted spearphishing emails with hyperlinks designed to trick unwitting recipients into revealing their account credentials. (Citation: US District Court Indictment GRU Unit 74455 October 2020) |
| Enterprise | T1133 | External Remote Services | Sandworm Team has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. Sandworm Team has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company's users. (Citation: ESET BlackEnergy Jan 2016)(Citation: ESET Telebots June 2017)(Citation: ANSSI Sandworm January 2021)(Citation: mandiant_apt44_unearthing_sandworm) |
| Enterprise | T1587.001 | Malware Sub-technique | Sandworm Team has developed malware for its operations, including malicious mobile applications and destructive malware such as NotPetya and Olympic Destroyer. (Citation: US District Court Indictment GRU Unit 74455 October 2020) |
| Enterprise | T1072 | Software Deployment Tools | Sandworm Team has used the commercially available tool RemoteExec for agentless remote code execution. (Citation: Microsoft Prestige ransomware October 2022) |
| Enterprise | T1584.005 | Botnet Sub-technique | Sandworm Team has used a large-scale botnet to target Small Office/Home Office (SOHO) network devices. (Citation: NCSC Cyclops Blink February 2022) |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | Sandworm Team has crafted phishing emails containing malicious hyperlinks. (Citation: US District Court Indictment GRU Unit 74455 October 2020) |
| Enterprise | T1018 | Remote System Discovery | Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about computers listed in AD. (Citation: ESET Telebots Dec 2016)(Citation: Dragos Crashoverride 2018) |
| Enterprise | T1589.003 | Employee Names Sub-technique | Sandworm Team's research of potential victim organizations included the identification and collection of employee information. (Citation: US District Court Indictment GRU Unit 74455 October 2020) |
| Enterprise | T1078 | Valid Accounts | Sandworm Team has used previously acquired legitimate credentials prior to attacks. (Citation: US-CERT Ukraine Feb 2016) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Sandworm Team has delivered malicious Microsoft Office and ZIP file attachments via spearphishing emails. (Citation: iSight Sandworm Oct 2014)(Citation: US-CERT Ukraine Feb 2016)(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Google_WinRAR_vuln_2023)(Citation: mandiant_apt44_unearthing_sandworm) |
| Enterprise | T1204.002 | Malicious File Sub-technique | Sandworm Team has tricked unwitting recipients into clicking on spearphishing attachments and enabling malicious macros embedded within files. (Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020) |
| Enterprise | T1106 | Native API | Sandworm Team uses Prestige to disable and restore file system redirection by using the following functions: `Wow64DisableWow64FsRedirection()` and `Wow64RevertWow64FsRedirection()`. (Citation: Microsoft Prestige ransomware October 2022) |
| Enterprise | T1588.002 | Tool Sub-technique | Sandworm Team has acquired open-source tools for their operations, including Invoke-PSImage, which was used to establish an encrypted channel from a compromised host to Sandworm Team's C2 server in preparation for the 2018 Winter Olympics attack, as well as Impacket and RemoteExec, which were used in their 2022 Prestige operations. (Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Microsoft Prestige ransomware October 2022) Additionally, Sandworm Team has used Empire, Cobalt Strike and PoshC2. (Citation: mandiant_apt44_unearthing_sandworm) |
| Enterprise | T1583.004 | Server Sub-technique | Sandworm Team has leased servers from resellers instead of leasing infrastructure directly from hosting companies to enable its operations. (Citation: US District Court Indictment GRU Unit 74455 October 2020) |
| Enterprise | T1590.001 | Domain Properties Sub-technique | Sandworm Team conducted technical reconnaissance of the Parliament of Georgia's official internet domain prior to its 2019 attack. (Citation: US District Court Indictment GRU Unit 74455 October 2020) |
| Enterprise | T1083 | File and Directory Discovery | Sandworm Team has enumerated files on a compromised host. (Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Dragos Crashoverride 2018) |
| Enterprise | T1049 | System Network Connections Discovery | Sandworm Team had gathered user, IP address, and server data related to RDP sessions on a compromised host. It has also accessed network diagram files useful for understanding how a host's network was configured. (Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Dragos Crashoverride 2018) |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | Sandworm Team's CredRaptor tool can collect saved passwords from various internet browsers. (Citation: ESET Telebots Dec 2016) |
| Enterprise | T1489 | Service Stop | Sandworm Team attempts to stop the MSSQL Windows service to ensure successful encryption of locked files. (Citation: Microsoft Prestige ransomware October 2022) |
| Enterprise | T1571 | Non-Standard Port | Sandworm Team has used port 6789 to accept connections on the group's SSH server. (Citation: ESET BlackEnergy Jan 2016) |
| Enterprise | T1070.004 | File Deletion Sub-technique | Sandworm Team has used backdoors that can delete files used in an attack from an infected system. (Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots July 2017)(Citation: Mandiant-Sandworm-Ukraine-2022) |
| Enterprise | T1047 | Windows Management Instrumentation | Sandworm Team has used Impacket's WMIexec module for remote code execution and VBScript to run WMI queries. (Citation: Dragos Crashoverride 2018)(Citation: Microsoft Prestige ransomware October 2022) |
| Enterprise | T1087.003 | Email Account Sub-technique | Sandworm Team used malware to enumerate email settings, including usernames and passwords, from the M.E.Doc application. (Citation: ESET Telebots July 2017) |
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | Sandworm Team has copied payloads to the `ADMIN$` share of remote systems and run |
| Enterprise | T1204.001 | Malicious Link Sub-technique | Sandworm Team has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders. (Citation: US District Court Indictment GRU Unit 74455 October 2020) |
| Enterprise | T1505.003 | Web Shell Sub-technique | Sandworm Team has used webshells including P.A.S. Webshell to maintain access to victim networks. (Citation: ANSSI Sandworm January 2021) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe. (Citation: ESET Telebots July 2017) |
| Enterprise | T1499 | Endpoint Denial of Service | Sandworm Team temporarily disrupted service to Georgian government, non-government, and private sector websites after compromising a Georgian web hosting provider in 2019. (Citation: US District Court Indictment GRU Unit 74455 October 2020) |
| Enterprise | T1195.002 | Compromise Software Supply Chain Sub-technique | Sandworm Team has distributed NotPetya by compromising the legitimate Ukrainian accounting software M.E.Doc and replacing a legitimate software update with a malicious one. (Citation: Secureworks NotPetya June 2017)(Citation: ESET Telebots June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020) |
| Enterprise | T1199 | Trusted Relationship | Sandworm Team has used dedicated network connections from one victim organization to gain unauthorized access to a separate organization. (Citation: US District Court Indictment GRU Unit 74455 October 2020) Additionally, Sandworm Team has accessed Internet service providers and telecommunication entities that provide mobile connectivity. (Citation: mandiant_apt44_unearthing_sandworm) |
| Enterprise | T1056.001 | Keylogging Sub-technique | Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function. (Citation: ESET Telebots Dec 2016) |
| Enterprise | T1561.002 | Disk Structure Wipe Sub-technique | Sandworm Team has used the BlackEnergy KillDisk component to corrupt the infected system's master boot record. (Citation: US-CERT Ukraine Feb 2016)(Citation: ESET Telebots June 2017) |
| Enterprise | T1486 | Data Encrypted for Impact | Sandworm Team has used Prestige ransomware to encrypt data at targeted organizations in transportation and related logistics industries in Ukraine and Poland. (Citation: Microsoft Prestige ransomware October 2022) |
| Enterprise | T1592.002 | Software Sub-technique | Sandworm Team has researched software code to enable supply-chain operations, most notably for the 2017 NotPetya attack. Sandworm Team also collected a list of computers using specific software as part of its targeting efforts. (Citation: US District Court Indictment GRU Unit 74455 October 2020) |
| Enterprise | T1491.002 | External Defacement Sub-technique | Sandworm Team defaced approximately 15,000 websites belonging to Georgian government, non-government, and private sector organizations in 2019. (Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) |
| Enterprise | T1583 | Acquire Infrastructure | Sandworm Team used various third-party email campaign management services to deliver phishing emails. (Citation: Leonard TAG 2023) |
| Enterprise | T1219 | Remote Access Tools | Sandworm Team has used remote administration tools or remote industrial control system client software for execution and to maliciously release electricity breakers. (Citation: US-CERT Ukraine Feb 2016)(Citation: Microsoft Prestige ransomware October 2022) |
| Enterprise | T1584.004 | Server Sub-technique | Sandworm Team compromised legitimate Linux servers running the EXIM mail transfer agent for use in subsequent campaigns. (Citation: NSA Sandworm 2020)(Citation: Leonard TAG 2023) |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | Sandworm Team has used its plainpwd tool, a modified version of Mimikatz, and comsvcs.dll to dump Windows credentials from system memory. (Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots June 2017)(Citation: Microsoft Prestige ransomware October 2022) |
Groups, software, and campaigns
S0606: Bad Rabbit
Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia. [1][2][3]
S0002: Mimikatz
S0401: Exaramel for Linux
Exaramel for Linux is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under Exaramel for Windows.[1]
S0343: Exaramel for Windows
Exaramel for Windows is a backdoor used for targeting Windows systems. The Linux version is tracked separately under Exaramel for Linux.[1]
S0342: GreyEnergy
GreyEnergy is a backdoor written in C and compiled in Visual Studio. GreyEnergy shares similarities with the BlackEnergy malware and is thought to be the successor of it.[1]
S0029: PsExec
S1058: Prestige
Prestige ransomware has been used by Sandworm Team since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.[1]
S0598: P.A.S. Webshell
P.A.S. Webshell is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.[1]
S1167: AcidPour
AcidPour is a variant of AcidRain designed to impact a wider range of x86 architecture Linux devices. AcidPour is an x86 ELF binary that expands on the targeted devices and locations in AcidRain by including items such as Unsorted Block Image (UBI), Device Mapper (DM), and various flash memory references. Based on this expanded targeting, AcidPour can impact a variety of device types including IoT, networking, and ICS embedded device types.[1] AcidPour is a wiping payload associated with the Sandworm Team threat actor, and potentially linked to attacks against Ukrainian internet service providers (ISPs) in 2023.[2]
S1010: VPNFilter
VPNFilter is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. VPNFilter modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols.[1][2] VPNFilter was assessed to be replaced by Sandworm Team with Cyclops Blink starting in 2019.[3]
S1189: Neo-reGeorg
Neo-reGeorg is an open-source web shell designed as a restructuring of reGeorg with improved usability, security, and fixes for existing reGeorg bugs.[1]
S0687: Cyclops Blink
Cyclops Blink is a modular malware that has been used in widespread campaigns by Sandworm Team since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus. Cyclops Blink is assessed to be a replacement for VPNFilter, a similar platform targeting network devices.[1][2][3]
C0028: 2015 Ukraine Electric Power Attack
2015 Ukraine Electric Power Attack was a Sandworm Team campaign during which they used BlackEnergy (specifically BlackEnergy3) and KillDisk to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.
C0025: 2016 Ukraine Electric Power Attack
2016 Ukraine Electric Power Attack was a Sandworm Team campaign during which they used Industroyer malware to target and disrupt distribution substations within the Ukrainian power grid. This campaign was the second major public attack conducted against Ukraine by Sandworm Team.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 4.2 | | Current bundle | 781b69323a74… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] US District Court Indictment GRU Unit 74455 October 2020: Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
- [2] UK NCSC Olympic Attacks October 2020: UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games. Retrieved November 30, 2020.
- [3] iSIGHT Sandworm 2014: Hultquist, J. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.
- [4] CrowdStrike VOODOO BEAR: Meyers, A. (2018, January 19). Meet CrowdStrike's Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.
- [5] USDOJ Sandworm Feb 2020: Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved September 12, 2024.
- [6] NCSC Sandworm Feb 2020: NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.
- [7] US District Court Indictment GRU Oct 2018: Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.
- [8] APT44: (Citation: mandiant_apt44_unearthing_sandworm)
- [9] BlackEnergy (Group): (Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)
- [10] Dragos ELECTRUM: Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.
- [11] ELECTRUM: (Citation: Dragos ELECTRUM)(Citation: UK NCSC Olympic Attacks October 2020)
- [12] F-Secure BlackEnergy 2014: F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
- [13] FROZENBARENTS: (Citation: Leonard TAG 2023)
- [14] IRIDIUM: (Citation: Microsoft Prestige ransomware October 2022)
- [15] IRON VIKING: (Citation: Secureworks IRON VIKING)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)
- [16] InfoSecurity Sandworm Oct 2014: Muncaster, P. (2014, October 14). Microsoft Zero Day Traced to Russian 'Sandworm' Hackers. Retrieved October 6, 2017.
- [17] Leonard TAG 2023: Billy Leonard. (2023, April 19). Ukraine remains Russia's biggest cyber focus in 2023. Retrieved March 1, 2024.
- [18] Microsoft Prestige ransomware October 2022: MSTIC. (2022, October 14). New "Prestige" ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
- [19] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- [20] Quedagh: (Citation: iSIGHT Sandworm 2014)(Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)
- [21] Sandworm Team: (Citation: iSIGHT Sandworm 2014)(Citation: F-Secure BlackEnergy 2014)(Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)
- [22] Seashell Blizzard: (Citation: Microsoft Threat Actor Naming July 2023)
- [23] Secureworks IRON VIKING: Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.
- [24] Telebots: (Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)
- [25] Voodoo Bear: (Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)
- [26] mandiant_apt44_unearthing_sandworm: Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.
- [27] mitre-attack G0034
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.