APT Spotlight: Sandworm

APT Spotlight: Sandworm

Editor’s note: This blog was written by our teammates at Digital Shadows.

This blog is a deeper dive into advanced persistent threat (APT) groups. We aim to demystify APT groups around the world, including their motives, dynamics, and some of their tactics, techniques, and procedures (TTPs).

What does APT stand for in cybersecurity? The “A” stands for advanced technical sophistication, the “P” for persistent access to—or attempts to access—systems, and “T” for the significant threat posed to nation-states, companies, and/or individuals. How do these groups nail this three-pronged advantage?

They’re usually linked to national governments, which may funnel them resources, turn a blind eye to their criminal activity, or even direct the groups’ operations. The so-called big four of APT threat supporters are Russia, China, Iran, and North Korea. Other APT groups might be supported by Turkey, Israel, Pakistan, India, South Korea, the United States, or other nation-states.

Today, we point the interrogation light at the Russian government-backed APT group “Sandworm” (aka Voodoo Bear, Telebots, Iron Viking, IRIDIUM) and its recent attacks on Ukraine. We’ve deemed this highly competent threat group as posing a high threat to a range of critical industries, particularly in light of the Russia-Ukraine war.

Sandworm Group: A GRUsome APT

Sandworm stands out as a destructive, politically motivated cyber-threat group. The group seems to have been in action since at least 2009, and potentially even earlier, with some speculating that they operated in the shadows of the 2008 Russo-Georgian war.

In October 2020, the United States published an indictment linking Sandworm to Russia’s military intelligence agency, the GRU. The indictment charged six members of Unit 74455 of the GRU for participating in and developing malware used in Sandworm’s attacks.

The group’s rap sheet was extensive: losses of over $1 billion caused by the “NotPetya” malware, destructive campaigns against Ukraine’s energy sector and the 2018 Pyeongchang Winter Olympics, and spearphishing, whose targets ran the gamut from the 2016 French presidential elections and the Salisbury Novichok poisoning investigations to the Georgian government.

The group’s attacks haven’t been random. We can attribute most Sandworm activity, with high confidence, to the Russian government. Sandworm stands accused, according to the US indictment, of conspiring to “deploy destructive malware and take other disruptive actions, for the strategic benefit of Russia.” The UK government in turn drew a firm line from Sandworm to Russian intelligence entities in 2018. Although we would be remiss not to mention that Sandworm members have dabbled in cybercrime (what APT group hasn’t considered it?), such as spearphishing to deploy and profit from cryptocurrency miners.

Most APT groups—even within the Russian sphere—focus on cyber espionage, gathering intelligence, and subtly evading detection of their long-term access to targets. (Probably a smart move if a country wants to avoid quid-pro-quo responses and escalating cyber-warfare between rival nation-states.) But Sandworm’s destructive, politically motivated history makes it stand out from the crowd of state-backed groups.

Sandworm’s appetite for destruction in Ukraine may be explained by Russia’s institutionalized view that Ukraine is not a rival state, but just an easily disrupted, inferior province. Following Russia’s invasion of Crimea in 2014—just prior to Sandworm’s 2015 attacks on Ukraine’s power grid—84 percent of Russians supported shrinking Ukraine’s territory, and the overwhelming majority viewed Ukraine’s government as illegitimate.

A box plot showing the results of a Russian survey on Ukrainian leadership.

A 2014 study led by the University of Oslo (Source: NEORUSS)

In this light, we could view Sandworm as a Russian cyber weapon, not just an intelligence-gathering machine. As the pace of Russian cyber activity picks up in the Russia-Ukraine war, more Sandworm attacks over the next few months would not be a surprise.

ICS Beginning to Look a Lot Like Christmas

The consequences of the Russia–Ukraine war are growing, worldwide, and so are concerns about cyber threats to critical infrastructure, such as utilities, energy, healthcare, and telecommunications. It’s true that few cyber attacks linked to the war have caused any destruction; it’s much easier to blow up a power station than craft custom malware to disrupt it. But as colder weather arrives in Europe and physical engagement gets trickier, cyber threats by Russian groups such as Sandworm are likely to speed up.

Critical infrastructure is particularly vulnerable to any attacks on industrial control systems (ICS). These cyber events translate into physical impact by targeting the digital devices used in industrial processes. Anyone remember the infamous 2010 “Stuxnet” malware? Its operators targeted programmable logic controllers (PLCs) to cause Iran’s nuclear centrifuges to speed up and destroy themselves.

Sandworm has a long history of attacks on ICS. The group is affiliated with two of the first four types of known ICS-targeting malware, “BlackEnergy” and “Industroyer” (aka CrashOverride). Both targeted Ukrainian critical infrastructure.

Most recently, the group has been deploying “Industroyer2” against the Ukrainian energy industry. This ICS-targeting malware was very likely built with the source code of Industroyer, which was used to shut down Kyiv’s power grid in 2016. The 2016 attack was largely considered a test of Russia’s ICS-targeting functions. This is especially owing to the malware’s notoriety as the first known framework designed to target power grids.

With both Industroyer and Industroyer2, functions include turning off key alarms and flipping breakers in power stations to cause disruption. Industroyer2 has also been accompanied by various wiper malware types, including “CaddyWiper,” “ORCSHRED,” “SOLOSHRED,” and “AWFULSHRED.” (CaddyWiper was probably set to hinder recovery processes, and the other three are wipers used to destroy full disks on Linux and Solaris machines.)

Industroyer2 can be custom-configured to a target. Although it’s only been spotted in operation once, in April 2022, more attacks using this and the other malware types can be expected over the next few months.

Script excerpts from the Industroyer2 campaign (Source: CERT-UA)

Script excerpts from the Industroyer2 campaign (Source: CERT-UA)

Although the April 2022 Industroyer2 attack was thwarted, you don’t need an overactive imagination to picture what might have been: disabled power stations interrupting the flow of communication, transportation, electricity, and other vital services. ICS attacks can also mean a loss of life if heating is disabled in cold weather. And destroyed data can lead to disruptions that spiral into losses of information and funds—not to mention logistical and administrative challenges. Organizations involved with critical infrastructure should take a hard look at their ICS protections, particularly in Ukraine and supporting countries.

The Russia–Ukraine Ransomwar(e)

Attacks on ICS are not Sandworm’s only modi operandi. Recently, the group has launched the “RansomBoggs” and “Prestige” ransomware against organizations in Ukraine and other countries.

RansomBoggs is .NET1 ransomware, first detected in November 2022. Researchers pointed a finger at Sandworm because of RansomBoggs’ PowerShell script: It’s nearly identical to that used to deploy Industroyer2. The same script, named POWERGAP, was also used to deliver CaddyWiper.

In October 2022, Prestige targeted Ukrainian and Polish transportation and logistics organizations. The malware isn’t like other known ransomware, but it was deployed similarly to CaddyWiper: a trail that led researchers to point to an overlap with Sandworm.

These attacks bear traces of resemblance to the “Petya” and NotPetya campaigns. In 2017, Sandworm distributed the NotPetya malware, a variant of Petya, by inserting a malicious update into Ukrainian tax preparation software. Although Petya was classic ransomware—the usual song and dance of encrypting data and demanding ransom for a decryption key—in NotPetya’s case, the malware was probably a wiper masquerading as ransomware. Victims who paid up couldn’t actually decrypt their files.

It’s possible RansomBoggs and Prestige were similarly designed: wipers on paper, with ransom payments an added bonus. For both, their use marks a shift from previous Sandworm activity, the reason for which is unclear. Even though its NotPetya activity suggested Sandworm wasn’t out for profit, Russia faces increasing pressure from international sanctions, so the group may be operating like North Korean APT groups. “Lazarus Group”, for example, wages financially motivated attacks in support of its country.

Regardless, hopefully neither RansomBoggs nor Prestige operates like NotPetya; although designed to target Ukrainian organizations, NotPetya proliferated indiscriminately to trusted networks around the world, causing over $10 billion in losses.

Enter General Winter

Much has been written about waging a winter war against the Russians (Clausewitz is worth a reread as Europe freezes over). Ukrainian counter-offensives are likely to slow as the muddy season sets in and kinetic warfare becomes more challenging, leaving Russia to bolster its defenses.

The North Atlantic Treaty Organization (NATO) has also alleged that Russia is using winter as a weapon in Ukraine, by putting pressure on critical infrastructure and civilian energy security to force an agreement. Add this to Russia’s need for victories to boost morale at home, and you end up with a likely increase in cyber attacks on critical industries. Look for Sandworm on the front lines on these attacks.

The ReliaQuest Photon Research team maintains a library of 500-plus threat profiles to help our clients navigate the quickly evolving threat landscape. Subscribe to the blog to stay informed about Sandworm and its activity.