Sandworm Team
Also known as: ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, Voodoo Bear, IRIDIUM, Seashell Blizzard, FROZENBARENTS, APT44
[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020) In October 2020, the US indicted six GRU Unit 74455 officers ...
Techniques: 79 | Covered: 66 | Gaps: 13 | Coverage: 84% (66/79)
GAPS (13)

- T1087.003 Email Account
- T1583.004 Server
- T1584.004 Server
- T1584.005 Botnet
- T1585.001 Social Media Accounts
- T1585.002 Email Accounts
- T1586.001 Social Media Accounts
- T1588.006 Vulnerabilities
- T1589.003 Employee Names
- T1591.002 Business Relationships
- T1592.002 Software
- T1593 Search Open Websites/Domains
- T1594 Search Victim-Owned Websites
COVERED (66)

| Technique ID | Technique | Detections |
|---|---|---|
| T1003.001 | LSASS Memory | 105 |
| T1003.003 | NTDS | 34 |
| T1005 | Data from Local System | 46 |
| T1018 | Remote System Discovery | 46 |
| T1021.002 | SMB/Windows Admin Shares | 67 |
| T1027 | Obfuscated Files or Information | 525 |
| T1027.010 | Command Obfuscation | 31 |
| T1033 | System Owner/User Discovery | 59 |
| T1036 | Masquerading | 493 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1040 | Network Sniffing | 15 |
| T1041 | Exfiltration Over C2 Channel | 30 |
| T1047 | Windows Management Instrumentation | 85 |
| T1049 | System Network Connections Discovery | 21 |
| T1053.005 | Scheduled Task | 82 |
| T1056.001 | Keylogging | 4 |
| T1059.001 | PowerShell | 338 |
| T1059.005 | Visual Basic | 66 |
| T1070.004 | File Deletion | 40 |
| T1071.001 | Web Protocols | 74 |
| T1072 | Software Deployment Tools | 13 |
| T1078 | Valid Accounts | 252 |
| T1078.002 | Domain Accounts | 26 |
| T1082 | System Information Discovery | 80 |
| T1083 | File and Directory Discovery | 48 |
| T1087.002 | Domain Account | 55 |
| T1090 | Proxy | 44 |
| T1102.002 | Bidirectional Communication | 14 |
| T1105 | Ingress Tool Transfer | 170 |
| T1106 | Native API | 27 |
| T1132.001 | Standard Encoding | 5 |
| T1133 | External Remote Services | 72 |
| T1140 | Deobfuscate/Decode Files or Information | 55 |
| T1190 | Exploit Public-Facing Application | 208 |
| T1195 | Supply Chain Compromise | 40 |
| T1195.002 | Compromise Software Supply Chain | 23 |
| T1199 | Trusted Relationship | 6 |
| T1203 | Exploitation for Client Execution | 71 |
| T1204.001 | Malicious Link | 9 |
| T1204.002 | Malicious File | 397 |
| T1213.006 | Databases | 2 |
| T1218.011 | Rundll32 | 73 |
| T1219 | Remote Access Tools | 33 |
| T1485 | Data Destruction | 90 |
| T1486 | Data Encrypted for Impact | 339 |
| T1489 | Service Stop | 54 |
| T1490 | Inhibit System Recovery | 56 |
| T1491.002 | External Defacement | 1 |
| T1499 | Endpoint Denial of Service | 10 |
| T1505.003 | Web Shell | 57 |
| T1539 | Steal Web Session Cookie | 12 |
| T1555.003 | Credentials from Web Browsers | 15 |
| T1561.002 | Disk Structure Wipe | 3 |
| T1566.001 | Spearphishing Attachment | 850 |
| T1566.002 | Spearphishing Link | 837 |
| T1570 | Lateral Tool Transfer | 20 |
| T1571 | Non-Standard Port | 16 |
| T1583 | Acquire Infrastructure | 1 |
| T1583.001 | Domains | 61 |
| T1587.001 | Malware | 9 |
| T1588.002 | Tool | 13 |
| T1589.002 | Email Addresses | 2 |
| T1590.001 | Domain Properties | 2 |
| T1595.002 | Vulnerability Scanning | 12 |
| T1598.003 | Spearphishing Link | 271 |
| T1608.001 | Upload Malware | 2 |