EXPLORE
← Back to Actors

Sandworm Team

Sandworm TeamELECTRUMTelebotsIRON VIKINGBlackEnergy (Group)QuedaghVoodoo BearIRIDIUMSeashell BlizzardFROZENBARENTSAPT44

[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020) In October 2020, the US indicted six GRU Unit 74455 officers ...

79
Techniques
67
Covered
12
Gaps
85%
Coverage
Coverage67/79

COVERED (67)

T1003.001LSASS Memory111 det.T1003.003NTDS36 det.T1005Data from Local System47 det.T1018Remote System Discovery51 det.T1021.002SMB/Windows Admin Shares74 det.T1027Obfuscated Files or Information606 det.T1027.010Command Obfuscation38 det.T1033System Owner/User Discovery61 det.T1036Masquerading572 det.T1036.005Match Legitimate Resource Name or Location45 det.T1040Network Sniffing15 det.T1041Exfiltration Over C2 Channel32 det.T1047Windows Management Instrumentation88 det.T1049System Network Connections Discovery22 det.T1053.005Scheduled Task100 det.T1056.001Keylogging4 det.T1059.001PowerShell372 det.T1059.005Visual Basic69 det.T1070.004File Deletion43 det.T1071.001Web Protocols81 det.T1072Software Deployment Tools13 det.T1078Valid Accounts297 det.T1078.002Domain Accounts28 det.T1082System Information Discovery86 det.T1083File and Directory Discovery48 det.T1087.002Domain Account57 det.T1090Proxy48 det.T1102.002Bidirectional Communication16 det.T1105Ingress Tool Transfer184 det.T1106Native API29 det.T1132.001Standard Encoding5 det.T1133External Remote Services74 det.T1140Deobfuscate/Decode Files or Information58 det.T1190Exploit Public-Facing Application227 det.T1195Supply Chain Compromise40 det.T1195.002Compromise Software Supply Chain23 det.T1199Trusted Relationship6 det.T1203Exploitation for Client Execution79 det.T1204.001Malicious Link11 det.T1204.002Malicious File441 det.T1213.006Databases2 det.T1218.011Rundll3275 det.T1219Remote Access Tools42 det.T1485Data Destruction94 det.T1486Data Encrypted for Impact374 det.T1489Service Stop58 det.T1490Inhibit System Recovery62 det.T1491.002External Defacement1 det.T1499Endpoint Denial of Service10 det.T1505.003Web Shell65 det.T1539Steal Web Session Cookie16 det.T1555.003Credentials from Web Browsers16 det.T1561.002Disk Structure Wipe3 det.T1566.001Spearphishing Attachment979 det.T1566.002Spearphishing Link1005 det.T1570Lateral Tool Transfer23 det.T1571Non-Standard Port17 det.T1583Acquire Infrastructure1 det.T1583.001Domains62 det.T1587.001Malware10 det.T1588.002Tool13 det.T1589.002Email Addresses2 det.T1590.001Domain Properties2 det.T1592.002Software1 det.T1595.002Vulnerability Scanning13 det.T1598.003Spearphishing Link312 det.T1608.001Upload Malware3 det.