
Sandworm Team

Associated names: Sandworm Team, ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, Voodoo Bear, IRIDIUM, Seashell Blizzard, FROZENBARENTS, APT44

[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020) In October 2020, the US indicted six GRU Unit 74455 officers ...

Techniques: 79
Covered: 67
Gaps: 12
Coverage: 85% (67/79)

COVERED (67)

| Technique ID | Technique name | Detections |
|---|---|---|
| T1003.001 | LSASS Memory | 111 |
| T1003.003 | NTDS | 36 |
| T1005 | Data from Local System | 47 |
| T1018 | Remote System Discovery | 50 |
| T1021.002 | SMB/Windows Admin Shares | 73 |
| T1027 | Obfuscated Files or Information | 561 |
| T1027.010 | Command Obfuscation | 38 |
| T1033 | System Owner/User Discovery | 61 |
| T1036 | Masquerading | 525 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1040 | Network Sniffing | 15 |
| T1041 | Exfiltration Over C2 Channel | 31 |
| T1047 | Windows Management Instrumentation | 87 |
| T1049 | System Network Connections Discovery | 22 |
| T1053.005 | Scheduled Task | 99 |
| T1056.001 | Keylogging | 4 |
| T1059.001 | PowerShell | 368 |
| T1059.005 | Visual Basic | 68 |
| T1070.004 | File Deletion | 42 |
| T1071.001 | Web Protocols | 80 |
| T1072 | Software Deployment Tools | 13 |
| T1078 | Valid Accounts | 280 |
| T1078.002 | Domain Accounts | 28 |
| T1082 | System Information Discovery | 86 |
| T1083 | File and Directory Discovery | 48 |
| T1087.002 | Domain Account | 57 |
| T1090 | Proxy | 46 |
| T1102.002 | Bidirectional Communication | 15 |
| T1105 | Ingress Tool Transfer | 183 |
| T1106 | Native API | 29 |
| T1132.001 | Standard Encoding | 5 |
| T1133 | External Remote Services | 72 |
| T1140 | Deobfuscate/Decode Files or Information | 58 |
| T1190 | Exploit Public-Facing Application | 216 |
| T1195 | Supply Chain Compromise | 40 |
| T1195.002 | Compromise Software Supply Chain | 23 |
| T1199 | Trusted Relationship | 6 |
| T1203 | Exploitation for Client Execution | 75 |
| T1204.001 | Malicious Link | 10 |
| T1204.002 | Malicious File | 425 |
| T1213.006 | Databases | 2 |
| T1218.011 | Rundll32 | 75 |
| T1219 | Remote Access Tools | 40 |
| T1485 | Data Destruction | 91 |
| T1486 | Data Encrypted for Impact | 360 |
| T1489 | Service Stop | 57 |
| T1490 | Inhibit System Recovery | 59 |
| T1491.002 | External Defacement | 1 |
| T1499 | Endpoint Denial of Service | 10 |
| T1505.003 | Web Shell | 63 |
| T1539 | Steal Web Session Cookie | 15 |
| T1555.003 | Credentials from Web Browsers | 16 |
| T1561.002 | Disk Structure Wipe | 3 |
| T1566.001 | Spearphishing Attachment | 905 |
| T1566.002 | Spearphishing Link | 904 |
| T1570 | Lateral Tool Transfer | 22 |
| T1571 | Non-Standard Port | 16 |
| T1583 | Acquire Infrastructure | 1 |
| T1583.001 | Domains | 61 |
| T1587.001 | Malware | 10 |
| T1588.002 | Tool | 13 |
| T1589.002 | Email Addresses | 2 |
| T1590.001 | Domain Properties | 2 |
| T1592.002 | Software | 1 |
| T1595.002 | Vulnerability Scanning | 12 |
| T1598.003 | Spearphishing Link | 285 |
| T1608.001 | Upload Malware | 3 |