On Thursday, October 15th, the United States Department of Justice (DoJ) indicted six Russian military officers connected to the SandWorm advanced persistent threat (APT) group, a threat group attributed to Russia’s Main Intelligence Directorate (GRU). According to the indictment, beginning in or around November 2015 and continuing until at least in or around October 2019, the defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers (hacking). 

Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics. 

Digital Shadows, throughout the years, has tracked SandWorm, and has now revisited the tactics, techniques and procedures (TTPs) behind the SandWorm APT. Below, is a summary of the Digital Shadows research, which can be found here. All of the following research, including the writing, belongs to Digital Shadows. 

According to the Photon Research Team, SandWorm has been active since at least 2009. Researchers have suggested the group was involved in attacks against Georgia in 2008. The tactics employed in SandWorm’s campaigns align with GRU’s philosophy of leveraging aggressive and sometimes destructive cyberattacks. 

The indictment, says the research team, not only represents the first criminal charges against SandWorm for its most destructive attacks but the first time that most of the charged threat actors have been publicly identified as members of the cybercriminal group. They also represent SandWorm’s first global law enforcement reaction to their deployment of the NotPetya malware.

Other notable campaigns attributed to SandWorm, include: 

• Around December 2015 and December 2016, SandWorm attempted to destabilize Ukraine by launching cyberattacks against companies that support the country’s electric infrastructure, disrupting the supply of electricity to more than 225,000 Ukrainian customers.
• SandWorm launched spearphishing campaigns targeting local government entities, political parties, and campaigns in France, including those connected with French President Emmanuel Macron’s presidential campaign. 
• Around June 2017, SandWorm launched its “NotPetya” malware campaign, causing hundreds of victim organizations worldwide to lose one billion dollars collectively.
•  SandWorm retaliated against the 2018 Winter Olympics by launching cyberattacks against critical infrastructure after a Russian government-sponsored doping effort led to Russian athletes being unable to participate under the Russian flag.
• Around April 2018, SandWorm undermined efforts to hold Russia accountable for its use of a weapons-grade nerve agent on foreign soil by launching spearphishing campaigns against international and government organizations investigating the poisoning of a former GRU officer and his daughter.  
• SandWorm defaced approximately 15,000 websites in Georgia by launching a cyberattack around October 2019. 

MITRE ATT&CK MAPPING

INITIAL ACCESS

T1566: Phishing

SandWorm threat group members primarily used spearphishing emails to gain access to computers or account credentials. The group specifically crafted the emails to resemble those from trustworthy or familiar senders. Attackers went so far as to develop and test spearphishing techniques before carrying out their campaigns to increase their success chances. 

EXECUTION

T1059: Command and Scripting Interpreter

SandWorm heavily leveraged PowerShell commands and scripts to discover system information, execute code, and download malware. In one instance, the group executed a malicious PowerShell script that contained versions of a credential harvesting tool. The tool operated only in memory and was not easily detectable by antivirus software.

T1204: User Execution

Many of the spearphishing emails sent by SandWorm contained malware-laced documents that required user execution to deploy. 

PERSISTENCE

T1078: Valid Accounts

To maintain their foothold, SandWorm obtained and repeatedly used existing accounts’ credentials to preserve persistence in victim systems. The group primarily deployed malware and leveraged hacking tools to maintain control over victim computers and networks. 

PRIVILEGE ESCALATION

T1078: Valid Accounts

SandWorm leveraged malware to escalate system privileges and determine whether particular antivirus processors were running, then attempted to identify other computers on the same network to potentially compromise. 

DEFENSE EVASION

T1070: Indicator Removal on Host

SandWorm used an algorithm to obscure particular features of the Olympic Destroyer malware to obstruct post-attack investigations and avoid detection. The group also attempted to obfuscate their activity by deleting data from compromised machines and servers and clearing event logs. 

T1036: Masquerading

On multiple occasions, SandWorm attempted to masquerade their activity through researching and emulating malware used by the Lazarus Group. 

CREDENTIAL ACCESS

T1003: OS Credential Dumping

SandWorm dumped credentials to obtain account login and credential details from compromised machines. 

T1552: Unsecured Credentials

SandWorm leveraged customized malware to overwrite itself to incorporate any additional usernames and passwords that it could obtain from the previous computer before spreading to the next computer.

DISCOVERY

T1083: File and Directory Discovery

SandWorm repeatedly accessed and browsed files, ran malicious scripts, and searched compromised machines for credential files and files containing network configuration details. 

LATERAL MOVEMENT

T1210: Exploitation of Remote Services

SandWorm exploited remote services to gain unauthorized access to internal systems. Once they gained access to the remote system, they deployed malware that was leveraged to obtain system privileges, extract and execute an open-source credential harvesting tool, and move laterally throughout the network.

COLLECTION

T1083: File and Directory Discovery

After gaining access to victims’ computers, SandWorm threat actors performed various functions designed to identify, collect, package, and view targeted data, including usernames, IP addresses, and server data relating to RDP sessions on the target computers. This activity included stealing credentials that allowed them to move laterally and exponentially throughout victims’ computer networks.

COMMAND AND CONTROL

T1001: Data Obfuscation

SandWorm established command and control to create a single point of access between compromised networks and a server they controlled. The tunnel allowed them to hide their activity, issue commands, install additional tools, and transfer data.

EXFILTRATION

T1078: Valid Accounts

SandWorm leveraged legitimate credentials to exfiltrate data from a victim network and retrieve internal documents from machines inside victim environments. 

IMPACT

T1491: Defacement

SandWorm defaced approximately 1,500 websites and disrupted service to some of those websites following the Georgian web hosting provider’s compromise. 

T1490: Inhibit System Recovery

The group deployed destructive malware to delete files from the hard drive, force shutdowns, and impede rebooting and recovery by misconfiguring BitLocker, rendering computers inoperable.

 

Although the indictment will not likely deter future activity from Russian state-associated threat actors, it still is a step in the right direction. And considering the GRU allegedly sponsored APT group, the arrest and extraction of its members are unlikely. But, writes Digital Shadows, "it is possible that authorities would impose sanctions against the alleged cybercriminals and the GRU unit that sponsors them, considering this countermeasure has previously been used. For now, SandWorm’s indictments will limit their ability to use the Western financial system or travel to any country that may have an extradition agreement with the US."

For the full blog, please visit https://www.digitalshadows.com/blog-and-research/mapping-mitre-attck-to-sandworm-apts-global-campaign/