Digital Shadows maps out MITRE ATT&CK to SandWorm APT's campaign

October 30, 2020

On Thursday, October 15th, the United States Department of Justice (DoJ) indicted six Russian military officers connected to the SandWorm advanced persistent threat (APT) group, a threat group attributed to Russia’s Main Intelligence Directorate (GRU). According to the indictment, beginning in or around November 2015 and continuing until at least in or around October 2019, the defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers (hacking). 

Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics. 

Digital Shadows has tracked SandWorm over the years and has now revisited the tactics, techniques and procedures (TTPs) behind the SandWorm APT. Below is a summary of the Digital Shadows research, which can be found here. All of the following research, including the writing, belongs to Digital Shadows.

According to the Photon Research Team, SandWorm has been active since at least 2009. Researchers have suggested the group was involved in attacks against Georgia in 2008. The tactics employed in SandWorm’s campaigns align with GRU’s philosophy of leveraging aggressive and sometimes destructive cyberattacks. 

The indictment, says the research team, not only represents the first criminal charges against SandWorm for its most destructive attacks but also the first time that most of the charged threat actors have been publicly identified as members of the group. The charges also represent the first global law enforcement reaction to SandWorm's deployment of the NotPetya malware.

Other notable campaigns attributed to SandWorm include:

  • Around December 2015 and December 2016, SandWorm attempted to destabilize Ukraine by launching cyberattacks against companies that support the country’s electric infrastructure, disrupting the supply of electricity to more than 225,000 Ukrainian customers.
  • SandWorm launched spearphishing campaigns targeting local government entities, political parties, and campaigns in France, including those connected with French President Emmanuel Macron’s presidential campaign. 
  • Around June 2017, SandWorm launched its “NotPetya” malware campaign, causing hundreds of victim organizations worldwide to lose one billion dollars collectively.
  • SandWorm retaliated against the 2018 Winter Olympics by launching cyberattacks against critical infrastructure after a Russian government-sponsored doping effort led to Russian athletes being unable to participate under the Russian flag.
  • Around April 2018, SandWorm undermined efforts to hold Russia accountable for its use of a weapons-grade nerve agent on foreign soil by launching spearphishing campaigns against international and government organizations investigating the poisoning of a former GRU officer and his daughter.  
  • SandWorm defaced approximately 15,000 websites in Georgia by launching a cyberattack around October 2019. 

MITRE ATT&CK MAPPING

INITIAL ACCESS

T1566: Phishing

SandWorm threat group members primarily used spearphishing emails to gain access to computers or account credentials. The group specifically crafted the emails to resemble those from trustworthy or familiar senders. Attackers went so far as to develop and test spearphishing techniques before carrying out their campaigns to increase their chances of success.

 

EXECUTION

T1059: Command and Scripting Interpreter

SandWorm heavily leveraged PowerShell commands and scripts to discover system information, execute code, and download malware. In one instance, the group executed a malicious PowerShell script that contained versions of a credential harvesting tool. The tool operated only in memory and was not easily detectable by antivirus software.

T1204: User Execution

Many of the spearphishing emails sent by SandWorm contained malware-laced documents that required user execution to deploy. 

 

PERSISTENCE

T1078: Valid Accounts

To maintain their foothold, SandWorm obtained and repeatedly used existing accounts’ credentials to preserve persistence in victim systems. The group primarily deployed malware and leveraged hacking tools to maintain control over victim computers and networks. 

 

PRIVILEGE ESCALATION

T1078: Valid Accounts

SandWorm leveraged malware to escalate system privileges and determine whether particular antivirus processes were running, then attempted to identify other computers on the same network to potentially compromise.

 

DEFENSE EVASION

T1070: Indicator Removal on Host

SandWorm used an algorithm to obscure particular features of the Olympic Destroyer malware to obstruct post-attack investigations and avoid detection. The group also attempted to obfuscate their activity by deleting data from compromised machines and servers and clearing event logs. 
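A defender-side illustration of the event-log clearing described under T1070, added here and not part of the Digital Shadows research: it parses constructed Windows event records as a SIEM might export them, tags each log-clear event with the ATT&CK technique, and rolls the alerts up per host so that clearing several channels on one machine is rated higher than a single clear. The event IDs 1102 and 104 are assumed from Windows documentation; hosts, users and timestamps are made up.

```python
import json
from collections import defaultdict

# Windows event IDs written when an event log is cleared (assumed from
# Windows documentation, not from the article): 1102 = Security log cleared,
# 104 = a log cleared through the Eventlog service (System/Application).
LOG_CLEARED_EVENT_IDS = {1102, 104}

# Constructed sample records, one JSON object per line; hosts, users and
# times are invented for this example.
SAMPLE_EVENTS = """
{"EventID": 4624, "Channel": "Security", "Computer": "WS01", "SubjectUserName": "jdoe", "TimeCreated": "2020-10-15T09:01:00Z"}
{"EventID": 1102, "Channel": "Security", "Computer": "WS01", "SubjectUserName": "svc_backup", "TimeCreated": "2020-10-15T09:05:12Z"}
{"EventID": 104, "Channel": "System", "Computer": "WS01", "SubjectUserName": "svc_backup", "TimeCreated": "2020-10-15T09:05:13Z"}
{"EventID": 104, "Channel": "System", "Computer": "SRV02", "SubjectUserName": "admin", "TimeCreated": "2020-10-15T11:40:00Z"}
""".strip()


def parse_events(text):
    """Parse newline-delimited JSON event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_log_clearing(events):
    """Emit one ATT&CK-tagged alert (T1070, Defense Evasion) per log-clear event."""
    alerts = []
    for ev in events:
        if ev.get("EventID") in LOG_CLEARED_EVENT_IDS:
            alerts.append({
                "technique": "T1070",
                "tactic": "Defense Evasion",
                "host": ev["Computer"],
                "user": ev.get("SubjectUserName", "unknown"),
                "channel": ev["Channel"],
                "time": ev["TimeCreated"],
            })
    return alerts


def summarize_by_host(alerts):
    """Roll alerts up per host; several channels cleared on one host is rated high."""
    channels = defaultdict(set)
    for a in alerts:
        channels[a["host"]].add(a["channel"])
    return {host: {"channels": sorted(chans),
                   "severity": "high" if len(chans) > 1 else "medium"}
            for host, chans in channels.items()}


if __name__ == "__main__":
    print(summarize_by_host(detect_log_clearing(parse_events(SAMPLE_EVENTS))))
```

A single 1102 from a known maintenance account can be routine; the per-host roll-up is what separates that from a host whose Security and System logs were wiped seconds apart.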

T1036: Masquerading

On multiple occasions, SandWorm attempted to masquerade their activity through researching and emulating malware used by the Lazarus Group. 

 

CREDENTIAL ACCESS

T1003: OS Credential Dumping

SandWorm dumped credentials to obtain account login and credential details from compromised machines. 

T1552: Unsecured Credentials

SandWorm leveraged customized malware to overwrite itself to incorporate any additional usernames and passwords that it could obtain from the previous computer before spreading to the next computer.

 

DISCOVERY

T1083: File and Directory Discovery

SandWorm repeatedly accessed and browsed files, ran malicious scripts, and searched compromised machines for credential files and files containing network configuration details. 

 

LATERAL MOVEMENT

T1210: Exploitation of Remote Services

SandWorm exploited remote services to gain unauthorized access to internal systems. Once they gained access to the remote system, they deployed malware that was leveraged to obtain system privileges, extract and execute an open-source credential harvesting tool, and move laterally throughout the network.

 

COLLECTION

T1083: File and Directory Discovery

After gaining access to victims’ computers, SandWorm threat actors performed various functions designed to identify, collect, package, and view targeted data, including usernames, IP addresses, and server data relating to RDP sessions on the target computers. This activity included stealing credentials that allowed them to move laterally and exponentially throughout victims’ computer networks.

 

COMMAND AND CONTROL

T1001: Data Obfuscation

SandWorm established command and control to create a single point of access between compromised networks and a server they controlled. The tunnel allowed them to hide their activity, issue commands, install additional tools, and transfer data.

 

EXFILTRATION

T1078: Valid Accounts

SandWorm leveraged legitimate credentials to exfiltrate data from a victim network and retrieve internal documents from machines inside victim environments. 

 

IMPACT

T1491: Defacement

SandWorm defaced approximately 1,500 websites and disrupted service to some of those websites following the Georgian web hosting provider’s compromise. 

T1490: Inhibit System Recovery

The group deployed destructive malware to delete files from the hard drive, force shutdowns, and impede rebooting and recovery by misconfiguring BitLocker, rendering computers inoperable.

 

Although the indictment will not likely deter future activity from Russian state-associated threat actors, it is still a step in the right direction. And considering the GRU allegedly sponsors the APT group, the arrest and extradition of its members are unlikely. But, writes Digital Shadows, "it is possible that authorities would impose sanctions against the alleged cybercriminals and the GRU unit that sponsors them, considering this countermeasure has previously been used. For now, SandWorm’s indictments will limit their ability to use the Western financial system or travel to any country that may have an extradition agreement with the US."

For the full blog, please visit https://www.digitalshadows.com/blog-and-research/mapping-mitre-attck-to-sandworm-apts-global-campaign/
