Intelligence_Summary.md
Adversary Overview 🏜️ 🪱

Sandworm Team [1] is a destructive threat group attributed to Russia's General Staff of the Armed Forces, Main Intelligence Directorate (GRU), that has reportedly been active since 2009. [2][3] In 2015 Sandworm used a BlackEnergy variant and the KillDisk module against three Ukrainian power distribution companies, causing a power outage during the Christmas holidays that left over 225,000 Ukrainian citizens without power in the middle of winter. [4] Sandworm is known for conducting large-scale, well-funded, destructive, and aggressive campaigns such as Olympic Destroyer, CrashOverride/Industroyer, and NotPetya. [5][6][7][8] NotPetya, a destructive worm-like wiper disguised as ransomware, spread into a global infection that caused nearly $1 billion in losses to three victim organizations alone. [2][9] The "Sandworm" name was derived from references to the novel Dune found throughout the malware code, which were initially used to attribute other pieces of malware to the adversary. [10]

Associated Names: ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, VOODOO BEAR

Group Overview Report References 🔗

| ID | Report Link |
|----|-------------|
| 1 | https://www.justice.gov/opa/press-release/file/1328521/download |
| 2 | https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and |
| 3 | https://www.justice.gov/opa/press-release/file/1328521/download |
| 4 | https://www.cisa.gov/uscert/ics/alerts/IR-ALERT-H-16-056-01 |
| 5 | https://www.digitalshadows.com/blog-and-research/mapping-mitre-attck-to-sandworm-apts-global-campaign/#:~:text=SandWorm%20is%20an%20APT%20group,aggressive%20and%20sometimes%20destructive%20cyberattacks. |
| 6 | http://blog.talosintelligence.com/2018/02/olympic-destroyer.html |
| 7 | https://www.dragos.com/wp-content/uploads/CrashOverride-01.pdf |
| 8 | https://blogs.vmware.com/security/2017/06/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware.html |
| 9 | https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/ |
| 10 | https://www.mandiant.com/resources/ukraine-and-sandworm-team |

Connect with us 🗨️

We 💖 feedback! Let us know how using ATT&CK Evaluation results has helped you and what we can do better.

Email: evals@mitre-engenuity.org
Twitter: https://twitter.com/MITREengenuity
LinkedIn: https://www.linkedin.com/company/mitre-engenuity/