Latest headline

In March 2024, Sandworm targeted around 20 critical infrastructure facilities across Ukraine, encompassing energy, water, and heating suppliers. These attacks affected 10 regions and coincided with physical military strikes, indicating a coordinated effort to maximize disruption. 

Facilitated by compromised supply chains, the attacks deployed weaponized software due to the weak cybersecurity defenses of the entities and used several tools for persistence and privilege escalation in the cyberattacks against Ukraine's critical infrastructure.

Key points

• Russia backed cyber threat group

• Targets the US, Europe, and other Western nations

• 10136 IOCs as of publication

Fletch is constantly monitoring the threat landscape. The data in this guide is most up to date as of publication. Check out Sandworm’s Threat Board for any updates or create a workspace to be in the know for every threat.

Sandworm group summary

The Sandworm group, also known as BlackEnergy, Voodoo Bear, and APT44, is a cyber espionage and disruptive group linked to Russia's military intelligence agency, the GRU. Known for sophisticated cyber operations, Sandworm has been implicated in several high-profile attacks aimed at destabilizing or spying on nations, with a particular focus on Ukraine. Their activities are typically aligned with Russian geopolitical interests and have intensified during periods of heightened tensions or conflicts involving Russia.

• Severity: High

• Maturity: Mainstream

• IOCs: 10929 Malware hashes and 7 vulnerabilities

• Targets: 3 tech targets, 6 industry targets, and 12 geo targets

Learn more about Fletch’s metrics in the Fletch Help Center.

Sandworm group victims and motivations

While the group’s recent focus has largely been on Ukraine, Sandworm has conducted significant cyber operations against the United States, Europe, and other Western nations, with the goal of impacting governmental and private sector entities. 

The motivations behind their attacks range from dealing direct harm to a target’s critical infrastructure, to undermining public trust in government capabilities and destabilizing regional political climates.

Sandworm group tactics

Sandworm's approach involves infiltrating networks via compromised software updates or through software providers' maintenance access, utilizing a mix of established and newly developed tools. Following initial access, they use compromised software for lateral movements and to launch further attacks on corporate networks.

Notable targets and methodologies include:

• Ransomware Attacks: The 2017 NotPetya attacks caused billions in damages to businesses worldwide. It functioned primarily as a wiper under the guise of ransomware.

• Disruptions to Energy Grids: Their attacks have led to power outages and operational disruptions at energy companies in the US and Europe.

• Water Utility Compromise: The group has successfully infiltrated water utility companies in the US and Poland, posing immediate public health risks.

Sandworm has deployed a variety of malware tools including:

• QUEUESEED/IcyWell/Kapeka for Windows systems.

• BIASBOAT and LOADGRIP for Linux systems.

• Regeorg and BlackEnergy for establishing secure tunnels and executing data-wiping attacks, respectively.

Mitigation advice

At the time of publication this was the mitigation advice against Sandworm:

Short-Term:

• Ensure all Android devices have host-based detection systems installed.

• Limit the use of personal Android devices for work purposes, especially when handling sensitive information.

• Regularly back up critical data and systems to ensure quick recovery in case of an attack.

• Implement network segmentation to limit the potential impact of an attack.

• Enable multi-factor authentication for remote VPN connections to prevent unauthorized access.

Long-Term:

• Install security applications like Windows Defender Exploit Guard and Enhanced Mitigation Experience Toolkit to protect against software exploits.

• Use browser sandboxes and application microsegmentation to isolate applications and reduce the impact of exploitation.

• Use separate accounts for daily tasks and administrative tasks.

• Turn off User Account Control's privilege elevation for standard users and enable installer detection for all users.

• Regularly update all software on company devices; make sure all auto-update mechanisms are enabled and working correctly.

You can check out the most recent mitigation measures by creating a workspace.

Communication 

On top of mitigation advice, Fletch also provides Beta AI generated communications so you can educate your different company stakeholders. At the time of publication, this was what was recommended for the following:

For employees

For customers:

For more templates for your different stakeholders, create a workspace.

Takeaway

Sandworm continues to pose a significant threat to global security, particularly in regions experiencing geopolitical tensions with Russia. Their evolving toolkit and tactics necessitate ongoing vigilance and adaptive security strategies among at-risk nations and organizations. 

Robust defensive measures, regular updates, monitoring for indicators of compromise, and leveraging advanced threat detection capabilities are essential for stakeholders in critical infrastructure and cybersecurity sectors. Continued international cooperation and information sharing remain vital in combating the impact of Sandworm's disruptive activities.

Sandworm is just one example of an ever evolving threat that requires in-depth cyber intelligence to stay on top of. Fletch helps you keep track of, and prioritizes, them all. 

As the de facto record on the threat landscape, our AI engine is constantly scanning and indexing the threat landscape for you so you can plug the gaps in your security. You can use Fletch to prioritize your alerts, detect threats to your tech and people early, or simply to become an instant expert on any threat at any time. 

Learn more about Fletch’s threat intelligence or create a workspace.