Threat Intel Diaries #2 — Profiling Sandworm Team (APT44)


Threat Actor Overview

Sandworm Team, also known as APT44 or the BlackEnergy Group, is a Russian state-sponsored threat actor linked to GRU Unit 74455. They're behind some of the most destructive cyber attacks in recent history, including NotPetya and the 2015/2016 Ukraine power grid blackouts. They've been active since at least 2009, and their operations have escalated over time in both scope and impact.

They are responsible for:

  • BlackEnergy malware used in attacks against Ukrainian infrastructure
  • Industroyer/CrashOverride — malware targeting Industrial Control Systems (ICS)
  • NotPetya (2017) — one of the most devastating cyberattacks in history, disguised as ransomware but designed to destroy
  • Olympic Destroyer — targeted the 2018 Winter Olympics in South Korea
  • Recent operations include Industroyer2, targeting Ukraine's energy sector in 2022

Motives and Objectives

Their main goal is to disrupt, destroy, or spy on critical infrastructure in countries considered hostile to Russian interests. Most of their attacks are politically motivated, aimed at energy sectors, government, and military systems.

  • Cyber sabotage — disrupting critical infrastructure in enemy states
  • Espionage — stealing data from governments and military organizations
  • Psychological impact — causing fear, uncertainty, and loss of public trust
  • Hybrid warfare support — combining cyber attacks with kinetic or political campaigns (Russia's invasion of Ukraine)

They don't just want access — they want to break things, cause damage, and send a message.

Capabilities

Sandworm is one of the few threat actors that has demonstrated the ability to cause real-world physical effects through cyber. They specialize in:

  • ICS/SCADA exploitation: They have custom malware built specifically to disable power grids and critical infrastructure (e.g., Industroyer, KillDisk)
  • Wipers: NotPetya was disguised as ransomware but was designed to wipe data and cause chaos
  • Custom malware: They often develop their own toolkits instead of relying on off-the-shelf tools
  • Operational security: They use VPNs, obfuscation, and even manipulate timestamps to cover tracks
  • Supply chain attacks: They've used infected software updates to gain access to targets (e.g., MeDoc used in NotPetya)

Tools & TTPs

INITIAL ACCESS

  • T1566 Phishing: Sandworm mainly relied on spearphishing emails to get into systems or steal login credentials. They made the emails look like they came from trusted or known contacts. Before launching their attacks, they even tested different spearphishing methods to make sure they'd work effectively.

Tools they used: most likely spearphishing documents

EXECUTION

  • T1059 Command and Scripting Interpreter: Sandworm often used PowerShell to gather system info, run code, and drop malware.
    In one case they ran a PowerShell script loaded with a credential-stealing tool that stayed only in memory, which made it hard for antivirus to catch.
  • T1204 User Execution: Most spearphishing emails from Sandworm included files that the user had to open to launch the malware.

Tools they used: PowerShell, P.A.S. web shell

PERSISTENCE

  • T1078 Valid Accounts: To stay inside victim systems, Sandworm kept using stolen usernames and passwords.
    They installed malware and used hacking tools to hold control of the machines and networks.

Tools they used: GreyEnergy, Chopstick

PRIVILEGE ESCALATION

  • T1078 Valid Accounts: Sandworm used malware to raise their access level, check for antivirus software, and look for other computers on the network to attack next.

Tools they used: Mimikatz, Exaramel

DEFENSE EVASION

  • T1070 Indicator Removal on Host: They used an algorithm to hide key traits of Olympic Destroyer so defenders would struggle to investigate.
    They also tried to cover their tracks by deleting files, logs, and other evidence.
  • T1036 Masquerading: Sometimes Sandworm copied methods used by Lazarus Group to hide their real identity and actions.

Tools they used: Olympic Destroyer, custom obfuscation scripts, WinRAR

CREDENTIAL ACCESS

  • T1003 OS Credential Dumping: They dumped login data to steal account credentials from infected systems.
  • T1552 Unsecured Credentials: Their malware rewrote itself to collect more usernames and passwords from each machine before jumping to the next one.

Tools they used: Mimikatz, In-memory PowerShell stealers

DISCOVERY

  • T1083 File and Directory Discovery: They searched through files, ran scripts, and looked for anything with login details or network info.

Tools they used: PowerView (likely), custom PowerShell scripts

LATERAL MOVEMENT

  • T1210 Exploitation of Remote Services: They broke into remote systems and planted malware to gain deeper access, run tools, and move across the network.

Tools they used: PsExec, WMI, RDP

COLLECTION

  • T1083 File and Directory Discovery: Once inside, they looked for and gathered specific data like usernames, IPs, and RDP session info.
    They also grabbed credentials to help them spread deeper into the network.

Tools they used: GreyEnergy, custom data collection scripts

COMMAND AND CONTROL (C2)

  • T1001 Data Obfuscation: They set up a hidden tunnel to connect the hacked network to their own server.
    This tunnel let them send commands, install tools, and move data without being noticed.

Tools they used: Exaramel, GreyEnergy, custom HTTPS and DNS tunnels

EXFILTRATION

  • T1078 Valid Accounts: They used real login credentials to steal data and pull sensitive files out of the target environment.

Tools they used: PowerShell scripts, WinRAR

IMPACT

  • T1491 Defacement: They defaced over one thousand websites and caused service disruptions after breaching a Georgian hosting provider.
  • T1490 Inhibit System Recovery: They pushed destructive malware that wiped files, forced shutdowns, and damaged system recovery by tampering with BitLocker settings, making machines unusable.

Tools they used: NotPetya, Olympic Destroyer, KillDisk, BitLocker

IOC (Indicators of compromise)

Indicators of Compromise (IOCs) are pieces of forensic data or artifacts observed on a network or in operating system files that indicate a potential intrusion, breach, or malicious activity. They act as digital "clues" that security teams use to detect, identify, and respond to cyber threats.

CVE:

  • CVE-2014-4114

Domains:


URLs:

File Hashes:


IP Addresses:


Target Sectors & Victim Profile

Who do they go after?

Sandworm's focus is on high-value targets that align with Russia's strategic interests. They usually aim at:

  • Energy sector (power grids, nuclear, oil & gas)
  • Government institutions
  • Military and defense contractors
  • Media outlets
  • Elections and democratic infrastructure

Victim geography:

  • Ukraine (primary target)
  • NATO countries
  • United States
  • EU member states (especially Eastern Europe)
  • Georgia (notably during the 2008 conflict)

Their Campaigns History

Here's a quick timeline of major attacks:

2014–2015: BlackEnergy attacks — first major ICS-targeted malware against the Ukrainian power grid

Dec 2015: Ukraine power grid outage — first known cyberattack to cause a power blackout

2016: Industroyer (CrashOverride) — second attack on Ukraine's power grid

2017: NotPetya — disguised as ransomware, wiped data globally; targeted Ukraine but spread worldwide

2018: Olympic Destroyer — disrupted the Winter Olympics in South Korea

2020: French network attack — exploited Centreon monitoring software

2022: Industroyer2 — attempted repeat of the Ukraine power grid attack during the war

Recommended Defenses

Practical steps organizations should take:

Asset inventory: Know your critical systems, especially ICS/SCADA components

Network segmentation: Isolate OT from IT networks and restrict lateral movement

Regular patching: Focus on remote execution vulnerabilities and privilege escalation

Email security: Harden against phishing and malicious attachments

Logging and monitoring: Especially for PowerShell, WMI, PsExec, and scheduled tasks

Threat hunting: Look for known Sandworm indicators (IP addresses, C2 domains, malware hashes)

Incident response planning: Prepare for destructive attacks, not just espionage

Backups: Maintain offline, immutable backups in case of wiper attacks
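As an added example (not code from the original post), here is a small Python detector that applies the "logging and monitoring" advice above to constructed sample Windows events: it flags PowerShell launched from an Office document or with an encoded/hidden-window command line, a PsExec PSEXESVC service install, and child processes spawned by the WMI provider host. The event records, hostnames and field names are all constructed assumptions (a simple normalised schema, not any particular SIEM's format), and the encoded payload is a harmless constructed string.

```python
import base64
import re

# Constructed sample events (not real telemetry): normalised Windows log records.
# 4688 = process creation (Security log), 7045 = new service installed (System log).
SAMPLE_EVENTS = [
    {"id": 4688, "host": "ws01", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 7045, "host": "srv02", "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 4688, "host": "srv03", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"id": 4688, "host": "ws04", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Reports"},   # benign admin use, should not fire
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
CRADLE_TOKENS = ("iex", "invoke-expression", "downloadstring", "net.webclient", "frombase64string")
# PowerShell accepts -e, -ec, -enc and -EncodedCommand; the payload is base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none / it is not valid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:   # binascii.Error is a ValueError subclass
        return None


def detect(events):
    """Run the behavioural checks over normalised events; return (host, technique, reason) tuples."""
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["id"] == 7045 and "psexesvc" in (ev.get("service", "") + ev.get("image", "")).lower():
            findings.append((host, "T1210 (PsExec)", "PSEXESVC service installed"))
            continue
        if ev["id"] != 4688:
            continue
        parent = ev.get("parent", "").lower().rsplit("\\", 1)[-1]   # basename of parent image
        cmd = ev.get("cmdline", "")
        if parent.endswith(OFFICE_PARENTS) and "powershell" in cmd.lower():
            findings.append((host, "T1204 / T1059", f"PowerShell spawned by {parent}"))
        if parent == "wmiprvse.exe":
            findings.append((host, "T1047 (WMI)", f"process spawned by WmiPrvSE.exe: {cmd}"))
        decoded = decode_encoded_command(cmd)
        lowered = (cmd + " " + (decoded or "")).lower()   # inspect the decoded text as well
        if decoded is not None or "-w hidden" in lowered or any(t in lowered for t in CRADLE_TOKENS):
            findings.append((host, "T1059.001", f"suspicious PowerShell: {decoded or cmd}"))
    return findings
```

Indicators such as IPs and domains rotate between campaigns, so behavioural checks like these complement, rather than replace, IOC matching.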

Karim Walid