{
"type": "bundle",
"id": "bundle--22e4ffac-f98d-417c-bb0b-58d004e024a3",
"spec_version": "2.0",
"objects": [
{
"modified": "2024-12-04T21:17:08.593Z",
"name": "Sandworm Team",
"description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)",
"aliases": [
"Sandworm Team",
"ELECTRUM",
"Telebots",
"IRON VIKING",
"BlackEnergy (Group)",
"Quedagh",
"Voodoo Bear",
"IRIDIUM",
"Seashell Blizzard",
"FROZENBARENTS",
"APT44"
],
"x_mitre_deprecated": false,
"x_mitre_version": "4.2",
"x_mitre_contributors": [
"Dragos Threat Intelligence",
"Hakan KARABACAK"
],
"type": "intrusion-set",
"spec_version": "2.1",
"id": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
"created": "2017-05-31T21:32:04.588Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/groups/G0034",
"external_id": "G0034"
},
{
"source_name": "Voodoo Bear",
"description": "(Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)"
},
{
"source_name": "ELECTRUM",
"description": "(Citation: Dragos ELECTRUM)(Citation: UK NCSC Olympic Attacks October 2020)"
},
{
"source_name": "Sandworm Team",
"description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)"
},
{
"source_name": "Quedagh",
"description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)"
},
{
"source_name": "FROZENBARENTS",
"description": "(Citation: Leonard TAG 2023)"
},
{
"source_name": "APT44",
"description": "(Citation: mandiant_apt44_unearthing_sandworm)"
},
{
"source_name": "IRIDIUM",
"description": "(Citation: Microsoft Prestige ransomware October 2022)"
},
{
"source_name": "Seashell Blizzard",
"description": "(Citation: Microsoft Threat Actor Naming July 2023)"
},
{
"source_name": "BlackEnergy (Group)",
"description": "(Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)"
},
{
"source_name": "Telebots",
"description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)"
},
{
"source_name": "IRON VIKING",
"description": "(Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)"
},
{
"source_name": "Leonard TAG 2023",
"description": "Billy Leonard. (2023, April 19). Ukraine remains Russia\u2019s biggest cyber focus in 2023. Retrieved March 1, 2024.",
"url": "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/"
},
{
"source_name": "US District Court Indictment GRU Oct 2018",
"description": "Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.",
"url": "https://www.justice.gov/opa/page/file/1098481/download"
},
{
"source_name": "Dragos ELECTRUM",
"description": "Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.",
"url": "https://www.dragos.com/resource/electrum/"
},
{
"source_name": "F-Secure BlackEnergy 2014",
"description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
"url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"
},
{
"source_name": "iSIGHT Sandworm 2014",
"description": "Hultquist, J. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.",
"url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html"
},
{
"source_name": "CrowdStrike VOODOO BEAR",
"description": "Meyers, A. (2018, January 19). Meet CrowdStrike\u2019s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.",
"url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/"
},
{
"source_name": "Microsoft Threat Actor Naming July 2023",
"description": "Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
"url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
},
{
"source_name": "Microsoft Prestige ransomware October 2022",
"description": "MSTIC. (2022, October 14). New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.",
"url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"
},
{
"source_name": "InfoSecurity Sandworm Oct 2014",
"description": "Muncaster, P. (2014, October 14). Microsoft Zero Day Traced to Russian \u2018Sandworm\u2019 Hackers. Retrieved October 6, 2017.",
"url": "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/"
},
{
"source_name": "NCSC Sandworm Feb 2020",
"description": "NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.",
"url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory"
},
{
"source_name": "USDOJ Sandworm Feb 2020",
"description": "Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved September 12, 2024.",
"url": "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia/index.html"
},
{
"source_name": "mandiant_apt44_unearthing_sandworm",
"description": "Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.",
"url": "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf"
},
{
"source_name": "US District Court Indictment GRU Unit 74455 October 2020",
"description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.",
"url": "https://www.justice.gov/opa/press-release/file/1328521/download"
},
{
"source_name": "Secureworks IRON VIKING ",
"description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.",
"url": "https://www.secureworks.com/research/threat-profiles/iron-viking"
},
{
"source_name": "UK NCSC Olympic Attacks October 2020",
"description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games. Retrieved November 30, 2020.",
"url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.2.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_domains": [
"enterprise-attack",
"ics-attack",
"mobile-attack"
]
}
]
} |