Sandworm Team Analysis
IOB - Indicator of Behavior (1000)
Timeline
The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.
Activities
Interest
Timeline
The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.
Vulnerabilities
Campaigns (2)
These are the campaigns that can be associated with the actor:
- BlackEnergy
- Xxxxxxx
IOC - Indicator of Compromise (38)
These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.
TTP - Tactics, Techniques, Procedures (24)
Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
IOA - Indicator of Attack (272)
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
ID | Class | Indicator | Type | Confidence |
---|---|---|---|---|
1 | File | /about.php | predictive | Medium |
2 | File | /admin/submit-articles | predictive | High |
3 | File | /ad_js.php | predictive | Medium |
4 | File | /api/v2/cli/commands | predictive | High |
5 | File | /app/options.py | predictive | High |
6 | File | /attachments | predictive | Medium |
7 | File | /bsms/?page=manage_account | predictive | High |
8 | File | /cgi-bin/login.cgi | predictive | High |
9 | File | /cgi-bin/luci/api/wireless | predictive | High |
10 | File | /ci_hms/massage_room/edit/1 | predictive | High |
11 | File | /context/%2e/WEB-INF/web.xml | predictive | High |
12 | File | /dashboard/reports/logs/view | predictive | High |
13 | File | /dcim/sites/add/ | predictive | High |
14 | File | /debian/patches/load_ppp_generic_if_needed | predictive | High |
15 | File | /debug/pprof | predictive | Medium |
16 | File | /etc/hosts | predictive | Medium |
17 | File | /forum/away.php | predictive | High |
18 | File | /goform/delAd | predictive | High |
19 | File | /goform/setmac | predictive | High |
20 | File | /goform/wizard_end | predictive | High |
21 | File | /hprms/admin/doctors/manage_doctor.php | predictive | High |
22 | File | /index/jobfairol/show/ | predictive | High |
23 | File | /librarian/bookdetails.php | predictive | High |
24 | File | /manage-apartment.php | predictive | High |
25 | File | /modules/caddyhttp/rewrite/rewrite.go | predictive | High |
26 | File | /out.php | predictive | Medium |
27 | File | /pages/apply_vacancy.php | predictive | High |
28 | File | /pet_shop/admin/?page=maintenance/manage_category | predictive | High |
29 | File | /print.php | predictive | Medium |
30 | File | /proc/<PID>/mem | predictive | High |
31 | File | /proxy | predictive | Low |
32 | File | /xxxxxx/xxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High |
33 | File | /xxxx.xxx | predictive | Medium |
34 | File | /xxx | predictive | Low |
35 | File | /xxxxxxx/ | predictive | Medium |
36 | File | /xxxxxx | predictive | Low |
37 | File | /xxx/xxx/xxxxxx | predictive | High |
38 | File | /xxxxxx/xxxxx/xxx_xxxxxxx.xxx | predictive | High |
39 | File | /xxxx/xxx/xxx.xxxx | predictive | High |
40 | File | /xxxxxxxxxxxx/xxxxxxxxxxx/ | predictive | High |
41 | File | /xx/xxxxx.xxx | predictive | High |
42 | File | xxxxxxxxxxxxxx.xxxx | predictive | High |
43 | File | xxxxxxx.xxx | predictive | Medium |
44 | File | xxxxx.xxxxxxxxx.xxx | predictive | High |
45 | File | xxxxx.xxx | predictive | Medium |
46 | File | xxxxx.xxxx | predictive | Medium |
47 | File | xxxxx/xxxx_xxxxxxxx.xxx | predictive | High |
48 | File | xxxxx/xxxxxxxxxxxx_xxxx.xxx | predictive | High |
49 | File | xxxxxxxxxxxxx/xxxxxxxxxx/xxx_xxxxx/xxxxxxx/xxxxx.xxx | predictive | High |
50 | File | xxx/xx | predictive | Low |
51 | File | xxxxxxxxxxxxxxx.xxx | predictive | High |
52 | File | xxxxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High |
53 | File | xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High |
54 | File | xxx.xxx | predictive | Low |
55 | File | xxxxxxxxxxxxxxxxx.xxxx | predictive | High |
56 | File | xxxxxxxxxxxx/xxxxxxx.xxx | predictive | High |
57 | File | xxxxxxxxxx.xxxx | predictive | High |
58 | File | xxxxxx.xxx | predictive | Medium |
59 | File | xxxxxxx.xxx | predictive | Medium |
60 | File | xx_xxx.xx | predictive | Medium |
61 | File | xxxxx.xxx | predictive | Medium |
62 | File | xxxxxxx_xxxxx.xxx | predictive | High |
63 | File | xxxxxxxx/xxxxxxxx/xxxxxxxxxx_xxxxx.xxx | predictive | High |
64 | File | xxxx_xxxx.xxx | predictive | High |
65 | File | xxxx/xxxxxxxx.x | predictive | High |
66 | File | xxxxx.x | predictive | Low |
67 | File | xxxxxxxx.x | predictive | Medium |
68 | File | xxxxxxxxxxxx.xxx | predictive | High |
69 | File | xxxxxxxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High |
70 | File | xxx_xxxx.xxx | predictive | Medium |
71 | File | xxx_xxx | predictive | Low |
72 | File | xxxxxxx/xxxxxx/xxx/xxx-xxx.x | predictive | High |
73 | File | xxxxxxx/xxxxx/xxxxxxxx/xxxxx | predictive | High |
74 | File | xxxxxxx/xxxxx/xxxxxxxx/xxxxx/xxxxx-xxx.x | predictive | High |
75 | File | xxxxxxx/xxx/xxxxxxxx/xxxxxxxx/xxxxx/xxxxx_xxx.x | predictive | High |
76 | File | xxxxxxx/xxx/xxxxxxxx/xxxxx.x | predictive | High |
77 | File | xxxxxxx/xxx/xxxxxxxxx/xxx.x | predictive | High |
78 | File | xxxxxxx/xxx/xxx/xxx.x | predictive | High |
79 | File | xxxxxxx/xxxxx/xxxxxx_xxxxx_xxx.x | predictive | High |
80 | File | xxxxxxx/xxx/xxxx/xxxxx.x | predictive | High |
81 | File | xxxxxxx/xxx/xxxxxx/xxx/xxx-xxxxxx.x | predictive | High |
82 | File | xxxxxxx/xxxxx/xxxxx/xxxxxx-xxx.x | predictive | High |
83 | File | xxxxxxxx.xxx | predictive | Medium |
84 | File | xxxxx.xxx | predictive | Medium |
85 | File | xxxxxxxxxxxxxxxx.xxx | predictive | High |
86 | File | xxxx.xxx | predictive | Medium |
87 | File | xxx/xxxx/xxxx_xxxxxx.x | predictive | High |
88 | File | xx/xxxxx/xxxxxx-xxxx.x | predictive | High |
89 | File | xx/xx_xxxxx.x | predictive | High |
90 | File | xx/xxxxxx/xxxxx.x | predictive | High |
91 | File | xxxxxxx/xxxxx.xxx | predictive | High |
92 | File | xxxx.xxx | predictive | Medium |
93 | File | xxxxxxx.xxxxxx.xxx | predictive | High |
94 | File | xxxxxxx/xxxxxx.xxx | predictive | High |
95 | File | xxx-xxxxx.x | predictive | Medium |
96 | File | xxxxxxxxxxxx.xx | predictive | High |
97 | File | xxxxx.x | predictive | Low |
98 | File | xx/xxxx/xx.x | predictive | Medium |
99 | File | xx/xxx/xxxx.x | predictive | High |
100 | File | xxxx.x | predictive | Low |
101 | File | xxx/xxxxxx.xxx | predictive | High |
102 | File | xxx/xxxxxxxxxxx/xxxxxxx.xxx | predictive | High |
103 | File | xxxxxxx/xxx-xxxxxxx/xxx.x | predictive | High |
104 | File | xxxxxxxx/xxxxxxx/xxxxxxx.xxxx.xxx | predictive | High |
105 | File | xxxxx.xxxx | predictive | Medium |
106 | File | xxxxx.xxx | predictive | Medium |
107 | File | xxxxxxx.x | predictive | Medium |
108 | File | xxxxxxxx/xxxxxxxx_xxxxxxx_xxxxxx/xxxxx.xxx | predictive | High |
109 | File | xx.xxx | predictive | Low |
110 | File | xx_xxxxx.x | predictive | Medium |
111 | File | xxxxx/xxxxxxxxxxxx/xxxxx | predictive | High |
112 | File | xxxx.x | predictive | Low |
113 | File | xxxxxxxx.xxx | predictive | Medium |
114 | File | xxx/xxxxxx-xxxxxx.x | predictive | High |
115 | File | xxxxxx/xxxxx/xxxx.x | predictive | High |
116 | File | xxxxxxxxxxx/xxxxxxxxxxx.x | predictive | High |
117 | File | xxxxxxxxx/xxxxxxx/xxxxxx/xxxxxxxxxx.xxx | predictive | High |
118 | File | xxxxxxx/xxx_xxxxxxxx.x | predictive | High |
119 | File | xxxxxxx.xxx | predictive | Medium |
120 | File | xxxxx-xxxxxx-xxxxxx.xxxx | predictive | High |
121 | File | xxxxx.xxx | predictive | Medium |
122 | File | xxxxx.xxx | predictive | Medium |
123 | File | xx/xxxx.x | predictive | Medium |
124 | File | xxx_xxxxx.x | predictive | Medium |
125 | File | xxx/xxxx/xxxx_xxxxxxxxx.x | predictive | High |
126 | File | xxx/xxxx/xxxx.x | predictive | High |
127 | File | xxx/xxxx/xxxxxx_xxx_xxxx.x | predictive | High |
128 | File | xxx/xxx.x | predictive | Medium |
129 | File | xxx/xxxxxxxxx/xx_xxxxxx_xxx.x | predictive | High |
130 | File | xxx/xxxxx | predictive | Medium |
131 | File | xxx/xxx_xxxxx/xx_xxxxx.x | predictive | High |
132 | File | xxxxxxxxxxxxxx.xxxx | predictive | High |
133 | File | xxx_xxxxxxxx.x | predictive | High |
134 | File | xxxxxxxx.xxx | predictive | Medium |
135 | File | xxxxxxxxxxxxxxxxxxxxx.xx | predictive | High |
136 | File | xxx.x | predictive | Low |
137 | File | xxxxxx.xxxx | predictive | Medium |
138 | File | xxxxxx.xx | predictive | Medium |
139 | File | xxxxxxx/xxxxxxx/xxx/xxxxxxxxxx.xxx?xxxxxxxx=xxxx&xxxxxx=xxxxxxxxxx | predictive | High |
140 | File | xxxxxxx/xxx/xxxxxxx/xxxxxx/xxxx-xxxxxxxxxx/<xxxxxx>/xx.xxx | predictive | High |
141 | File | xxxxxxxx.x | predictive | Medium |
142 | File | xxxx.xxx | predictive | Medium |
143 | File | xxxxxx.xxx | predictive | Medium |
144 | File | xxxxxxxx.xx | predictive | Medium |
145 | File | xxx.xxxxx.xxx | predictive | High |
146 | File | xxxx-xxxxxx-xxxxxx.x | predictive | High |
147 | File | xxx/xxxxxxxx-xxxxx.x | predictive | High |
148 | File | xxxxxxx.x | predictive | Medium |
149 | File | xxxxxxxx.xxx | predictive | Medium |
150 | File | xxxxxxxxxx.xxx | predictive | High |
151 | File | xxxxxxxx.xxx | predictive | Medium |
152 | File | xxxxxx.xx | predictive | Medium |
153 | File | xxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High |
154 | File | xxxxxx/xxxxxxx.x | predictive | High |
155 | File | xxxxx.xxx | predictive | Medium |
156 | File | xxxx.x | predictive | Low |
157 | File | xxxxx/xxxxxx.x | predictive | High |
158 | File | xxxxx.xxxx | predictive | Medium |
159 | File | xxxxxxx:xxxxxxxxxxxxx | predictive | High |
160 | File | xxxx_xxxxx.xxxx | predictive | High |
161 | File | xxx/xxxxxx.x | predictive | Medium |
162 | File | xxxxxx\xxxxxxxx\xx_xxxxx_xxxxxxx.xxx | predictive | High |
163 | File | xxxxxx_xxx.xx | predictive | High |
164 | File | xxxx.xxxx | predictive | Medium |
165 | File | xxxxxx/ | predictive | Low |
166 | File | xxxx-xxxxx.xxx | predictive | High |
167 | File | xxxxxxxxxxxxx.xxx | predictive | High |
168 | File | xxxxxx | predictive | Low |
169 | File | xxxxxx/xxxxxx/xxxxxxxxxx/xxxxxxx/xxxx.xxx | predictive | High |
170 | File | xxxxxxx-xxxxx.xxx | predictive | High |
171 | File | xxxx/xxx/xxxx-xxxxx.xxx | predictive | High |
172 | File | xx-xxxxx/xxxxx-xxxx.xxx | predictive | High |
173 | File | xx-xxxxx-xxxxxx.xxx | predictive | High |
174 | File | xx-xxxxxxxx/xxxxx-xx-xxxxx.xxx | predictive | High |
175 | File | xx/xx/xxxxx | predictive | Medium |
176 | File | xxxxxxxx.x | predictive | Medium |
177 | File | ~/.xxxxx | predictive | Medium |
178 | File | ~/xxxxxxxx/xxxxx-xx-xxxxxxxxxx-xxxxxxxxx.xxx | predictive | High |
179 | File | ~/xxxxxxxx/xxxxx-xx-xxxxxxxxxx-xxxx.xxx | predictive | High |
180 | File | ~/xxxxxxxx/xxxxx-xx-xxxxxxxxxx-xx.xxx | predictive | High |
181 | File | ~/xxxxxx.xxx | predictive | Medium |
182 | Library | /xxx/xxxx/xxxxx.x/xx-xxxx-xxxxxxx.xxxxx | predictive | High |
183 | Library | /xxxxxxxxx/xxxxxxxxxxxxxx.xxx | predictive | High |
184 | Library | x:/xxxxxxx xxxxx/xxxxx/xxxxxxx.xxx | predictive | High |
185 | Library | xxxxxxxxx.xxx | predictive | High |
186 | Library | xxxxxxxxx/xxx-xxxxxx/xxxxxxxx.xxx | predictive | High |
187 | Library | xxxxxx.xxx | predictive | Medium |
188 | Library | xxxxxx.xxx | predictive | Medium |
189 | Library | xxxx.xxx | predictive | Medium |
190 | Argument | --xx | predictive | Low |
191 | Argument | xxxxxx | predictive | Low |
192 | Argument | xxxxxx:/xxxxxxxx:/xxxxxxxxxxxxxx: | predictive | High |
193 | Argument | xxxxx | predictive | Low |
194 | Argument | xxxxxxxxx xxxxxx | predictive | High |
195 | Argument | xxxxxxxx | predictive | Medium |
196 | Argument | xxxxx_xxxx | predictive | Medium |
197 | Argument | xxxxxxxxx | predictive | Medium |
198 | Argument | xxxxxxx_xxxxxxx_xxxx | predictive | High |
199 | Argument | xxxxxxxxxx | predictive | Medium |
200 | Argument | xxx_xx | predictive | Low |
201 | Argument | xxxxxx_xx | predictive | Medium |
202 | Argument | xxxxxxxxxxxxx-xxxxx | predictive | High |
203 | Argument | xxxxx | predictive | Low |
204 | Argument | xxxxxxx_xxxx_xxxx | predictive | High |
205 | Argument | xxxxx/xxxxxxx | predictive | High |
206 | Argument | xxxx_xxx | predictive | Medium |
207 | Argument | xxx | predictive | Low |
208 | Argument | xxxxxx xx xxxx xxx | predictive | High |
209 | Argument | xxxxxxxxx_xxxxxx | predictive | High |
210 | Argument | xxxxxxxxx | predictive | Medium |
211 | Argument | xx_xxxxxx | predictive | Medium |
212 | Argument | xxxx | predictive | Low |
213 | Argument | xxxxxxxx | predictive | Medium |
214 | Argument | xxxxxxx[xxxxxxx] | predictive | High |
215 | Argument | xxxx | predictive | Low |
216 | Argument | xxxx | predictive | Low |
217 | Argument | xxxxxxxx | predictive | Medium |
218 | Argument | xx | predictive | Low |
219 | Argument | xx | predictive | Low |
220 | Argument | xxxxx | predictive | Low |
221 | Argument | xxxxxxxx | predictive | Medium |
222 | Argument | xx | predictive | Low |
223 | Argument | xxxx | predictive | Low |
224 | Argument | xxxx/xxx_xxxxxxxxx | predictive | High |
225 | Argument | xxxxxxxxxxxxxxxxxx | predictive | High |
226 | Argument | xxx_xx | predictive | Low |
227 | Argument | xxx | predictive | Low |
228 | Argument | xxxxxxxx_xxxxxxx | predictive | High |
229 | Argument | x_xx/xxxx | predictive | Medium |
230 | Argument | xxxx | predictive | Low |
231 | Argument | xxxxxxxxxxxxxxx | predictive | High |
232 | Argument | xxxxxx xxxxxx | predictive | High |
233 | Argument | xx | predictive | Low |
234 | Argument | xxxxxxx | predictive | Low |
235 | Argument | xxxx | predictive | Low |
236 | Argument | xxxxxxxx | predictive | Medium |
237 | Argument | xxxxxx_xxxxxx | predictive | High |
238 | Argument | xxxx_xx | predictive | Low |
239 | Argument | xxxxx | predictive | Low |
240 | Argument | xxxxxxx | predictive | Low |
241 | Argument | xxx | predictive | Low |
242 | Argument | xxxxxx/xxxxxx_xxxxxx | predictive | High |
243 | Argument | xxxxxxxxx | predictive | Medium |
244 | Argument | xxxxxx | predictive | Low |
245 | Argument | xxxxxxxxxxxxxxxxx | predictive | High |
246 | Argument | xxxxxxxxxxxxx/xxxxx | predictive | High |
247 | Argument | xxxx | predictive | Low |
248 | Argument | xxxx/xxxxxx/xxxxxxx/xxxxxxxxxx | predictive | High |
249 | Argument | xxxxxxx | predictive | Low |
250 | Argument | xxxxxx | predictive | Low |
251 | Argument | xxxxxxxxx | predictive | Medium |
252 | Argument | xxxxx | predictive | Low |
253 | Argument | xxxxx | predictive | Low |
254 | Argument | xx | predictive | Low |
255 | Argument | xxxxxxxx-xxxxxxxx | predictive | High |
256 | Argument | xxx | predictive | Low |
257 | Argument | xxxxxxxx | predictive | Medium |
258 | Argument | xxxxxxxx/xxxx xxxx | predictive | High |
259 | Argument | xxxxxxxx/xxxxxxxx | predictive | High |
260 | Argument | xxxx_xxxx | predictive | Medium |
261 | Argument | xxxxxxxxxxxxxxxxx | predictive | High |
262 | Argument | x-xxxxxxxxx-xxx | predictive | High |
263 | Argument | xxxx xxxx | predictive | Medium |
264 | Input Value | "><xxxxxx>xxxxx("xxx")</xxxxxx> | predictive | High |
265 | Input Value | ' xxx (xxxxxx xxxx xxxx (xxxxxx(xxxxx(x)))xxxx)-- xxxx | predictive | High |
266 | Input Value | 'xx''=' | predictive | Low |
267 | Input Value | ../ | predictive | Low |
268 | Input Value | <xxxxxx>xxxxx(x)</xxxxxx> | predictive | High |
269 | Pattern | xxxxxxxxxxxxx|xx| xxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx | predictive | High |
270 | Pattern | |xx| | predictive | Low |
271 | Network Port | xxx/xxx | predictive | Low |
272 | Network Port | xxx xxxxxx xxxx | predictive | High |
References (9)
The following list contains external sources which discuss the actor and the associated activities:
- https://ddanchev.blogspot.com/2022/06/exclusive-exposing-grus-unit-74455.html
- https://github.com/vuldb/cyber_threat_intelligence/tree/main/actors/Sandworm%20Team
- https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA%20Sandworm%20Actors%20Exploiting%20Vulnerability%20in%20Exim%20Transfer%20Agent%2020200528.pdf
- https://otx.alienvault.com/pulse/62552abdd7e44d9aba08636d
- https://www.threatminer.org/report.php?q=BlackEnergy2_Plugins_Router.pdf&y=2014
- https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/
- https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
- https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/
- https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/