Sandworm is a highly sophisticated Russian adversary, active since at least 2009, that has been attributed to Russia’s Main Intelligence Directorate (GRU) for Special Technologies (GTsST) military Unit 74455.

Sandworm is characterized by the use of malware families specifically designed to compromise Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) systems found in entities located in the Energy, Government, and Media sectors.

Its long-standing center focus has been Ukraine, where it has carried out a large number of disruptive and destructive operations, mainly against the Energy and Telecommunication sectors, through the use of multiple wipers during the last decade.

In addition, it sustains worldwide espionage and sabotage operations demonstrating the Russian military’s far-reaching ambitions and interests in other regions.

Sandworm is believed to be associated with the Russian adversary known as APT28, which is attributed to Russia’s General Staff Main Intelligence Directorate (GRU) military Unit 26165, which was previously emulated by AttackIQ in September 2022.

AttackIQ has released a new assessment template that brings together the post-compromise Tactics, Techniques, and Procedures (TTPs) exhibited by Sandworm during its latest activities to help customers validate their security controls and their ability to defend against this disruptive and destructive threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:

• Evaluate security control performance against a highly disruptive and destructive threat.
• Assess your security posture against a threat interested in Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems.
• Continuously validate detection and prevention pipelines against a threat that sustains worldwide espionage and sabotage operations.

Sandworm – 2023-11 – Post-Compromise Tactics, Techniques and Procedures (TTPs)

Since its appearance in 2009, Sandworm has conducted a large number of espionage, sabotage, and destruction operations against multiple targets around the world.

Beginning in 2014, it has conducted multiple sabotage attacks against Ukraine’s energy sector through the use of specialized malware that primarily targeted Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems.

In 2017, Sandworm was responsible for the mass distribution of the NotPetya ransomware, which affected multiple entities and organizations around the world causing widespread disruption and financial losses.

Several of these activities were supported by the Russian adversary known as APT28, which has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) military Unit 26165.

This assessment template emulates all those Post-Compromise Tactics, Techniques, and Procedures (TTP) exhibited by Sandworm during its most recent activities.

1. Execution

Consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, such as exploring a network or stealing data.

System Binary Proxy Execution: Rundll32 (T1218.011): RunDll32 is a native system utility that can be used to execute DLL files and call a specific export inside the file. This scenario executes RunDll32 with an AttackIQ DLL and calls an export to mimic previously reported malicious activity.

Command and Scripting Interpreter: Visual Basic (T1059.005): This scenario will attempt to execute a Visual Basic Script (VBS) via cscript.exe.

2. Persistence

Techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

Scheduled Task/Job: Scheduled Task (T1053.005): This scenario creates a new scheduled task using the schtasks utility with the name qAWZe that was observed being used by Sandworm.

3. Defense Evasion

Consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts.

Masquerading (T1036): This scenario will attempt to modify a file type extension to an alternate file extension once it has landed on the target asset using the move utility.

4. Discovery

Techniques that adversaries use to discover information related to the compromised environment.

System Network Connections Discovery (T1049): The native Windows command line tool netstat is used to collect active connections and any listening services running on the host.

System Network Configuration Discovery (T1016): The network configuration of the asset is collected using standard Windows utilities like ipconfig, arp, route, and nltest.

File and Directory Discovery (T1083): This scenario uses the native dir command to find files of interest and output to a temporary file.

5. Credential Access

Techniques used by adversaries to harvest credentials available on the compromised system.

OS Credential Dumping: LSASS Memory (T1003.001): Uses rundll32.exe with comsvcs.dll to call the MiniDump export that will dump the LSASS process memory to disk. This process contains a variety of credential materials and can passed to additional dumping tools to extract credentials.

6. Command and Control

Techniques that adversaries may use to communicate with systems under their control within a victim network.

Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

7. Impact

Consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes.

Inhibit System Recovery (T1490): This scenario executes the vssadmin.exe utility to delete a recent Volume Shadow Copy created by the assessment template.

Opportunities to Expand Emulation Capabilities

In addition to the released assessment template, AttackIQ recommends the following scenario to extend the emulation of the capabilities exhibited by Sandworm.

Dump Active Directory Database using ntdsutil.exe: This scenario will attempt to execute the ntdsutil.exe utility to dump the NTDS.dit file along with the SYSTEM and SECURITY registry hives.

Detection and Mitigation Opportunities

Given the vast number of techniques used by these adversaries, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. System Binary Proxy Execution: Rundll32 (T1218.011):

Adversaries may use DLL files for many of their malware payloads and leverage a native Windows utility to execute them. The primary native method for executing these files is to call the RunDll32 tool and pass along the path and export function to be executed.

1a. Detection

While this tool is commonly used by legitimate applications, there are behaviors related to their execution that can stand out in your process logs. Searching for files that are being executed from temporary directories, that don’t have the standard .dll file extension, or call strange looking export names can stand out from regular user behavior.

Process Name == (rundll32.exe)
Command Line CONTAINS (‘TEMP’ OR ‘.png’ OR ‘Roaming’ OR ‘%APPDATA%’)
Current Directory CONTAINS (‘D:\’ OR ‘E:\’)

1b. Mitigation

MITRE ATT&CK recommends the following mitigation recommendation:

• M1050 – Exploit Protection

2. Scheduled Task/Job: Scheduled Task (T1053.005):

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly from the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.

2a. Detection

With an EDR or SIEM Platform, you can detect the following commands being issued to schedule a malicious task.

Process Name = (“cmd.exe” OR “Powershell.exe”)
Command Line CONTAINS (“schtasks” AND “/CREATE” AND (“cmd” OR “powershell”)

2b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Scheduled Task

3. OS Credential Dumping: LSASS Memory (T1003.001):

Adversaries may attempt to extract user and credential information from the Local Security Authority Subsystem Service (LSASS) process.

3a. Detection

Search for executions of comsvcs that attempt to access the LSASS process.

Process Name == (comsvcs)
Command Line CONTAINS (‘lsass’)

3b. Mitigation

MITRE ATT&CK recommends the following mitigation recommendations:

Wrap-up

In summary, this assessment template will evaluate security and incident response processes and support the improvement of your security control posture against this disruptive and destructive threat. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a well-known and dangerous threat.

AttackIQ stands at the ready to help security teams implement this assessment template and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.