Based on open-source intelligence, the ATT&CK ® Evaluations team created the below scenario leveraging techniques seen from Sandworm in the wild. We have adapted the scenario based on tools and resources available at the time.

Sandworm Team ¹ is a destructive threat group attributed to Russia's General Staff of the Armed Forces, Main Intelligence Directorate (GRU) that has been reportedly active since 2009.^{2 3} In 2015 Sandworm used a BlackEnergy variant and the KillDisk module against three Ukrainian power distribution companies causing a power outage during the Christmas holidays. The outage left over 225,000 Ukrainian citizens without power in the middle of winter.⁴ Sandworm is known for conducting large scale, well funded, destructive, and aggressive campaigns such as Olympic Destroyer, CrashOverride/Industroyer, and NotPetya.^{5 6 7 8} NotPetya, a destructive worm-like wiper malware disguised as ransomware, resulted in a global infection that caused nearly $1 billion in losses to three victim organizations alone.^{2 9} The "Sandworm" name was derived from references to the novel Dune found throughout the malware code, initially used to attribute other pieces of malware to the adversary. ¹⁰

Associated Names: ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, VOODOO BEAR

The Resources Folder contains the emulated software source code. Executables are provided in password protected zip files located in the specified software folder. The password is malware.

We provide a script to automatically decrypt these files:

$ cd sandworm

$ python3 Resources/utilities/crypt_executables.py -i ./ -p malware --decrypt

YARA rules are provided to assist the community in researching, preventing, and detecting malware specimens used in this emulation plan.

• P.A.S. webshell

• Exaramel

• NotPetya

• OraDump/LaZagne Varient

• Win64/Spy.KeyLogger.G

• Detection Scenario - Step by Step walkthrough of Scenario's procedures (9 steps).
• Protection Scenario - Step by Step walkthrough of Scenario's procedures (3 tests)

• Operation Flow - High-level summary of the scenario & infrastructure with diagrams.
• Intelligence Summary - General overview of the Adversary with links to reporting used throughout the scenario.

We would like to formally thank the people that contributed to the content, review, and format of this document. This includes the MITRE ATT&CK and MITRE ATT&CK Evaluations teams, the organizations and people that provided public intelligence and resources, as well as the following organizations that participated in the community cyber threat intelligence contribution process:

• Cynet

We 💖 feedback! Let us know how using ATT&CK Evaluation results has helped you and what we can do better.

Email: evals@mitre-engenuity.org
Twitter: https://twitter.com/MITREengenuity
LinkedIn: https://www.linkedin.com/company/mitre-engenuity/

This content is only to be used with appropriate prior, explicit authorization for the purposes of assessing security posture and/or research.

© 2022 MITRE Engenuity. Approved for Public Release. Document number AT0016.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

This project makes use of ATT&CK®

ATT&CK Terms of Use