Sandworm Team
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 100 attack patterns (MITRE), 26 malware, 6 sectors, 5 countries, 22 indicators, 7 vulnerabilities (CVE), 8 tools, 3 campaigns
Aliases
ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, Voodoo Bear, FROZENBARENTS, APT44, IRIDIUM, Seashell Blizzard
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- mitre-attack (G0034)
- NCSC Sandworm Feb 2020
- Microsoft Threat Actor Naming July 2023
- Secureworks IRON VIKING
- CrowdStrike VOODOO BEAR
- F-Secure BlackEnergy 2014
- mandiant_apt44_unearthing_sandworm
- InfoSecurity Sandworm Oct 2014
- Dragos ELECTRUM
- USDOJ Sandworm Feb 2020
- iSIGHT Sandworm 2014
- Leonard TAG 2023
- US District Court Indictment GRU Oct 2018
- UK NCSC Olympic Attacks October 2020
- Microsoft Prestige ransomware October 2022
- US District Court Indictment GRU Unit 74455 October 2020
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Attack patterns (MITRE) (100)
- T1041 · uses · Exfiltration Over C2 Channel · MITRE
- T1003 · uses · OS Credential Dumping · MITRE
- Databases · uses
- T1587.001 · uses · Malware · MITRE
- T1140 · uses · Deobfuscate/Decode Files or Information · MITRE
- T1087 · uses · Account Discovery · MITRE
- T1027 · uses · Obfuscated Files or Information · MITRE
- T1588.002 · uses · Tool · MITRE
- T1484.001 · uses · Group Policy Modification · MITRE
- T1572 · uses · Protocol Tunneling · MITRE
- T1047 · uses · Windows Management Instrumentation · MITRE
- T1105 · uses · Ingress Tool Transfer · MITRE
Malware (26)
- HermeticWiper · uses · Family · The MITRE Corporation · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
  [HermeticWiper](https://attack.mitre.org/software/S0697) is a data wiper that has been used since at least early 2022, primarily against Ukraine with additional activity observed in Latvia and Lithuania. Some sectors targeted…
- Exaramel for Windows · uses · Family · The MITRE Corporation · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
  [Exaramel for Windows](https://attack.mitre.org/software/S0343) is a backdoor used for targeting Windows systems. The Linux version is tracked separately under [Exaramel for Linux](https://attack.mitre.org/software/S0401).(Citation: ESET TeleBots Oct 2018)
- LocalOlive · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Industroyer - S0604 · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- BlackEnergy · uses · Family · The MITRE Corporation · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
  [BlackEnergy](https://attack.mitre.org/software/S0089) is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create…
- Prestige · uses · Family · The MITRE Corporation · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
  [Prestige](https://attack.mitre.org/software/S1058) ransomware has been used by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.(Citation: Microsoft…
- Cobalt Strike · uses · Family · The MITRE Corporation · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
  [Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced…
- CaddyWiper · uses · Family · The MITRE Corporation · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
  [CaddyWiper](https://attack.mitre.org/software/S0693) is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.(Citation: ESET CaddyWiper March 2022)(Citation: Cisco CaddyWiper March…
- VPNFilter · uses · Family · The MITRE Corporation · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
  [VPNFilter](https://attack.mitre.org/software/S1010) is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. [VPNFilter](https://attack.mitre.org/software/S1010) modules such as its packet sniffer ('ps') can collect…
- AcidRain · uses · Family · The MITRE Corporation · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
  [AcidRain](https://attack.mitre.org/software/S1125) is an ELF binary targeting modems and routers using MIPS architecture.(Citation: AcidRain JAGS 2022) [AcidRain](https://attack.mitre.org/software/S1125) is associated with the ViaSat KA-SAT communication outage that took place during…
- Foxblade · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Olympic Destroyer · uses · Family · The MITRE Corporation · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
  [Olympic Destroyer](https://attack.mitre.org/software/S0365) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to…
Sectors (6)
- Energy · targets
- Government · targets
- Defense · targets
- Manufacturing · targets
- Telecommunications · targets
- Transportation · targets
Countries (5)
- Canada · targets
- Australia · targets
- Ukraine · targets
- United Kingdom of Great Britain and Northern Ireland · targets
- United States of America · targets
Indicators (22)
- stix · 100/100 · Revoked · Valid until 13/02/2024 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 09/02/2026 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 16/07/2023 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 09/02/2026 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 16/07/2023 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 09/02/2026 · Source: AlienVault
- stix · 100/100 · Revoked · mespinoza_svchost SHA256 of 986ba7a5714ad5b0de0d040d1c066389bcb81a67 · Valid until 29/05/2024 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 16/07/2023 · Source: AlienVault
- stix · 100/100 · Revoked · Valid until 09/02/2026 · Source: AlienVault
Vulnerabilities (CVE) (7)
- JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.
  Attack vector: Network · Published: 04/10/2023 · Modified: 29/05/2026
- ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, …
  Attack vector: Network · Published: 22/02/2024 · Modified: 28/02/2026
- Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.
  Published: 03/11/2021 · Modified: 29/05/2026
- Microsoft Office Outlook contains a privilege escalation vulnerability that allows for an NTLM Relay attack against another service to authenticate as the …
  Attack vector: Network · Published: 14/03/2023 · Modified: 21/12/2025
- Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.
  Attack vector: Network · Published: 25/03/2024 · Modified: 21/12/2025
- Synacor Zimbra Collaboration Suite (ZCS) allows an attacker to upload arbitrary files using cpio package to gain incorrect access to any other …
  Attack vector: Network · Published: 20/10/2022 · Modified: 20/12/2025
- Ignite Realtime Openfire contains a path traversal vulnerability that allows an unauthenticated attacker to access restricted pages in the Openfire Admin Console …
  Attack vector: Network · Published: 24/08/2023 · Modified: 21/12/2025
Tools (8)
- Invoke-PSImage · uses · The MITRE Corporation · Confidence 100
  [Invoke-PSImage](https://attack.mitre.org/software/S0231) takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one liner for executing either from…
- Empire · uses · The MITRE Corporation · Confidence 100
  [Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…
- PoshC2 · uses · The MITRE Corporation · Confidence 100
  [PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…
- Net · uses · The MITRE Corporation · Confidence 100
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
- Impacket · uses · The MITRE Corporation · Confidence 100
  [Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation,…
- PsExec · uses · The MITRE Corporation · Confidence 100
  [PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS…
- Mimikatz · uses · The MITRE Corporation · Confidence 100
  [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…
- SDelete · uses · The MITRE Corporation · Confidence 100
  [SDelete](https://attack.mitre.org/software/S0195) is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. (Citation: Microsoft SDelete…
Campaigns (3)
- 2016 Ukraine Electric Power Attack · attributed-to
- 2015 Ukraine Electric Power Attack · attributed-to
- 2022 Ukraine Electric Power Attack · attributed-to