Sandworm is a highly sophisticated Russian adversary, active since at least 2009, that has been attributed to Russia’s Main Intelligence Directorate (GRU) for Special Technologies (GTsST) military Unit 74455.

Sandworm is characterized by the use of malware families specifically designed to compromise Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) systems found in entities located in the Energy, Government, and Media sectors.

Its long-standing center focus has been Ukraine, where it has carried out a large number of disruptive and destructive operations, mainly against the Energy and Telecommunication sectors, through the use of multiple wipers during the last decade.

In addition, it sustains worldwide espionage and sabotage operations demonstrating the Russian military’s far-reaching ambitions and interests in other regions.

Sandworm has been previously emulated by AttackIQ in March 2024 through the publication of an Assessment Template that compiles all the Tactics, Techniques, and Procedures (TTPs) recently exhibited by it.

AttackIQ has released two new attack graphs that emulates the post-compromise Tactics, Techniques, and Procedures (TTPs) exhibited by Sandworm during its destructive activities to help customers validate their security controls and their ability to defend against this disruptive and destructive threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using these new assessment templates in the AttackIQ Security Optimization Platform, security teams will be able to:

• Evaluate security control performance against a highly disruptive and destructive threat.
• Assess your security posture against a threat interested in Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems.
• Continuously validate detection and prevention pipelines against a threat that sustains worldwide espionage and sabotage operations.

Sandworm – Hermetic Malware Suite Targets Ukrainian Objectives

In February 2022, Sandworm was observed deploying destructive malware against targets in Ukraine and other countries in the region shortly before the launch of the Russian invasion on February 24, 2022. These activities involved the use of different pieces of malware:

• HermeticWizard is a spreader used to deploy tools across a local network via Windows Management Instrumentation (WMI) and Server Message Block (SMB).
• HermeticWiper is a malware designed to render a system inoperative by corrupting its data.
• HermeticRansom is a ransomware that does not use any obfuscation and has pretty straightforward functionality, suggesting it was likely used as a smokescreen for the wiper due to its non-sophisticated style and poor implementation.

The use of “Hermetic” as a prefix is due to the fact that the pieces of malware were signed with a code-signing certificate assigned to the Cypriot company Hermetica Digital Ltd and was issued on April 13th, 2021. It seems that the certificate was not stolen but instead Sandworm impersonated the company to get this certificate from DigiCert.

Sandworm – 2022-02 – HermeticWizard Deployment Leads to HermeticWiper

This attack graph is based on a report published by ESET at the beginning of March 2022 that detailed the uncovering of a destructive attack against organizations in Ukraine that started on February 23, 2022. This followed Distributed Denial-of-Service (DDoS) attacks against major Ukrainian websites.

Execution & Discovery – Network Environment Reconnaissance

This stage begins with the deployment of HermeticWizard, a spreader used by Sandworm to deploy tools across a local network via Windows Management Instrumentation (WMI) and Server Message Block (SMB). Once executed via RegSvr32, it performs the reconnaissance of the local network through API calls and the discovery of open ports.

Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

System Binary Proxy Execution: Regsvr32 (T1218.010): RegSvr32 is a native Windows utility that threat actors can use to register Common Object Model (COM) DLLs. This functionality allows an actor to deploy a malicious DLL and have a native Windows tool execute the code as the parent process. This scenario executes RegSvr32 with an AttackIQ binary.

System Network Connections Discovery (T1049): This scenario performs network resource discovery by calling the WNetOpenEnumW and WNetEnumResourceW Windows API call to enumerate network resources from the local computer.

Remote System Discovery (T1018): This scenario performs a scan of the local network searching for any remotely accessible systems with ports 20, 21, 22, 80, 135, 137, 139, 443, or 445 open.

Lateral Movement – Accessing Additional Targets

This stage focuses on the deployment of two spreaders based on Windows Management Instrumentation (WMI) and Server Message Block (SMB) that are contained within HermeticWizard and are responsible for infecting other systems on the local network with the objective of deploying a wiper.

Once they have been deployed, Windows event logs are deleted using the wevtutil.exe utility.

Windows Management Instrumentation (T1047): This scenario attempts to move laterally to any available asset inside the network through the use of WMI. If the remote asset can be accessed, a configurable command is executed.

Indicator Removal: Clear Windows Event Logs (T1070.001): The scenario will use the wevtutil.exe binary to clear event logs from the system.

Impact – HermeticWiper and HermeticRansom Deployment

This stage begins with the deployment of HermeticWiper, a malware designed to render a system inoperative by corrupting its data. It is loaded through the creation of a service on the compromised system.

Once this is achieved, it continues with the deployment of HermeticRansom, a ransomware that does not use any obfuscation and has a straightforward functionality, suggesting it was likely used as a smokescreen for the wiper due to its non-sophisticated style and poor implementation.

Windows Service (T1543.003): This scenario creates a new Windows service in the system.

Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using a similar encryption algorithm as the one observed in HermeticRansom.

Sandworm – 2022-03 – From PowerShell Command to HermeticWiper Deployment

This attack graph is based on an incident that took place on December 23, 2021, in which Sandworm gained access via malicious Server Message Block (SMB) activity against a Microsoft Exchange Server to the network of one organization in Ukraine. A web shell was deployed on January 16, before the wiper was deployed on February 23.

In a similar incident, Sandworm seems to have used a known vulnerability in Microsoft SQL Server (CVE-2021-1636) to compromise at least one of the targeted organizations.

Execution & Credential Access – Credentials from Local System

This stage begins immediately after downloading a malicious Joint Photographic Experts Group (JPEG) file via PowerShell, which is subsequently executed through a scheduled task.

Once the execution is successful, it continues with the verification of connectivity through the certutil utility and culminates with the dumping of the Local Security Authority Subsystem Service (LSASS) through comsvcs.dll.

Scheduled Task/Job: Scheduled Task (T1053.005): This scenario creates a new scheduled task using the schtasks utility.

Internet Connection Discovery (T1016.001): This scenario executes the certutil utility to try and download a file from a website and save it to a temporary directory.

OS Credential Dumping: LSASS Memory (T1003.001): Uses rundll32.exe with comsvcs.dll to call the MiniDump export that will dump the LSASS process memory to disk. This process is used for enforcing security policy on the system and contains many privileged tokens and accounts that are targeted by threat actors.

Impact – HermeticWiper and HermeticRansom Deployment

This stage begins with the deployment of HermeticWiper, a malware designed to render a system inoperative by corrupting its data. It is loaded through the creation of a service on the compromised system.

Once this is achieved, it continues with the deployment of HermeticRansom, a ransomware that does not use any obfuscation and has a straightforward functionality, suggesting it was likely used as a smokescreen for the wiper due to its non-sophisticated style and poor implementation.

Detection and Mitigation Opportunities

Given the number of techniques used by Sandworm, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. System Binary Proxy Execution: Regsvr32 (T1218.010):

Adversaries may use DLL files for many of their malware payloads and use native Windows utilities to execute them. The primary native method for executing these files is to call the RegSvr32 utility and pass along the path and export function to be executed.

1a. Detection

While this native tool is commonly used by legitimate applications, there are behaviors related to their execution that can stand out in your process logs. Searching for files that are being executed from temporary directories that don’t have the standard .dll file extension or call strange looking export names can stand out from regular user behavior.

Process Name == (regsvr32.exe)
Command Line CONTAINS (‘TEMP’ OR ‘.png’ OR ‘Roaming’ OR ‘%APPDATA%’)

1b. Mitigation

• M1050 – Exploit Protection

2. Scheduled Task/Job: Scheduled Task (T1053.005):

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly from the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.

2a. Detection

With an EDR or SIEM Platform, you can detect the following commands being issued to schedule a malicious task.

Process Name = (“cmd.exe” OR “Powershell.exe”)
Command Line CONTAINS (“schtasks” AND “/CREATE” AND (“cmd” OR “powershell”)

2b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Scheduled Task

3. OS Credential Dumping: LSASS Memory (T1003.001):

Adversaries may attempt to extract user and credential information from the Local Security Authority Subsystem Service (LSASS) process.

3a. Detection

Search for executions of comsvcs that attempt to access the LSASS process.

Process Name == (comsvcs)
Command Line CONTAINS (‘lsass’)

3b. Mitigation

MITRE ATT&CK recommends the following mitigation recommendations:

Wrap-up

In summary, this assessment template will evaluate security and incident response processes and support the improvement of your security control posture against this disruptive and destructive threat. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a well-known and dangerous threat.

AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.