HTB UFO-1 | Sandworm Team | BlackEnergy Group | APT44

The Sandworm Team, also tracked as BlackEnergy Group and APT44, has been active since 2009 and has run several prominent cyber campaigns, including a major attack on the Ukrainian electric grid in 2016 and a series of operations in 2022. Mapped against MITRE ATT&CK, the write-up covers the group's tactics, techniques and tools, including the CaddyWiper and NotPetya malware and the credential access and persistence techniques it used. Affected: ICS Industry, Ukrainian Electric Power Grid, SCADA Systems

Key points:

  • Sandworm Team has been operational since 2009.
  • Two credential access techniques were used during the 2016 campaign against the Ukrainian electric power grid.
  • A VBS script named ufn.vbs was used to transfer ICS-specific payloads laterally.
  • In 2022 the group abused server applications for persistence (technique T1505.003).
  • The tool used for persistence was Neo-REGEORG.
  • The SCADA application binary scilc.exe was abused for code execution.
  • The command line used to execute scilc.exe was C:\sc\prog\exec\scilc.exe -do pack\scils1.txt.
  • CaddyWiper was used for data destruction in the 2022 campaign.
  • CaddyWiper's execution maps to technique T1106.
  • NotPetya, ransomware with worm-like spreading, was also used.
  • The MS17-010 vulnerability was exploited for NotPetya's global spread.
  • AcidRain was the malware used against modems.
  • Sandworm Team ran its SSH server on the non-standard port 6789.
  • The group collaborated with APT28 on various operations.

MITRE Techniques:

  • Credential Access: LSASS Memory (T1003.001), used during the 2016 campaign.
  • Credential Access: the second technique was Brute Force (T1110).
  • Execution: the VBS script ufn.vbs, used for lateral movement and uploading payloads.
  • Persistence: Web Shell (T1505.003), used to maintain access via an abused server application.
  • Execution: scilc.exe, used for code execution in SCADA systems.
  • Execution: Native API (T1106), used by CaddyWiper during data destruction.
  • Initial Access: exploitation of MS17-010 by NotPetya.
  • Command and Control: Non-Standard Port (port 6789) for the SSH server.
  • Collaboration: joint operations with APT28.
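Two of the indicators above are concrete enough to turn into detection logic: the scilc.exe command line with a -do script argument, and an SSH service listening on a port other than 22 (here 6789). The following Python is an added example, not code from the write-up or from Hack The Box; it runs two rules over constructed process-creation and network events (the event fields, the host names and the IP addresses are assumptions, and the SSH banner check generalises the page's single port to any non-standard port).

```python
import re

# Constructed sample telemetry (not real logs): one process-creation event that
# matches the scilc.exe command line quoted on the page, one benign scilc.exe run
# with no script argument, and three network flows with an observed banner.
SAMPLE_EVENTS = [
    {"type": "process", "host": "scada-01",
     "cmdline": r"C:\sc\prog\exec\scilc.exe -do pack\scils1.txt"},
    {"type": "process", "host": "scada-01",
     "cmdline": r"C:\sc\prog\exec\scilc.exe"},
    {"type": "network", "host": "hmi-02", "dst": "203.0.113.10", "dport": 6789,
     "banner": "SSH-2.0-OpenSSH_8.9"},
    {"type": "network", "host": "hmi-02", "dst": "10.0.5.1", "dport": 22,
     "banner": "SSH-2.0-OpenSSH_8.9"},
    {"type": "network", "host": "eng-07", "dst": "198.51.100.7", "dport": 6789,
     "banner": ""},
]

SSH_STANDARD_PORT = 22
SANDWORM_SSH_PORT = 6789  # the port named on the page

# scilc.exe invoked with "-do <file>": the SCADA client binary is being fed a
# command script. Path separators are Windows backslashes; the script path is
# captured so the alert can say which file was executed.
SCILC_DO_RE = re.compile(r"(?i)(?:^|\\)scilc\.exe\s+-do\s+(\S+)")


def check_process(ev):
    """Return an alert dict if the process event shows scilc.exe running a script."""
    m = SCILC_DO_RE.search(ev["cmdline"])
    if m:
        return {"rule": "scilc_do_script", "host": ev["host"], "detail": m.group(1)}
    return None


def check_network(ev):
    """Return alerts for SSH on a non-standard port and for the known IoC port."""
    alerts = []
    # Banner-based rule: an SSH server on any port other than 22, whatever the
    # port number. This catches the technique, not just the one port.
    if ev["banner"].startswith("SSH-") and ev["dport"] != SSH_STANDARD_PORT:
        alerts.append({"rule": "ssh_on_nonstandard_port", "host": ev["host"],
                       "detail": f"{ev['dst']}:{ev['dport']}"})
    # IoC rule: the specific port from the write-up, even with no banner seen.
    if ev["dport"] == SANDWORM_SSH_PORT:
        alerts.append({"rule": "known_sandworm_ssh_port", "host": ev["host"],
                       "detail": f"{ev['dst']}:{ev['dport']}"})
    return alerts


def detect(events):
    """Run both rule sets over a list of events and collect alerts in order."""
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            alert = check_process(ev)
            if alert:
                alerts.append(alert)
        elif ev["type"] == "network":
            alerts.extend(check_network(ev))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events this yields four alerts: the scripted scilc.exe run (detail pack\scils1.txt), the flow to 203.0.113.10:6789 under both network rules, and the bannerless flow to 198.51.100.7:6789 under the IoC rule only. The benign scilc.exe start and the SSH flow on port 22 produce nothing, which is the point of keying the process rule on the -do argument rather than on the binary name, and the network rule on the banner rather than on the port alone.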

Full Story: https://medium.com/@yournextCISO/htb-ufo-1-ee8d7556df7c
