November 5, 2014 by LIFARS

Kaspersky Provides More Information on the Sandworm APT Team

The Kaspersky team has recently published more information on the (presumably Russian) APT group known as Sandworm, the group behind the attacks on NATO and Ukraine.

According to the original post by Kaspersky researchers, the Sandworm group has customized and deployed the well-known BlackEnergy crimeware. BlackEnergy was originally designed to carry out DDoS attacks, steal banking information and similar criminal tasks. A later version, however, appears to have been re-purposed by the APT team; in fact, all of the team's attacks in 2014 have used this tool. Meanwhile, the original BlackEnergy tool is still in use by ordinary criminals.

The APT's modified version extends the tool for additional purposes, including stealing digital certificates, attacking Cisco networking devices, and even targeting ARM and MIPS platforms. Under Windows, BlackEnergy can steal passwords, take screenshots, gather information on connected USB devices, and log keystrokes.

The Kaspersky researchers further report that the APT team "protected their servers by keeping their non-Windows hacker tools and plug-in in separate servers or server folders." They also point out that "each CnC server hosts a different set of plug-ins, meaning that each server works with different victims and uses plug-ins based on its current needs."

It appears the Sandworm group is mainly concentrating on industrial control system organizations, including power plant owners and operators, as well as manufacturers and suppliers of heavy, power-related equipment.


About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high-profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients' engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
