As the war rages, the APT group with a long résumé of disruptive cyberattacks enters the spotlight again
René Holt, ESET Research
For cybersecurity pundits, it has become a doctrine that cyberdisruption, whether perpetrated directly or via proxy groups, can be expected to accompany military, political, and economic action as a way of softening up targets or of strategically applying pressure via subterfuge. Thus, in a time of war in Ukraine, the spotlight has also naturally turned to cyberwarfare, both past and present.
Since at least 2014, companies in Ukraine or with network access to the region have suffered malware such as BlackEnergy, GreyEnergy, Industroyer, NotPetya, Exaramel, and, in 2022 alone, WhisperGate, HermeticWiper, IsaacWiper, and CaddyWiper. In all cases except the last four, the cybersecurity community discovered enough code similarities, shared command and control infrastructure, malware execution chains, and other hints to attribute the malware samples to one overarching group – Sandworm.
Who is Sandworm?
The moniker Sandworm was chosen by researchers at iSIGHT Partners, a threat intelligence company, who discovered references to Frank Herbert’s novel Dune in BlackEnergy malware binaries in 2014. At that time, ESET researchers were presenting their findings on several targeted BlackEnergy attacks in Ukraine and Poland at a Virus Bulletin conference, and they also discovered the same, unmistakable references in the code: arrakis02, houseatreides94, BasharoftheSardaukars, SalusaSecundus2, and epsiloneridani0.
While some speculated that Sandworm was a group working from Russia, it wasn’t until 2020 that the US Department of Justice (DoJ) concretely identified Sandworm as Military Unit 74455 of the Main Intelligence Directorate (GRU) – which was renamed the Main Directorate (GU) in 2010, although “GRU” seems to have stuck in Western parlance – of the General Staff of the Armed Forces of the Russian Federation, located at 22 Kirova Street, Khimki, Moscow, in a building colloquially called “the Tower”: