Discover and read the best of Twitter Threads about #SandWorm

Most recent (14)

In 2019, a mysterious account called @m4lwatch started dumping extremely relevant information on #Sandworm. Shortly thereafter, they mentioned a company: NTC Vulcan. Fast-forward three years and that company is in the spotlight #VulkanFiles
spiegel.de/netzwelt/web/v…

Short thread
Almost every researcher tracking Russian APTs was following @m4lwatch. This screenshot tells you why: m4lwatch is talking about infrastructure related to #Sandworm almost six months before it showed up in an advisory sent out by the NSA (PDF).

media.defense.gov/2020/May/28/20…
(h/t to @jfslowik who alerted us to this piece of information and helped us understand big chunks of the files.) Anyway, m4lwatch started publishing information on "NTC Vulkan". He even posted diagrams on a supposed exploitation framework called "Znatok"
Read 9 tweets
Part of the #VulkanFiles is “Scan-V”, a framework to conduct cyberoperations with greater speed, scale and efficiency. Basically, its purpose is helping the GRU achieve its mission. One of the intended end-users seems to be #Sandworm.

sueddeutsche.de/projekte/artik…
At its heart, Scan-V is designed to scour the web for vulnerabilities that are then stored in an “ultra-large” database. When a new operation starts, things like identifying targets and initial entry are supposed to be already at the hackers’ fingertips
derstandard.de/story/20001449…
The docs also describe the ability to store e-mails (pst-files), pcaps (network traffic) and network-layouts. Stuff you can’t just scan for externally. Storing info on previously breached targets in case your next task is to hack them again

blog.sekoia.io/sekoia-io-anal…
Read 11 tweets
#BREAKING On January 25th #ESETResearch discovered a new cyberattack in 🇺🇦 Ukraine. Attackers deployed a new wiper we named #SwiftSlicer using Active Directory Group Policy. The #SwiftSlicer wiper is written in the Go programming language. We attribute this attack to #Sandworm. 1/3
Once executed, it deletes shadow copies, recursively overwrites files located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and other non-system drives, and then reboots the computer. For overwriting it uses a 4096-byte block filled with a randomly generated byte. 2/3
IoCs:
📄7346E2E29FADDD63AE5C610C07ACAB46B2B1B176
ESET Detection names:
🚨 WinGo/KillFiles.C trojan 3/3
Read 3 tweets
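The overwrite pattern the #SwiftSlicer thread above describes (4096-byte blocks, each filled with one random byte value) leaves a recognisable artifact on disk. The following is an added triage example written for this page; it is not ESET's code, not from the original thread, and not the wiper itself. The block size and the uniform per-block fill come from the thread; the function names, the constructed sample content and the directory walk are assumptions for illustration.

```python
"""Triage helper: flag files whose content consists of 4096-byte blocks that are
each filled with a single repeated byte value (the overwrite pattern described
in the SwiftSlicer thread). Added example, not ESET's code."""
import os
import secrets

BLOCK_SIZE = 4096  # overwrite block length stated in the thread


def is_uniform_block_fill(data: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """True if every block_size-sized chunk of data (and any partial tail)
    consists of one repeated byte. Empty data carries no pattern -> False."""
    if not data:
        return False
    for start in range(0, len(data), block_size):
        chunk = data[start:start + block_size]
        # bytes.count() with an int argument counts occurrences of that byte value
        if chunk.count(chunk[0]) != len(chunk):
            return False
    return True


def simulate_wiped_content(length: int, block_size: int = BLOCK_SIZE) -> bytes:
    """Constructed sample only: what file content looks like after such an
    overwrite. Each block gets its own random fill byte, which also covers the
    case where the same byte happens to be reused across blocks."""
    out = bytearray()
    while len(out) < length:
        out += bytes([secrets.randbelow(256)]) * block_size
    return bytes(out[:length])


def triage_directory(root: str, block_size: int = BLOCK_SIZE):
    """Yield paths under root whose content matches the overwrite pattern.
    Files that cannot be read are skipped instead of aborting the scan."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if is_uniform_block_fill(data, block_size):
                yield path


if __name__ == "__main__":
    import sys
    # Usage: python triage.py <directory>
    for hit in triage_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Legitimately all-zero files (sparse or preallocated files) match this pattern as well, so treat hits as leads to correlate with the shadow-copy deletion, the directories named in the thread and the forced reboot, not as proof of wiping on their own.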
Paul Manafort was working with Russia's GRU and the SVR on the Barker Plan and the Mariupol Plan.

Russian collusion, @DonaldJTrumpJr.
What was William Barr of Kirkland & Ellis doing in London for Oleg Deripaska?

Russian collusion.
Read 40 tweets
Attendees to the Trump Tower meeting included Donald Trump Jr., Natalia Veselnitskaya (SVR), Rinat Akhmetshin (GRU), Anatoli Samochornov, Ike Kaveladze (Crocus), Paul Manafort, Jared Kushner & Rob Goldstone (Emin Agalarov's Proxy).

Russia's GRU & SVR were helping Paul Manafort.
Russia's SVR was helping Paul Manafort on The Barker Plan.

Evgeny Fokin.

#UnitedWithUkraine #StandWithUkraine
Russia's GRU was helping Paul Manafort on The Mariupol Plan.

Konstantin Kilimnik.

#UnitedWithUkraine #StandWithUkraine
Read 21 tweets
Paul Manafort & David Vitter were both working on behalf of Russian organized crime.

Mercury Public Affairs and The Barker Plan.

It is a Conspiracy to Defraud the United States.

What was William Barr doing in London and did it involve The Barker Plan?

#ArrestBarrNow
Read 44 tweets
On November 21st #ESETResearch detected and alerted @_CERT_UA of a wave of ransomware we named #RansomBoggs, deployed in multiple organizations in Ukraine🇺🇦. While the malware written in .NET is new, its deployment is similar to previous attacks attributed to #Sandworm. 1/9
@_CERT_UA Its authors make multiple references to Monsters, Inc., the 2001 movie by Pixar. The ransom note (SullivanDecryptsYourFiles.txt) shows the authors impersonate James P. Sullivan, the main character of the movie, whose job is to scare kids. 2/9
@_CERT_UA The executable file is also named Sullivan.<version?>.exe and references are present in the code as well. 3/9
Read 9 tweets
We have become aware of a large #ICS/#SCADA malware project apparently conducted under a state contract on behalf of the Russian General Staff Main Intelligence Directorate (#GRU), Main Centre for Special Technologies (#GTsST), military unit 74455.
This military unit, also known as #Sandworm, is located at the GRU Ulitsa Kirova facility in the Khimki suburb of Moscow. In the past Sandworm has targeted ICS/SCADA, one of the most renowned cases being the #INDUSTROYER2 hacking attempt against a Ukrainian electrical substation in April 2022.
The ongoing project is to cost more than 100 million rubles across three phases and is undertaken by several technical defense contractors.
Read 5 tweets
New: #Ukraine bracing for new round of #Russian cyber attacks targeting its energy, financial sectors, Deputy Minister of Digital Transformation Georgii Dubynskyi tells reporters
"We saw this scenario before: before the winter they [#Russia] are trying to find a way how to undermine, how to defeat our energy system & how to make circumstances even more severe for Ukrainians" per Dubynskyi
#Russia also trying to employ "precision" #cyberattacks

"Using social engineering & using some traitors...so it's also possible #hybrid attacks as well" per Dubynskyi
Read 12 tweets
#BREAKING #Sandworm continues attacks in Ukraine 🇺🇦. #ESETresearch found an evolution of a malware loader used during the #Industroyer2 attacks. This updated piece of the puzzle is malware @_CERT_UA calls #ArguePatch. ArguePatch was used to launch #CaddyWiper. #WarInUkraine 1/6
The #Industroyer2 attacks used a patched version of @HexRaysSA IDA Pro’s remote debug server (win32_remote.exe). It was modified to include code to decrypt and run #CaddyWiper from an external file. 2/6
This time, #Sandworm chose an official @ESET executable to hide #ArguePatch. It was stripped of its digital signature and code was overwritten in a function called during the MSVC runtime initialization. 3/6
Read 6 tweets
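The #ArguePatch thread above notes that the reused ESET executable had been stripped of its digital signature. Whether a PE still declares an Authenticode certificate table is readable straight from its headers, which makes "formerly signed vendor binary, now unsigned" a cheap first-pass check. The following is an added example written for this page, not ESET's or CERT-UA's code and not taken from the thread. It parses only the PE header fields involved (no third-party dependency); the sample binaries it builds are constructed in-memory headers, not real executables, and the helper names are assumptions.

```python
"""Check whether a PE file declares an Authenticode certificate table, and show
what stripping it looks like at the header level. Added example; not ESET's code."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the certificate table in the data directories
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _security_entry_offset(pe: bytes):
    """File offset of the certificate-table directory entry, or None if the
    optional header does not carry one."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (size_of_opt,) = struct.unpack_from("<H", pe, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == PE32_MAGIC:
        ndirs_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (ndirs,) = struct.unpack_from("<I", pe, opt + ndirs_off)    # NumberOfRvaAndSizes
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # A truncated directory table can claim fewer entries, or SizeOfOptionalHeader can cut it short
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_opt:
        return None
    return entry


def certificate_table(pe: bytes) -> tuple:
    """(file_offset, size) of the certificate table, or (0, 0) when absent.
    For this directory entry the 'VirtualAddress' field is a raw file offset, not an RVA."""
    entry = _security_entry_offset(pe)
    if entry is None:
        return (0, 0)
    return struct.unpack_from("<II", pe, entry)


def has_authenticode_signature(pe: bytes) -> bool:
    """True only if a certificate table is declared and actually fits in the file.
    Presence is not validity: verifying the signature needs a PKCS#7 parser."""
    off, size = certificate_table(pe)
    return size > 0 and off + size <= len(pe)


def strip_signature(pe: bytes) -> bytes:
    """Mimic what signature stripping does to the headers: zero the directory entry
    and drop the appended certificate blob (Authenticode requires it to sit at the end)."""
    entry = _security_entry_offset(pe)
    if entry is None:
        return pe
    off, size = struct.unpack_from("<II", pe, entry)
    out = bytearray(pe)
    struct.pack_into("<II", out, entry, 0, 0)
    if size and off + size == len(pe):
        del out[off:]
    return bytes(out)


def build_sample_pe32plus(cert_size: int = 0) -> bytes:
    """Constructed minimal PE32+ header (not a runnable executable). With cert_size > 0
    a WIN_CERTIFICATE header of that length is appended and referenced from the table."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    ndirs = 16
    size_of_opt = 112 + 8 * ndirs
    # Machine=AMD64, no sections, SizeOfOptionalHeader, Characteristics=EXECUTABLE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, size_of_opt, 0x22)
    opt = bytearray(size_of_opt)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, ndirs)
    header = bytes(dos) + b"PE\0\0" + coff
    cert = b""
    if cert_size:
        cert_offset = len(header) + size_of_opt
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_offset, cert_size)
        # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=2 (PKCS#7 SignedData)
        cert = struct.pack("<IHH", cert_size, 0x0200, 0x0002).ljust(cert_size, b"\0")
    return header + bytes(opt) + cert


if __name__ == "__main__":
    import sys
    # Usage: python pe_sig_check.py <file.exe>
    with open(sys.argv[1], "rb") as fh:
        print("certificate table present:", has_authenticode_signature(fh.read()))
```

A vendor binary that shows up unsigned in an environment where the same file name and version are otherwise always signed is the cheap signal this gives you; confirming tampering of the kind the thread describes (code overwritten inside a runtime-initialisation function) still needs a byte-level comparison against a known-good copy.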
In 2022, #Sandworm hackers launched two waves of attacks against an oblenergo. The same attack by the same organization in 2015 made #Ukraine the first country in the world that suffered a major blackout due to a #cyberattack #cyberwar
The #cyberattacks were being attempted constantly since mid-February. Overall, since the full-scale war began there have been about 50 attacks that could have left a massive number of civilians without electricity. #Ukraine #UkraineRussianWar #WARINUKRAINE #cyberwar
But thanks to our experience, this time we were better prepared. The #cyberattack meant to cause a power outage on April 8th was successfully deterred, even though #russianhackers used more advanced tools. #Ukraine
#WARINUKRAINE #UkraineUnderAttack #cyberwar
Read 4 tweets
Thread on #APT groups, #hacktivists and #Ransomware gangs with their ‘likely’ associations (as per TTPs and reports) that are playing a significant role in the impending #Ukraine #Russian conflict. Correct me if I am wrong or missing anyone. 1/
Firstly, on the Russian 🇷🇺 side there are #GhostWriter (#Belarus govt-backed), #CozyBear (Russian Foreign Intel aka #SVR), #UNC1151 (Minsk-based), #FancyBears & #SandWorm (Russian Military Intel aka #GRU), #Turla and #Gamaredon (Russian Internal Intel #FSB, formerly KGB) 2/
Read 7 tweets
Join #ESETresearch at #vblocalhost! Starting today, you can watch @RighardZw in a live presentation looking at internal attack scenarios and highlighting issues that have remained “foolishly ignored” for years (Thu 20:00 - 20:30 UTC). 1/4
On Friday, @zuzana_hromcova will walk the audience through the current landscape of IIS threats – ranging from traffic redirectors to backdoors – and share the essentials of reverse-engineering native IIS malware (Fri 17:45 - 18:15 UTC). 2/4
On demand you can watch @cherepanov74 and @Robert_Lipovsky as they guide you through the US #Sandworm indictment; @LukasStefanko will discuss the hidden cost of #Android #stalkerware. Finally, there is @RighardZw again in the panel debate. 3/4
Read 4 tweets
Znatok is fully featured and has an interface for a “Commander” to assign tasking to a team. Looks military. If #Sandworm is #GRU cyber, then it could fit
See BASHNYA as project name or user. Still working on the functionality of the framework. More soon #ThreatIntel #Sandworm
Bashnya is Башня. This translates from Russian as “Tower”. GTsST GRU Unit 74455, linked to Sandworm, has its HQ at the “Tower”, 22 Kirova Street in Khimki, Moscow. Think Bashnya/Tower is code for the end user of Znatok #ThreatIntel #Sandworm #GRU
Read 24 tweets
