The Sandworm team is a Russian advanced persistent threat group that targets systems of political targets of interest to the Russian Federation. BlackEnergy / Sandworm team is likely state-sponsored. The group’s name originates from strings in their code and names of their C&C servers that reference the Dune fantasy book series.

Sandworm team has targeted governments and political organizations since at least 2009; but the group also may have been behind the 2008 cyber-attacks against Georgia. The Ukrainian government, NATO, the European Union, the European Telecommunications sector, European Energy companies, and Poland are among the group’s top targets. Attendees of the May 2014 Globesec conference were also targeted. Many of the decoy documents used to deploy the malware were spoofed news coverage of political or economic situations in Europe.

The new variant of the BlackEnergy malware, which is now capable of stealing documents from targets, has been used against government institutions in Ukraine and Eastern Europe. The initial appearance of the malware coincides with the conflict between Russia and Ukraine. Trend Micro discovered that the newest variant of the malware, customized by the group, can target ICS and SCADA systems. The group may have infected these systems to monitor or sabotage systems that compete with Russia’s energy interests.

Sandworm delivers malware through spear phishing emails containing malicious documents, such as a Microsoft PowerPoint attachment. The attachments either deliver the initial dropper or exploit a zero-day vulnerability to install the malware. In some cases, legitimate applications were trojanized to perform the installation. Through zero-day exploits, the malware infects any system running a Windows Operating System ranging from Vista to Windows, including Windows server systems. The malware only infects the victim system if the current user is a member of the local administrator group. If the user is not an administrator, then the malware will attempt to re-launch itself as Administrator or exploit the Windows backward compatibility features to bypass UAC.

The BlackEnergy crimeware appeared for sale in underground Russian cyber-markets around 2007. The malware was designed to create botnets for Distributed Denial of Service attacks (DDoS), but it has since evolved to support other capabilities. BlackEnergy can create botnets to send spam emails for phishing campaigns and it has tools to harvest passwords and banking credentials from infected computers.

The BlackEnergy toolkit gained notoriety during the 2008 cyber-attacks on Georgia during the conflict between Russia and Georgia. The BlackEnergy malware is available for purchase in cyber underground communities; however, the variant used in Sandworm attacks has been modified with custom code, incorporates a proxy server infrastructure, techniques to User Account Control and driver signing features in 64-bit Windows systems, and tools to collect documents. F-Secure notes BlackEnergy is used by a variety of criminal and cyber espionage groups; so, Sandworm’s adoption of BlackEnergy, instead of writing custom malware, may have been an attempt to shirk attribution and blend into the crowd of nefarious actors to remain undiscovered.

The BlackEnergy toolkit features a builder application that generates the clients used to infect victim systems, it features server-side scripts to create C&C servers, and it includes an interface for the attacker to communicate with their botnet. F-Secure comments that the toolkit is simple enough and convenient enough that anyone can build a botnet without possessing extensive skills. The information stealing plugin of the toolkit gathers system information, session information, a list of installed applications, a list of registered mail, browser, and instant messaging clients, a list of network connections, and stored user credentials for online and offline accounts, and exfiltrates the information back to the C&C server via a HTTP POST request. New variants of the malware may also be able to capture screenshots and record audio. On December 23, 2015, a Sandworm campaign against the Prykarpattyaoblenegro power plant in Ukraine caused a severe outage. More significant than the immediate loss of power, the threat actor, who is likely backed by the Russian state, demonstrated that the malware, which has been regularly discovered on U.S. networks, can severely cripple a nation’s critical infrastructure as part of a cyber-physical campaign.

Type: Nation State Sponsored

Status: Active

Other Names: Sandworm/ Quedagh/ TEMP.Noble

Active Since/Discovered: 2010/ December 2013


  • Russia, Ukraine, USA, Poland, Lithuania, Belarus, Azerbaijan, Kyrgyzstan, Kazakhstan, Iran, Israel

Target Sectors: Energy, Government, Military, Manufacturing, Federal Land Holding Agencies, Municipal Offices, Federal Emergency Services, Space, Academia, Financial, High Tech, Transportation, and other ICS Construction


  • BlackEnergy (Version 3) – malware toolkit
    • Originally designed (2007) for Distributed Denial of Service (DDoS) attacks
    • Executes “tasks” that are commissioned by its C&C servers and implemented by the plugins.
      • Known plugins include Windows plugins and plugins for ARM/MIPS architecture and tcl scripts for Cisco
    • attempts to bypass default User Access Control (UAC) settings by exploiting a backward-compatibility setting found in Windows 7 and later
    • locates existing driver services that have been disabled and drops its driver component into one of those service’s paths
      • sets the hijacked service to start automatically in order to establish persistence
    • injects its DLL component into svchost.exe
    • drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder
    • gathers a list of installed apps from the uninstall program Registry and the registered mail, browser, and instant messaging clients from the Registry
    • uses netstat to gather local connection info
    • gathers credentials stored in files on the host by various software programs, including The Bat! email client, Mozilla password manager, Google Chrome password manager, Outlook, Internet Explorer, and Windows Credential Store
    • port scans
    • HTTP C2 communication
    • run a plug-in on a victim to spread through the local network by using PsExec and accessing admin shares
    • Screenshotting, keylogging, etc
    • drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder
  • Systeminfo- gathers OS version, system configuration, BIOS, and motherboard and processor information
  • KillDisk – deletes Windows Events Logs

Preferred Attack Vector:  

  • Social engineering
  • USB drives
  • LAN spreading
  • File infection


  • CVE-2014-4114
  • Targets Windows, Linux, Cisco IOS
  • Conducts Cyberespionage, Distributed Denial of Service (DDoS), Data Theft, and Data Wiping


  • Responsible for taking Ukranian Energy Grid offline in late December 2015
  • Found dormant on numerous US Agency systems


Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from Youtube
Consent to display content from Vimeo
Google Maps
Consent to display content from Google