{
	"id": "520fb88d-b9b2-49c9-b4ef-efdb5a05b21f",
	"created_at": "2026-04-06T00:17:37.420868Z",
	"updated_at": "2026-04-10T13:11:37.953169Z",
	"deleted_at": null,
	"sha1_hash": "426ef930d0d651fe4bbd5b2094b88e385d94944c",
	"title": "Russian Sandworm hackers targeted 20 critical orgs in Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4530102,
	"plain_text": "Russian Sandworm hackers targeted 20 critical orgs in Ukraine\r\nBy Bill Toulas\r\nPublished: 2024-04-22 · Archived: 2026-04-05 18:06:42 UTC\r\nRussian hacker group Sandworm aimed to disrupt operations at around 20 critical infrastructure facilities in Ukraine,\r\naccording to a report from the Ukrainian Computer Emergency Response Team (CERT-UA).\r\nAlso known as BlackEnergy, Seashell Blizzard, Voodoo Bear, and APT44, the hackers are believed to be associated with\r\nRussia's Main Directorate of the General Staff of the Armed Forces (the GRU), carrying out cyberespionage and destructive\r\nattacks on various targets.\r\nCERT-UA reports that in March 2024, APT44 conducted operations to disrupt information and communication systems at\r\nenergy, water, and heating suppliers in 10 regions of Ukraine.\r\nhttps://www.bleepingcomputer.com/news/security/russian-sandworm-hackers-targeted-20-critical-orgs-in-ukraine/\r\nPage 1 of 5\n\nThe attacks occurred in March, and in some cases the hackers infiltrated the targeted networks by poisoning the\r\nsupply chain to deliver compromised or vulnerable software, or by abusing the software provider's ability to access the\r\norganizations' systems for maintenance and technical support.\r\nSandworm also combined previously documented malware with new malicious tools (BIASBOAT and LOADGRIP for\r\nLinux) to obtain access and move laterally on the network.\r\nCERT-UA experts have confirmed the compromise of at least three \"supply chains,\" as a result of which the circumstances\r\nof the initial unauthorized access either correlate with the installation of software containing backdoors and vulnerabilities or\r\nare caused by the regular technical ability of the supplier employees to access the organizations' ICS for maintenance
and\r\ntechnical support. – CERT-UA (machine translated).\r\nThe Ukrainian agency notes that Sandworm's breaches were made easier by the targets' poor cybersecurity practices (e.g.\r\nlack of network segmentation and insufficient defenses at the software supplier level).\r\nFrom March 7 to March 15, 2024, CERT-UA engaged in extensive counter-cyberattack operations, which included\r\ninforming affected enterprises, removing malware, and enhancing security measures.\r\nBased on the findings from investigating the logs retrieved from the compromised entities, Sandworm relied on the\r\nfollowing malware for its attacks on Ukraine's utility suppliers:\r\nQUEUESEED/IcyWell/Kapeka: C++ backdoor for Windows that collects basic system information and executes\r\ncommands from a remote server. It handles file operations, command execution, and configuration updates and can\r\ndelete itself. Communications with the command and control server go over HTTPS, with data encrypted using RSA and\r\nAES. It stores its configuration encrypted in the Windows registry and maintains persistence on infected systems\r\nthrough scheduled tasks or registry entries for automatic execution.\r\nQUEUESEED scheduled execution (CERT-UA)\r\nBIASBOAT (new): a Linux variant of QUEUESEED that emerged recently. It is disguised as an encrypted file\r\nserver and operates alongside LOADGRIP.\r\nLOADGRIP (new): also a Linux variant of QUEUESEED, developed in C, that acts as a loader, injecting a payload into\r\nprocesses using the ptrace API.
The payload is usually encrypted, and the decryption key is derived from a constant and a\r\nmachine-specific ID.\r\nBash script that loads BIASBOAT and LOADGRIP (CERT-UA)\r\nGOSSIPFLOW: Go-based malware used on Windows to set up tunneling with the Yamux multiplexer library; it\r\nprovides SOCKS5 proxy functionality to help exfiltrate data and secure communication with the command and\r\ncontrol server.\r\nAdditional malicious tools CERT-UA discovered during the investigation come from the open source space and include the\r\nWeevely webshell, the Neo-reGeorg, Pivotnacci, and Chisel tunnelers, LibProcessHider, JuicyPotatoNG, and\r\nRottenPotatoNG.\r\nThe threat actors used these tools to maintain persistence, hide malicious processes, and elevate their privileges on\r\ncompromised systems.\r\nThe Ukrainian agency believes that the purpose of these attacks was to increase the effect of Russian missile strikes on the\r\ntargeted infrastructure facilities.\r\nLast week, Mandiant exposed Sandworm's connection to three hacktivist-branded Telegram groups that have previously\r\nclaimed attacks on critical infrastructure in Europe and the U.S.\r\nCERT-UA's report provides a long list of indicators of compromise that includes files, hosts, and network details.
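The ptrace-based loader described above (LOADGRIP) is the kind of activity Linux audit logging can surface: an injector must first attach to the victim process and then write to its memory or registers, which an auditd rule on the ptrace syscall records with the request number in a0 and the target pid in a1. The following is an added example written for this page, not code from CERT-UA, BleepingComputer, or the malware itself. It parses auditd SYSCALL records, groups ptrace calls by (tracer pid, target pid), and reports pairs that attached and then wrote, while skipping allow-listed debuggers and failed attaches. The audit lines, the allow-list, the rule key name and the file paths are constructed assumptions for illustration, not indicators from the report.

```python
# Added example (not CERT-UA or BleepingComputer code): hunt for ptrace-based
# process injection in Linux auditd logs. All records below are constructed.

# ptrace request numbers from <sys/ptrace.h> on Linux; auditd logs a0 in hex.
PTRACE_REQ = {
    0x00: 'PTRACE_TRACEME',
    0x04: 'PTRACE_POKETEXT',
    0x05: 'PTRACE_POKEDATA',
    0x06: 'PTRACE_POKEUSER',
    0x0d: 'PTRACE_SETREGS',
    0x10: 'PTRACE_ATTACH',
    0x18: 'PTRACE_SYSCALL',
}
# An injector has to attach to the victim and then write memory or registers.
ATTACH_REQS = {0x10}
WRITE_REQS = {0x04, 0x05, 0x06, 0x0d}
# ptrace syscall number per auditd arch value (x86_64 = 101, aarch64 = 117).
PTRACE_NR = {'c000003e': 101, 'c00000b7': 117}
# Assumed allow-list of debuggers expected to call ptrace on this host.
KNOWN_TRACERS = {'gdb', 'strace', 'ltrace', 'lldb'}
WORLD_WRITABLE_DIRS = ('/tmp/', '/dev/shm/', '/var/tmp/')

# The auditctl rule that produces the SYSCALL records consumed here (key name assumed).
AUDITD_RULE = '-a always,exit -F arch=b64 -S ptrace -k ptrace_hunt'


def parse_record(line):
    '''Split one auditd line into its key=value fields, dropping quotes around values.'''
    fields = {}
    for token in line.split():
        if '=' in token:
            key, value = token.split('=', 1)
            fields[key] = value.strip('\"')
    return fields


def is_ptrace(rec):
    '''True for a SYSCALL record whose syscall number is ptrace for its architecture.'''
    return rec.get('type') == 'SYSCALL' and PTRACE_NR.get(rec.get('arch')) == int(rec.get('syscall', -1))


def hunt_ptrace_injection(lines):
    '''Return one finding per (tracer pid, target pid) pair that attached and then wrote.'''
    sessions = {}
    for line in lines:
        rec = parse_record(line)
        if not is_ptrace(rec) or rec.get('success') != 'yes':
            continue  # ignore non-ptrace records and attaches blocked by Yama or permissions
        request = int(rec['a0'], 16)
        if request not in ATTACH_REQS | WRITE_REQS:
            continue  # read-only tracing (PEEK*, PTRACE_SYSCALL, ...) is not injection
        key = (int(rec['pid']), int(rec['a1'], 16))  # a1 is the traced pid
        sess = sessions.setdefault(key, {
            'pid': key[0], 'target_pid': key[1], 'comm': rec.get('comm', ''),
            'exe': rec.get('exe', ''), 'requests': [],
        })
        sess['requests'].append(PTRACE_REQ.get(request, hex(request)))
    findings = []
    for sess in sessions.values():
        names = sess['requests']
        attached = 'PTRACE_ATTACH' in names
        wrote = any(PTRACE_REQ[r] in names for r in WRITE_REQS)
        # A known debugger launched from a system path is expected to attach and write
        # (breakpoints are POKETEXT); anything else, or anything in a temp dir, is not.
        suspicious_origin = sess['comm'] not in KNOWN_TRACERS or sess['exe'].startswith(WORLD_WRITABLE_DIRS)
        if attached and wrote and suspicious_origin:
            findings.append(sess)
    return findings


# Constructed auditd records (not real indicators): an admin gdb session, an unknown
# binary in /tmp injecting into pid 0x2a7, a read-only strace, and a failed attach.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1710000001.100:201): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4f2 a2=0 a3=0 pid=3001 auid=1000 uid=1000 comm=\"gdb\" exe=\"/usr/bin/gdb\" key=\"ptrace_hunt\"',
    'type=SYSCALL msg=audit(1710000001.200:202): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=4f2 a2=7f0000 a3=cc pid=3001 auid=1000 uid=1000 comm=\"gdb\" exe=\"/usr/bin/gdb\" key=\"ptrace_hunt\"',
    'type=SYSCALL msg=audit(1710000002.100:301): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=2a7 a2=0 a3=0 pid=1337 auid=0 uid=0 comm=\"ld\" exe=\"/tmp/.cache/ld\" key=\"ptrace_hunt\"',
    'type=SYSCALL msg=audit(1710000002.200:302): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=2a7 a2=7f1000 a3=90 pid=1337 auid=0 uid=0 comm=\"ld\" exe=\"/tmp/.cache/ld\" key=\"ptrace_hunt\"',
    'type=SYSCALL msg=audit(1710000002.300:303): arch=c000003e syscall=101 success=yes exit=0 a0=d a1=2a7 a2=0 a3=7ffd00 pid=1337 auid=0 uid=0 comm=\"ld\" exe=\"/tmp/.cache/ld\" key=\"ptrace_hunt\"',
    'type=SYSCALL msg=audit(1710000003.100:401): arch=c000003e syscall=101 success=yes exit=0 a0=18 a1=5c1 a2=0 a3=0 pid=4100 auid=1000 uid=1000 comm=\"strace\" exe=\"/usr/bin/strace\" key=\"ptrace_hunt\"',
    'type=SYSCALL msg=audit(1710000004.100:501): arch=c000003e syscall=101 success=no exit=-1 a0=10 a1=2a7 a2=0 a3=0 pid=1400 auid=1000 uid=1000 comm=\"x\" exe=\"/dev/shm/x\" key=\"ptrace_hunt\"',
]

if __name__ == '__main__':
    for f in hunt_ptrace_injection(SAMPLE_AUDIT):
        print(f['exe'], 'pid', f['pid'], 'injected into pid', f['target_pid'], ':', ' -> '.join(f['requests']))
```

On a real host, load the rule with auditctl (or persist it under /etc/audit/rules.d/) and feed the script from ausearch output for the chosen key; the allow-list must be tuned per fleet, since EDR agents and some profilers also use ptrace, and the temp-directory check is only a heuristic for loaders dropped by a script such as the one CERT-UA shows.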
Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/russian-sandworm-hackers-targeted-20-critical-orgs-in-ukraine/\r\nhttps://www.bleepingcomputer.com/news/security/russian-sandworm-hackers-targeted-20-critical-orgs-in-ukraine/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/russian-sandworm-hackers-targeted-20-critical-orgs-in-ukraine/"
	],
	"report_names": [
		"russian-sandworm-hackers-targeted-20-critical-orgs-in-ukraine"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434657,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/426ef930d0d651fe4bbd5b2094b88e385d94944c.pdf",
		"text": "https://archive.orkl.eu/426ef930d0d651fe4bbd5b2094b88e385d94944c.txt",
		"img": "https://archive.orkl.eu/426ef930d0d651fe4bbd5b2094b88e385d94944c.jpg"
	}
}