Welcome to the VB2021 conference!

Sandworm: reading the indictment between the lines

Anton Cherepanov (ESET) & Robert Lipovsky (ESET)
partner message

Looking for performance validation for your product?


Get an edge over your competitors with Virus Bulletin’s anti-malware & email security certification

programmes, supported by 30+ years of experience. Or take advantage of our bespoke testing service

offering valuable performance feedback for R&D. Email [email protected].

partner message

Calling all Hackers!


We are hiring mid-senior-principal level hackers!

Remote option • Flex schedule • Unlimited vacation • Opportunities for research and publication

partner message

Stay ahead of threats with VirusTotal


Stay ahead of the next generation of threats and get relevant insights to solve

the most critical security challenges.

partner message

Do you like doing work that matters to you… and really frustrates the bad guys?


At Talos, our mission is to make the internet a safer place and fight the good fight for our customers

and users. If you think you have the expertise and attitude to help lead the world in cutting-edge security,

we’d like to talk.

partner message

Ransomware prevention starts with zero


Ransomware attacks are increasing 500% year-over-year.

Learn how Zscaler's Zero Trust Exchange helps minimize exposure, damage, and risk

at every stage of a ransomware attack.

partner message

Amazon Information Security - come build the future with us!


Do you want to work on privacy and security challenges at unprecedented scale?

We have Privacy and Information Security opportunities available now across

the United States, Dublin, Ireland, and Sydney, Australia.

partner message

QI-ANXIN Technology Group Inc. Leader of New Generation Cybersecurity


QI-ANXIN Technology Group Inc. offers next generation enterprise-class cybersecurity products

and services to government and businesses. QI-ANXIN is the Official Cyber Security Services and

Anti-Virus Software Sponsor of the Olympic and Paralympic Winter Games Beijing 2022.

partner message

Farsight Security DNSDB® is the world's largest real-time and historical database of DNS resolutions


DNSDB 2.0 introduces Flexible Search support, unlocking both Regular Expressions and Globbing syntaxes for more granular and accurate search results. Get your free DNSDB API key and use it in our newly updated

web GUI, DNSDB Scout as well as your own existing environments. Contextualize everything that is DNS related with one API key - DNSDB.

partner message

VirusTotal: Actionable crowdsourced threat intelligence


Comprehensive context and cutting-edge functionality to proactively protect from cybersecurity threats.

partner message

IoT security begins with your Smart TV


CHOMAR Smart TV Security.

Protect your Android Smart TV against malicious activities and use your IoT devices without any worries.

partner message

F5 helps find malware hiding in plain sight


Encrypted malware is becoming increasingly common, and daisy-chaining security devices is neither

cost-effective, nor efficient. Detecting and stopping malware doesn’t have to be overwhelming with

F5’s innovative products.

partner message

Threat Intelligence and Cyber Resilience


Join the VB2021 Threat Intelligence Practitioners' Summit (TIPS), sponsored by the Cyber Threat Alliance,

and learn how investment in threat intelligence builds cyber resilience, allowing you to be more effective

when addressing today's dynamic threat landscape.

partner message

We don’t just talk about sharing. We do it every day.


Learn how to collaborate with the Cyber Threat Alliance to improve your overall cyber resilience.

We are a greater team when we work together; our collective efforts magnifies our success and

ensures that we are and remain cyber resilient.

The Sandworm group’s activities are a quite frequent topic at Virus Bulletin conferences. And there is no doubt why – it’s arguably the most dangerous APT group. Throughout the years of its existence, the Sandworm APT has performed a number of notorious destructive attacks, including the first-ever malware-driven electricity blackout (Kiev, December 2015), the costliest cyberattack ever (NotPetya), and attacks against entities that were involved in organizing the 2018 Winter Olympics in Pyeongchang (Olympic Destroyer).

In October 2020, the US Department of Justice published an indictment against six computer hackers who allegedly prepared and conducted the Sandworm attacks. The indictment contains detailed descriptions of attacks that have been performed during the past few years. Some of these details were already known, but some of them were published for the first time in the indictment.

After careful examination of the indictment, we were able link an activity we observed back in 2019 to Sandworm. At that time, Sandworm attackers used a previously unreported malware toolkit with an interesting and rare Windows persistence mechanism (time provider).

Our presentation reveals details about that activity and provides an in-depth analysis of the malware. In addition, we will discuss detection opportunities for the technique used by this malware.

Got a question about this presentation? To get in touch with the speakers, contact Anton Cherepanov by email on [email protected] or on Twitter at @cherepanov74, or Robert Lipovsky on Twitter at @Robert_Lipovsky.
Anton Cherepanov

Anton Cherepanov is a senior malware researcher for ESET; his responsibilities include the analysis of, and hunting for, the most complex threats. He has done extensive research on cyber attacks in Ukraine and uncovered the origins of the NotPetya attack. He has presented his research at numerous conferences, including Black Hat USA, Virus Bulletin and CARO Workshop. His interests focus on reverse engineering and malware analysis automation.

Robert Lipovsky

Robert Lipovsky is a senior malware researcher for ESET, with 13 years’ experience in cybersecurity and a broad spectrum of expertise covering targeted APTs, crimeware, as well as vulnerability research. He is responsible for threat intelligence and malware analysis and leads the Malware Research Team at ESET headquarters in Bratislava. He is a regular speaker at security conferences, including RSA Conference, Black Hat USA, Virus Bulletin, BlueHat, ATT&CKcon, Gartner Security & Risk Management Summit, and various NATO-organized conferences. He also teaches reverse engineering at the Slovak University of Technology – his alma mater – and at Comenius University. When not bound to a keyboard, he enjoys travelling, playing guitar and flying single-engine airplanes.