Welcome to the VB2021 conference!


Sandworm: reading the indictment between the lines

Anton Cherepanov (ESET) & Robert Lipovsky (ESET)
The Sandworm group’s activities are a frequent topic at Virus Bulletin conferences, and for good reason: it is arguably the most dangerous APT group in operation. Over the years of its existence, Sandworm has carried out a number of notorious destructive attacks, including the first-ever malware-induced electricity blackout (Kiev, December 2015), the costliest cyberattack to date (NotPetya), and attacks against organizations involved in running the 2018 Winter Olympics in Pyeongchang (Olympic Destroyer).

In October 2020, the US Department of Justice published an indictment against six computer hackers who allegedly prepared and conducted the Sandworm attacks. The indictment contains detailed descriptions of attacks carried out over the preceding few years. Some of these details were already known, but others were made public for the first time in the indictment.

After carefully examining the indictment, we were able to link activity we had observed back in 2019 to Sandworm. At that time, the attackers used a previously unreported malware toolkit with an interesting and rarely seen Windows persistence mechanism: registering the malware as a W32Time time provider.

Our presentation reveals details of that activity and provides an in-depth analysis of the malware. We will also discuss detection opportunities for the persistence technique this malware uses.
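The persistence mechanism named above works because the Windows Time service (W32Time) loads every enabled DLL registered under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders when it starts, so a rogue subkey with a DllName value survives reboots (ATT&CK T1547.003). One simple detection opportunity is to audit that key against the providers a stock install ships with. The script below is an added example, not ESET's tooling and not derived from the malware discussed in the talk: it parses a `reg export` of the TimeProviders key and flags enabled providers whose name or DLL path departs from the defaults. The sample export, the provider name `SyncSvc` and the path under `C:\ProgramData` are constructed for the demonstration; the allowlist of default providers and DLL paths is an assumption about a stock Windows install and should be tuned to your fleet.

```python
"""Audit W32Time time providers from a `reg export` of
HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders.

Added example for the VB2021 abstract above; not ESET's code. The
sample export and the rogue provider it contains are constructed.
"""
import re

TIMEPROVIDERS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders"

# Assumed allowlist for a stock install: provider subkey name -> DLL it must load.
# VMICTimeProvider is the Hyper-V guest provider; its DLL path is fixed as well.
KNOWN_PROVIDERS = {
    "ntpclient": r"c:\windows\system32\w32time.dll",
    "ntpserver": r"c:\windows\system32\w32time.dll",
    "vmictimeprovider": r"c:\windows\system32\vmictimeprovider.dll",
}


def parse_reg_export(text):
    """Return {subkey_name: {value_name: value}} for subkeys of TimeProviders.

    Handles the two value types that matter here: REG_SZ ("...", with the
    .reg escaping of backslashes and quotes) and REG_DWORD (dword:hex).
    """
    providers = {}
    current = None
    prefix = TIMEPROVIDERS_KEY.lower() + "\\"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().startswith(prefix):
                current = key[len(prefix):]
                providers[current] = {}
            else:
                current = None  # the parent key itself, or an unrelated key
            continue
        if current is None:
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m:
            continue
        name = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
        rhs = m.group(2)
        if rhs.startswith("dword:"):
            providers[current][name] = int(rhs[len("dword:"):], 16)
        elif rhs.startswith('"') and rhs.endswith('"'):
            providers[current][name] = rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return providers


def normalize_dll(path, systemroot=r"C:\Windows"):
    """Expand %SystemRoot% (a lambda avoids re.sub treating backslashes as escapes)
    and lower-case the result so paths compare reliably."""
    expanded = re.sub(r"%systemroot%", lambda _m: systemroot, path, flags=re.IGNORECASE)
    return expanded.lower()


def find_suspicious_providers(reg_text, systemroot=r"C:\Windows"):
    """Return (provider, reason) findings for enabled providers that are not
    on the allowlist or whose DllName no longer points at the expected DLL."""
    findings = []
    for name, values in parse_reg_export(reg_text).items():
        if values.get("Enabled", 0) != 1:
            continue  # a disabled provider is never loaded by W32Time
        dll = values.get("DllName")
        if dll is None:
            findings.append((name, "enabled provider has no DllName"))
            continue
        expected = KNOWN_PROVIDERS.get(name.lower())
        if expected is None:
            findings.append((name, f"unknown provider name, loads {dll}"))
        elif normalize_dll(dll, systemroot) != expected:
            findings.append((name, f"DllName changed from {expected} to {dll}"))
    return findings


# Constructed sample export: three stock providers plus one rogue entry.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient]
"DllName"="%systemroot%\\system32\\w32time.dll"
"Enabled"=dword:00000001
"InputProvider"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
"DllName"="%systemroot%\\system32\\w32time.dll"
"Enabled"=dword:00000000
"InputProvider"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider]
"DllName"="%systemroot%\\system32\\vmictimeprovider.dll"
"Enabled"=dword:00000001
"InputProvider"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\SyncSvc]
"DllName"="C:\\ProgramData\\Update\\tpsync.dll"
"Enabled"=dword:00000001
"InputProvider"=dword:00000001
"""

if __name__ == "__main__":
    for provider, reason in find_suspicious_providers(SAMPLE_EXPORT):
        print(f"[!] {provider}: {reason}")
```

To run it against a real host, export the key with `reg export "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders" tp.reg` and read the file with `encoding="utf-16"`, since `reg export` writes UTF-16LE. The same logic can be wired into a hunt over collected registry hives; the interesting cases are an unknown provider name and a default provider whose DllName was repointed outside System32.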

Got a question about this presentation? To get in touch with the speakers, contact Anton Cherepanov by email on [email protected] or on Twitter at @cherepanov74, or Robert Lipovsky on Twitter at @Robert_Lipovsky.
Anton Cherepanov

Anton Cherepanov is a senior malware researcher for ESET; his responsibilities include the analysis of, and hunting for, the most complex threats. He has done extensive research on cyber attacks in Ukraine and uncovered the origins of the NotPetya attack. He has presented his research at numerous conferences, including Black Hat USA, Virus Bulletin and CARO Workshop. His interests focus on reverse engineering and malware analysis automation.

Robert Lipovsky

Robert Lipovsky is a senior malware researcher for ESET, with 13 years’ experience in cybersecurity and a broad spectrum of expertise covering targeted APTs, crimeware, as well as vulnerability research. He is responsible for threat intelligence and malware analysis and leads the Malware Research Team at ESET headquarters in Bratislava. He is a regular speaker at security conferences, including RSA Conference, Black Hat USA, Virus Bulletin, BlueHat, ATT&CKcon, Gartner Security & Risk Management Summit, and various NATO-organized conferences. He also teaches reverse engineering at the Slovak University of Technology – his alma mater – and at Comenius University. When not bound to a keyboard, he enjoys travelling, playing guitar and flying single-engine airplanes.