Emulating the Sabotage-Focused Russian Adversary Sandworm – Part 2

AttackIQ presents emulation graphs that trace Sandworm’s post-compromise TTPs, focusing on HermeticWizard, HermeticWiper, and HermeticRansom as used to disrupt ICS/SCADA targets in Ukraine and beyond, while noting the group’s ongoing global espionage and sabotage activity. The content emphasizes using these templates to validate security controls against a highly destructive threat and to improve detection and response in ICS/SCADA environments.

Key Points

  • Sandworm is a highly capable Russian threat actor (GRU) linked to military Unit 74455 and targets ICS/SCADA systems in the Energy, Government, and Media sectors.
  • Ukraine has been a primary objective, hit with destructive wipers (HermeticWizard, HermeticWiper, HermeticRansom) signed with a publicly reported code-signing certificate issued to Hermetica Digital Ltd.
  • AttackIQ released two attack graphs emulating Sandworm’s post-compromise TTPs to help validate defenses for disruptive operations in ICS/SCADA environments.
  • The emulation covers execution, discovery, lateral movement, and impact phases, including network reconnaissance, WMI/SMB propagation, and credential dumping.
  • HermeticWiper aims to render systems inoperative; HermeticRansom appears as a non-obfuscated smokescreen used alongside the wiper.
  • Notable techniques include RegSvr32-based proxy execution, Ingress Tool Transfer, scheduled tasks, LSASS memory dumping, and Windows event log clearing.
  • Historically, Sandworm’s activities include 2021–2022 Ukraine incidents with wipers and a cyber operation linked to CVE-2021-1636 against SQL Server, illustrating a broad, disruptive campaign.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – “This scenario downloads to memory and saves to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.”
  • [T1218.010] System Binary Proxy Execution: Regsvr32 – “RegSvr32 is a native Windows utility that threat actors can use to register Common Object Model (COM) DLLs. This functionality allows an actor to deploy a malicious DLL and have a native Windows tool execute the code as the parent process.”
  • [T1049] System Network Connections Discovery – “This scenario performs network resource discovery by calling the WNetOpenEnumW and WNetEnumResourceW Windows API calls to enumerate network resources from the local computer.”
  • [T1018] Remote System Discovery – “This scenario performs a scan of the local network searching for any remotely accessible systems with ports 20, 21, 22, 80, 135, 137, 139, 443, or 445 open.”
  • [T1047] Windows Management Instrumentation – “This scenario attempts to move laterally to any available asset inside the network through the use of WMI. If the remote asset can be accessed, a configurable command is executed.”
  • [T1070.001] Indicator Removal: Clear Windows Event Logs – “The scenario will use the wevtutil.exe binary to clear event logs from the system.”
  • [T1053.005] Scheduled Task/Job – “This scenario creates a new scheduled task using the schtasks utility.”
  • [T1003.001] OS Credential Dumping: LSASS Memory – “Uses rundll32.exe with comsvcs.dll to call the MiniDump export that will dump the LSASS process memory to disk.”
  • [T1543.003] Windows Service – “This scenario creates a new Windows service in the system.”
  • [T1486] Data Encrypted for Impact – “This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using a similar encryption algorithm as the one observed in HermeticRansom.”
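As an added example (not AttackIQ’s code and not from the original post), the following detection logic covers five of the techniques listed above and runs over constructed process-creation records; the field names and sample command lines are assumptions modelled on Sysmon Event ID 1 telemetry, and the rules key on the tool and argument patterns the scenarios describe rather than on file hashes.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / Security 4688 style)."""
    image: str
    command_line: str

def _img(e, name):
    return e.image.lower().endswith("\\" + name)

def detect(e):
    """Return the ATT&CK technique IDs whose rule matches this one event."""
    cl = e.command_line.lower()
    hits = []
    # T1003.001: rundll32 loading comsvcs.dll and invoking its MiniDump export
    if _img(e, "rundll32.exe") and "comsvcs" in cl and "minidump" in cl:
        hits.append("T1003.001")
    # T1070.001: wevtutil clearing an event log (cl / clear-log)
    if _img(e, "wevtutil.exe") and re.search(r"\s(cl|clear-log)\s", cl):
        hits.append("T1070.001")
    # T1053.005: schtasks creating a new task
    if _img(e, "schtasks.exe") and "/create" in cl:
        hits.append("T1053.005")
    # T1047: wmic starting a process on a remote host
    if _img(e, "wmic.exe") and "/node:" in cl and "process call create" in cl:
        hits.append("T1047")
    # T1218.010: regsvr32 registering a DLL from a user-writable directory
    if _img(e, "regsvr32.exe") and re.search(r"\\(users|temp|programdata)\\", cl):
        hits.append("T1218.010")
    return hits

def scan(events):
    """Return (technique, command_line) pairs for every matching event."""
    return [(t, e.command_line) for e in events for t in detect(e)]

# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Users\Public\out.dmp full"),
    ProcEvent(r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl Security"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /create /tn Updater /tr C:\ProgramData\upd.exe /sc onstart"),
    ProcEvent(r"C:\Windows\System32\wbem\wmic.exe", "wmic.exe /node:10.0.0.12 process call create cmd.exe"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Users\Public\x.dll"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"),  # benign
    ProcEvent(r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe qe Security /c:5"),  # benign query
]
```

The two benign records at the end show the rules ignoring a system-path DLL registration and a read-only log query, which is the tuning a practitioner would want before deploying such logic against a SIEM.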

Indicators of Compromise

  • [Malware] HermeticWizard, HermeticWiper, HermeticRansom – Roles: HermeticWizard is the spreader; HermeticWiper renders systems inoperative; HermeticRansom is a non-obfuscated ransomware; the samples were signed with a Hermetica Digital Ltd certificate.
  • [Certificate] Code Signing Certificate – “The pieces of malware were signed with a code-signing certificate assigned to the Cypriot company Hermetica Digital Ltd … issued on April 13th, 2021.”
  • [Executable/Utility] RegSvr32, wevtutil.exe, schtasks, certutil, rundll32.exe, comsvcs.dll – Tools used in deployment, persistence, credential dumping, and log manipulation.
  • [Malware] The Hermetic family, including HermeticWizard, HermeticWiper, HermeticRansom – Used in 2022 operations against Ukrainian targets and named after the shared Hermetic prefix.
  • [Vulnerability] CVE-2021-1636 – Mentioned as a vulnerability exploited in a related incident against Microsoft SQL Server.
  • [File/Document] JPEG file downloaded via PowerShell – “downloading a malicious Joint Photographic Experts Group (JPEG) file via PowerShell” as part of the credential-access workflow.

Read more: https://www.attackiq.com/2024/07/03/emulating-sandworm-2/