ATK14

Presumed Origin: Russia

Alias: Black Energy, BlackEnergy, ELECTRUM, GreyEnergy, Iron Viking, Quedagh, Sandworm, Sandworm Team, TEMP.Noble, TeleBots, Voodoo Bear

ATK14 (aka BlackEnergy, Sandworm) is a group of attackers of Russian origin, active since at least 2008. This group is highly active and skilled, and is well known for the BlackEnergy campaign as well as the NotPetya campaign. It appears to correspond to unit 74455 (Main Center for Special Technologies).

In early 2022, the group appears to have been responsible for the attempted attack on a Ukrainian energy provider using Industroyer2.


Origins of the group


BlackEnergy is a malware family allegedly created in 2006-2007. It was originally used to launch DDoS attacks, and was deployed in large campaigns against Georgia and Estonia that took down governmental and banking websites. Its author reportedly sold the source code for $700, and several actors then used the malware to continue DDoS attacks against Georgia. Around 2014, one group created SCADA and ICS plugins for BlackEnergy in order to target the manufacturing and energy sectors worldwide. This is the group named ATK14.


Target sector

  • Energy
  • Government and administration agencies
  • Media
  • Transportation

Target countries

  • Estonia
  • France
  • Georgia
  • Russian Federation
  • Poland
  • Ukraine

Attack pattern

  • T1008 - Fallback Channels
  • T1016 - System Network Configuration Discovery
  • T1020 - Automated Exfiltration
  • T1023 - Shortcut Modification
  • T1024 - Custom Cryptographic Protocol
  • T1043 - Commonly Used Port
  • T1044 - File System Permissions Weakness
  • T1046 - Network Service Scanning
  • T1047 - Windows Management Instrumentation
  • T1049 - System Network Connections Discovery
  • T1050 - New Service
  • T1055 - Process Injection
  • T1056 - Input Capture
  • T1057 - Process Discovery
  • T1060 - Registry Run Keys / Startup Folder
  • T1067 - Bootkit
  • T1070 - Indicator Removal on Host
  • T1071 - Standard Application Layer Protocol
  • T1077 - Windows Admin Shares
  • T1081 - Credentials in Files
  • T1082 - System Information Discovery
  • T1083 - File and Directory Discovery
  • T1087 - Account Discovery
  • T1088 - Bypass User Account Control
  • T1113 - Screen Capture
  • T1119 - Automated Collection
  • T1120 - Peripheral Device Discovery
  • T1145 - Private Keys
  • T1192 - Spearphishing Link
  • T1193 - Spearphishing Attachment
  • T1195 - Supply Chain Compromise
  • T1203 - Exploitation for Client Execution
  • T1485 - Data Destruction
  • T1486 - Data Encrypted for Impact
  • T1487 - Disk Structure Wipe
  • T1488 - Disk Content Wipe
  • T1495 - Firmware Corruption
  • T1498 - Network Denial of Service
  • T1499 - Endpoint Denial of Service

Motivation

  • Espionage
  • Sabotage

Malware

  • BCS-Server
  • BlackEnergy
  • GCat
  • GreyEnergy
  • Mimikatz
  • Potao
  • Telebot
  • WSO
  • c99shell
  • Industroyer2

Vulnerabilities

  • CVE-2010-3333
  • CVE-2014-1761
  • CVE-2017-0143
  • CVE-2017-0144
  • CVE-2017-0146
  • CVE-2017-0147