ctipilot.ch

Sandworm

actor · actor:sandworm

Russian GRU-linked destructive/disruptive threat actor. Referenced in pipeline coverage as the contested alternative attribution for the 29 December 2025 Poland energy-grid sabotage: earlier ESET reporting (via BleepingComputer, 2026-01-24) attributed the DynoWiper attack to Sandworm, while CERT Polska and the 2026-07-13 UK/EU government attribution assign the incident to the Static Tundra / FSB Centre 16 cluster.

Aliases: APT44, Seashell Blizzard, UAC-0113, Voodoo Bear

Coverage timeline
6
first 2026-05-04 → last 2026-07-13
Peak priority
high
3 high · 3 notable
Sources cited
21
20 hosts
Sections touched
5
deep-dive, research, weekly-annual-reports
Co-occurring entities
4
see Related entities below
ATT&CK techniques
17
pinned v19.1 · see below
2026-05-046 appearances2026-07-13

ATT&CK techniques

17 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Reconnaissance TA0043

T1595.001Active Scanning: Scanning IP Blocks×1

Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

T1595.002Active Scanning: Vulnerability Scanning×1

Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Resource Development TA0042

T1583.003Acquire Infrastructure: Virtual Private Server×1

Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

T1584.008Compromise Infrastructure: Network Devices×1

Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not Initial Access to that environment, but rather to leverage these devices to support additional targeting.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

T1588.005Obtain Capabilities: Exploits×1

Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Initial Access TA0001

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Persistence TA0003

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Privilege Escalation TA0004

T1068Exploitation for Privilege Escalation×1

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Stealth TA0005

T1027Obfuscated Files or Information×1

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Defense Impairment TA0112

T1601.001Modify System Image: Patch System Image×1

Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses. Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Credential Access TA0006

T1003OS Credential Dumping×1

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures. Credentials can then be used to perform Lateral Movement and access restricted information.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Collection TA0009

T1602.001Data from Configuration Repository: SNMP (MIB Dump)×1

Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

T1602.002Data from Configuration Repository: Network Device Configuration Dump×1

Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Command and Control TA0011

T1071Application Layer Protocol×1

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

T1090Proxy×1

Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Exfiltration TA0010

T1048Exfiltration Over Alternative Protocol×1

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Impact TA0040

T1485Data Destruction×1

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.

Evidence: 2026-07-13/fsb-centre-16-static-tundra-router-hijacking-advisory · ATT&CK page ↗

Story timeline

  1. 2026-07-13FSB Centre 16 (Static Tundra) router-hijacking campaign: 19-agency joint advisory, formal Poland energy-grid attribution and first joint EU/UK cyber sanctions
    deep-dive19-agency advisory details FSB Centre 16 router hijacking via SNMP and Cisco Smart Install as the UK and EU attribute Poland's Dec-2025 grid sabotage
  2. 2026-06-29Threat-actor developments: Russia-nexus espionage broadens; new China-nexus and DPRK clusters
    weekly-research
  3. 2026-05-30ESET APT Activity Report Q4 2025–Q1 2026: Sandworm strikes NATO energy, Lazarus targets EU drone sector, UNC5221 pivots to Ivanti SPAWN toolset
    research
  4. 2026-05-25ESET APT Activity Report Q4 2025–Q1 2026 — three state programmes converging on EU energy, defence and edge appliances
    weekly-annual-reports
  5. 2026-05-10Bauman University "Department No. 4" — leaked GRU cyber-operator training pipeline reveals direct line to Sandworm and APT28 operations against European targets
    research
  6. 2026-05-04Sandworm / GRU Unit 74455 — Bauman pipeline disclosure
    weekly-long-running

Where this entity is cited

  • research2
  • weekly-long-running1
  • weekly-annual-reports1
  • weekly-research1
  • deep-dive1

Source distribution

  • bleepingcomputer.com2 (10%)
  • blog.talosintelligence.com1 (5%)
  • cert.pl1 (5%)
  • cisa.gov1 (5%)
  • cloud.google.com1 (5%)
  • gov.uk1 (5%)
  • heise.de1 (5%)
  • ic3.gov1 (5%)
  • other12 (57%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

All cited sources (21)

Entries about Sandworm (6)

2026-07-13 · view entry permalink →

HIGHCVE-2018-0171exploitedNATOA1

FSB Centre 16 (Static Tundra) router-hijacking campaign: 19-agency joint advisory, formal Poland energy-grid attribution and first joint EU/UK cyber sanctions

Background. The FSB Centre 16 network-device cluster is not new — it has a decade-plus public record under the vendor labels Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly and Ghost Blizzard, and Cisco Talos profiled it in August 2025 as "Static Tundra," documenting long-term compromise of unpatched and end-of-life network gear for configuration theft and persistent collection (Cisco Talos, 2025-08-20). What is new is a same-day trio of actions on 2026-07-13: a much fuller TTP disclosure, a formal government attribution of a destructive attack, and the first coordinated EU/UK cyber-sanctions package.

A joint Cybersecurity Advisory carrying 19 authoring and co-sealing agencies across 13 countries — NSA, CISA, FBI and DC3 (US) alongside the cyber and intelligence authorities of Australia, Canada, New Zealand, the UK, Czech Republic, Denmark, Estonia, Finland, France, Italy, Poland and Sweden — describes FSB Centre 16 opportunistically compromising poorly configured routers across communications, defense industrial base, energy, financial services, government (especially state/local), and healthcare sectors (NSA/CISA/FBI joint advisory, 2026-07-13; NCSC-UK, 2026-07-13). The advisory notes these TTPs overlap with Salt Typhoon activity, so the hardening below counters more than one actor.

The primary access vector is not a novel exploit but weak SNMP hygiene. The actors scan internet IP ranges for SNMP agents that accept common or default community strings, then issue spoofed-source SNMP Set-Requests carrying object identifiers that instruct the device to copy its running configuration to a file (commonly config.bkp or output.txt) and transfer it, usually over TFTP, to a leased VPS or a compromised FTP server (joint advisory, 2026-07-13). The advisory names the exact OIDs abused — 1.3.6.1.4.1.9.9.96.1.1 (Cisco Config Copy) and 1.3.6.1.4.1.9.9.96.1.1.1.1.5 (the destination address for the copied config). A stolen configuration frequently discloses further credentials and additional community strings, feeding lateral movement. Talos's profile records the actor guessing or reusing insecure read-write community strings such as public and anonymous (Cisco Talos, 2025-08-20). Secondarily — "occasionally," per the advisory — the actors exploit known Cisco bugs and the Smart Install (SMI) feature, naming CVE-2018-0171 (the Smart Install pre-auth RCE, in CISA KEV since 2021) and CVE-2008-4128 (end-of-life devices only, no patch). Persistence has historically included the SYNful Knock IOS firmware implant.

The Poland grid attribution. On the same day, the UK together with EU member states formally attributed the destructive 29 December 2025 attack on Poland's energy grid to FSB Centre 16 (NCSC-UK, 2026-07-13). CERT Polska's own incident report describes coordinated destructive activity against 30-plus wind and photovoltaic grid-connection substations — RTU, HMI and protection-relay firmware damaged or system files deleted — and a combined heat-and-power plant serving roughly half a million people, where wiper malware was blocked by the operator's EDR before detonation; CERT Polska tied the activity to the Static Tundra / Berserk Bear / Ghost Blizzard / Dragonfly cluster via VPS, router and anonymizing-infrastructure overlap and called it "the first publicly described destructive activity attributed to this activity cluster" (CERT Polska, 2026-01-30). Note the attribution is contested at the cluster-label level: earlier ESET reporting attributed the same DynoWiper attack to the GRU's Sandworm (BleepingComputer, 2026-01-24), and the EU Council statement names FSB Centre 16 as the parent controlling several groups including Turla — so treat "FSB Centre 16" as an umbrella unit rather than a single team.

The sanctions package is the policy layer: the EU designated 9 individuals and 4 entities and the UK designated 24, covering senior GRU figures, the front company IMPULS accused of recruiting hackers for GRU Unit 29155, Lumma Stealer operators, and the disinformation outlet Rybar LLC (UK Government, 2026-07-13; BleepingComputer, 2026-07-13).

Detection. The telemetry classes to prioritise on network gear: network-flow and firewall logs for inbound SNMP Set-Requests (especially with spoofed or unfamiliar source addresses) and for outbound TFTP sessions initiated from a router/switch management interface to non-management destinations; device syslog and AAA/TACACS+ logs for unexpected "config copy" events, new local-account creation, and unexplained drops in logging volume — Talos documents the actor tampering with TACACS+ configuration to blind logging and standing up GRE tunnels to redirect victim traffic (Cisco Talos, 2025-08-20); and IDS rules keyed to inbound SNMP Set-Requests carrying the config-copy OIDs above, as the advisory recommends (joint advisory, 2026-07-13). Baseline NetFlow for the new GRE tunnel endpoints Talos describes.

Defender takeaway. For a Swiss or European CI operator this is a router-hygiene mandate with a live destructive precedent next door. Disable Smart Install where it is not in active use, confirm CVE-2018-0171 is patched, migrate management SNMP to v3 with authPriv and disable SNMPv1/v2c (or, where legacy SNMP is unavoidable, replace every default/weak community string and enforce read-only), restrict all management protocols to known stations via out-of-band ACLs, use Cisco password hashing type 8 (never 0/4/7), and treat the device configuration held in your management system — not the device itself — as the source of truth so a tampered config is detectable.

Triage: legitimate network-management stations poll SNMP on a predictable cadence from a known IP set, almost always read-only GET/GET-NEXT. The signal is a write (SNMP Set-Request) — particularly one carrying the config-copy OIDs — from a source outside the management range or with an inconsistent/spoofed source address, followed by an outbound TFTP transfer from the device; either alone is weak, the sequence config-write-then-TFTP-egress is the discriminator.

The actors scan for Internet IP ranges with active Simple Network Management Protocol (SNMP) agents that accept common or default community strings for authentication

NSA / CISA / FBI / DC3 joint Cybersecurity Advisory (19 agencies, 13 countries) 2026-07-13

The UK together with EU member states has also today formally attributed the December 2025 attack on Poland's energy grid to Russia's FSB Centre 16.

NCSC-UK 2026-07-13

This is, however, the first publicly described destructive activity attributed to this activity cluster.

CERT Polska 2026-01-30

This reckless attack failed but could have caused 500,000 citizens to lose electricity in the depths of winter.

UK Government (FCDO) 2026-07-13
threat13 Jul 12:40Zmulti-sourceOpen finding ↗

2026-06-29 · view entry permalink →

HIGH

Threat-actor developments: Russia-nexus espionage broadens; new China-nexus and DPRK clusters

The most significant new actor finding the dailies did not carry is Turla's STOCKSTAY — Google GTIG characterised a multi-component .NET/Windows Forms backdoor that communicates C2 over secure WebSocket and shares significant code overlap with Kazuar (Turla's staple implant since 2017). Delivery used malicious RDP files by phishing and, as recently as November 2025, RAR archives exploiting WinRAR's CVE-2025-8088 (a flaw also abused by Sandworm, Gamaredon and RomCom). Current targeting is Ukrainian government and military, but earlier victims had Italian, Dutch, Polish and German foreign-policy interest — a direct read-across for Swiss federal and European governmental entities with Ukraine-adjacent policy work (The Hacker News). This sits alongside the week's other Russia-nexus signal: FBI/CISA escalated their warning that Russian intelligence (tracked as UNC5792) is now phishing Signal Backup Recovery Keys for persistent account takeover, and ESET's Gamaredon retrospective (§ 7) shows the FSB-linked group moving exfil and C2 wholesale onto trusted cloud services.

Two non-Russian clusters round out the picture. Unit 42 documented CL-STA-1062, a Chinese-speaking cluster (overlapping Talos's UAT-7237) deploying the new TinyRCT .NET backdoor via AppDomainManager injection against Southeast-Asian government and state-owned energy targets (Unit 42); Kaspersky GReAT analysed the StrikeShark cluster's SharkLoader deploying Cobalt Strike via "Perfect DLL Hijacking" against government targets (Securelist). And SentinelLABS' macOS.Gaslight, a DPRK-aligned Rust backdoor, notably turns prompt injection on the LLM-assisted analyst rather than the sandbox (SentinelLABS) — an early instance of tradecraft built specifically to poison AI-assisted triage. Attribute the claim to the research outfit, not the state, where the source itself hedges.

research29 Jun 00:21Zmulti-sourceOpen finding ↗

2026-05-30 · view entry permalink →

HIGH

ESET APT Activity Report Q4 2025–Q1 2026: Sandworm strikes NATO energy, Lazarus targets EU drone sector, UNC5221 pivots to Ivanti SPAWN toolset

ESET published its APT Activity Report covering October 2025 through March 2026 on 28 May 2026 (ESET WeLiveSecurity, 2026-05-28). EU- and NATO-relevant findings for public-sector defenders: Sandworm (Russia/GRU) intensified destructive winter operations against Ukrainian infrastructure and targeted a Polish energy company in December 2025 — a NATO member state critical-infrastructure attack attributed with medium confidence; this represents continued Sandworm willingness to conduct wiper operations beyond Ukraine's borders. Sednit/APT28 deployed Covenant and BeardShell implants against Ukrainian military, drone manufacturers, and logistics companies. Lazarus Group ran Operation DreamJob targeting European drone manufacturers — ESET assesses this as technology acquisition for North Korea's weapons programme. Operation DangerousPassword compromised the axios JavaScript library (100+ million weekly npm downloads), injecting trojanised code and demonstrating ongoing North Korea supply-chain interest in developer ecosystem targeting. UNC5221 (China-nexus) deployed a new implant assessed as part of the SPAWN toolset, specifically targeting Ivanti VPN appliances (Connect Secure, Policy Secure); organisations running unpatched Ivanti VPN should audit for SPAWN toolset artefacts including SPAWNANT installer, SPAWNMOLE tunneller, SPAWNSNAIL SSH backdoor, and SPAWNSLOTH log-tampering utility. The report PDF is available at https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2025-q1-2026.pdf. Key defender actions: (a) confirm Sandworm wiper detection capability (file-destruction followed by MBR/VBR overwrite patterns, VSS deletion); (b) review Ivanti VPN logs for SPAWN footprints per CISA AA24-060A indicators; (c) audit npm dependency trees for axios versions <1.8.0 or 0.x released after the DangerousPassword campaign window.

annual-report30 May 05:00Zmulti-sourceOpen finding ↗

Earlier coverage (3)