
Seashell Blizzard Overview

Seashell Blizzard (also known as Sandworm) is a Russian state-sponsored threat actor group attributed to the Russian Main Directorate/Main Intelligence Directorate of the General Staff of the Armed Forces (GRU) Main Center for Special Technologies (GTsST), Unit 74455. The group has been operational since at least 2014. The unit associated with Seashell Blizzard consists of three subgroups, each with a focus on specific operations: Kamacite serves as an access and enablement group; Electrum conducts actions on objectives, including disrupting Industrial Control Systems (ICS); and TeleBots conducts cyber sabotage against a broader range of targets. The subgroups overlap in the tools and tactics, techniques, and procedures (TTPs) they use to conduct their activities. An indictment on 15th October 2020 by the US Department of Justice (DoJ) against six officers of Unit 74455 conclusively linked several key intrusions to the different Seashell Blizzard sub-groups.

The group has conducted spear phishing attacks, software supply chain attacks, information operations, and employed intrusions that masqueraded as ransomware. Their primary objectives have included disruptive cyber efforts, influence operations and espionage, likely on behalf of decision-makers in Russian military intelligence, or as a matter of national pride in cases of targeting relating to international sports. Seashell Blizzard has frequently employed tactics that make attribution difficult, such as attempting to plant false flags, obfuscate command and control (C2) infrastructure, or otherwise engaging in the Russian military tactic of “maskirovka” (concealment or obfuscation). The group has not only used a suite of custom tools like BlackEnergy3, Bad Rabbit, CHEMISTGAMES, OlympicDestroyer, Industroyer/Industroyer2, NotPetya, KillDisk, GreyEnergy, VPNFilter, Exaramel, Exim Mail Transfer Agent, P.A.S Webshell, Teledoor, Cyclops Blink, CaddyWiper, ArguePatch, and AcidRain, but also frequently employs open-source tools such as Mimikatz.

Targeted Sectors

Seashell Blizzard frequently targets Ukrainian organisations, the North Atlantic Treaty Organisation (NATO) and NATO-partner organisations and institutions, likely because of this military alliance’s interests and activities at Russia’s western border as well as to support Russian military intelligence objectives. The threat actor group has also been observed targeting organisations in the education, energy, government and telecommunications sectors.

Threat Actor Motivations

The motives of Seashell Blizzard can be evaluated by observing the strategies they apply within the context of their campaigns. The group is known for its interest in secret geopolitical data that would be advantageous to the Russian State.

Seashell Blizzard operates within the context of the GRU or GU (General Staff of the Armed Forces of the Russian Federation), a military foreign intelligence agency with advanced and disruptive capabilities to conduct global disinformation, propaganda, espionage, and cyber operations. The GRU invests in improving both its technical and its psychological capabilities. As such, Seashell Blizzard acts with espionage and sabotage motivations.

Russia’s security agencies are in competition with each other and often carry out similar operations on a similar set of targets. It therefore becomes difficult to apply specific attribution and motivational assessments. However, in some cases, attacks can also be carried out in a collaborative effort. As an example, some of the Seashell Blizzard attacks were carried out with the help of GRU Unit 26165, the Russian GRU cyber military unit that is part of Fancy Bear (APT28).

Threat Actor Activity Timeline

2015-2016: Seashell Blizzard deployed wiper malware to target Ukrainian critical infrastructure.

2017: Seashell Blizzard was responsible for the international NotPetya incident.

2018: Seashell Blizzard targeted the 2018 Winter Olympics with destructive malware.

2019: Seashell Blizzard engaged in distributed denial-of-service (DDoS) attacks and defacement of Georgian national government entities.

2022: Seashell Blizzard deployed a series of destructive wiping attacks aimed at Ukrainian infrastructure during Russia’s large-scale military operations.

May 2023: Seashell Blizzard was linked to an attack on Ukrainian state networks where WinRAR was used to destroy data on government devices. The Ukrainian Government Computer Emergency Response Team (CERT-UA) stated at the time of the event that compromised virtual private network (VPN) accounts that were not protected with multi-factor authentication (MFA) were used to access critical systems in Ukrainian state networks.

August 2023: Seashell Blizzard deployed an Android malware strain named “Infamous Chisel” to remotely access Ukrainian soldiers’ devices. The Security Service of Ukraine (SBU) blocked the campaign.

Associated Malware

Seashell Blizzard deploys specific malware variants according to the target environment. In general, they deliver Industroyer and CaddyWiper malware when targeting ICS, and other variants, such as ORCSHRED, SOLOSHRED and AWFULSHRED, when targeting Linux and Solaris networks. Some of this malware is described in more detail here:

  • Industroyer: Industroyer is a sophisticated malware framework designed to disrupt ICS, particularly components used in power grids. Seashell Blizzard has deployed Industroyer variants in multiple attacks targeting power grids in Ukraine. This is the first publicly known malware specifically designed to target and impact operations in the electric grid. Industroyer2 is one such variant.
  • CaddyWiper: CaddyWiper is a wiper malware variant designed to damage target systems by erasing user data, programs, and hard drives. Seashell Blizzard deployed CaddyWiper in attacks against Ukrainian government agencies prior to the current Russia-Ukrainian conflict.
  • NotPetya: NotPetya is an altered ransomware variant of the Petya encryption malware. It destroys data and disk structures on compromised systems. Seashell Blizzard deployed NotPetya in the infamous worldwide attacks in 2017. NotPetya also contains worm features that allow it to spread itself across a target network using the SMBv1 exploits EternalBlue and EternalRomance.

Indicators of Compromise

Seashell Blizzard Associated File Hashes (MD5):

  • 0544d425c7555dc4e9d76b571f31f500
  • 0face841f7b2953e7c29c064d6886523
  • 27c69aa39024d21ea109cc9c9d944a04
  • 288166952f934146be172f6353e9a1f5
  • 437f135ba179959a580412e564d3107f
  • 6c39c3f4a08d3d78f2eb973a94bd7718
  • 8b675db417cc8b23f4c43f3de5c83438
  • c73d42d7546fe049f63115635c092288

Seashell Blizzard Associated File Hashes (SHA256):

  • 08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949
  • 1a2ab4df156ccd685f795baee7df49f8e701f271d3e5676b507112e30ce03c42
  • 1db93ee81050da0ba413543f9fbc388499a466792f9a54ea6f1bbdb712ba9690
  • 37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4
  • 3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571
  • 5c776a33568f4c16fee7140c249c0d2b1e0798a96c7a01bfd2d5684e58c9bb32
  • 5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57
  • 5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14
  • 6c52a5850a57bea43a0a52ff0e2d2179653b97ae5406e884aee63e1cf340f58b
  • 6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47
  • 73e1f2762ffe8e674f08d83c1308362bd96ccd4f64c307ee0a568bc66faf45bb

Seashell Blizzard Associated Domains:

  • stark-industries[.]solutions
  • as210558[.]net
  • besthosting[.]ua
  • digitalcourage[.]de
  • milkywan[.]fr
  • ett[.]ddns[.]net
  • hostapp[.]be
  • kievstar[.]online
  • ett[.]hopto[.]org
  • star-link[.]ddns[.]net
  • darkett[.]ddns[.]net
  • darkfox[.]ddns[.]net
  • electrum[.]org
  • frge[.]io
  • rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad[.]onion
  • starlink-ua[.]ddns[.]net
  • yugyuvyugguitgyuigtfyutdtoghghbbgyv[.]cx
  • cache-pdf[.]com
  • darksea[.]ddns[.]net
  • domtern[.]com

Seashell Blizzard Associated IP Addresses:

  • 185[.]220[.]102[.]244
  • 185[.]220[.]101[.]185
  • 45[.]154[.]98[.]225
  • 80[.]67[.]167[.]81
  • 77[.]91[.]123[.]136
  • 203[.]96[.]191[.]70
  • 5[.]199[.]174[.]219
  • 65[.]108[.]213[.]210
  • 5[.]199[.]173[.]152
  • 103[.]150[.]187[.]121
  • 103[.]94[.]157[.]5
  • 136[.]144[.]41[.]177
  • 162[.]241[.]216[.]236
  • 195[.]230[.]23[.]19
  • 217[.]77[.]221[.]199
  • 91[.]245[.]255[.]243
  • 95[.]216[.]13[.]196
  • 185[.]170[.]144[.]159
  • 185[.]80[.]92[.]143
  • 87[.]236[.]16[.]143
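The indicators above are published defanged ("[.]" in place of "."), so they have to be refanged before they can be matched against telemetry. The following script is an added example and is not part of the original profile: it takes a subset of the hashes, domains and IP addresses listed on this page, refangs them, and scans a few constructed log lines (a DNS query log, a proxy log and an EDR file event; the log format is an assumption, not any vendor's) for exact IP and hash matches and for domain matches that also catch subdomains of a listed domain.

```python
import re
from typing import Optional

# Indicators copied from the profile above, kept in their defanged form.
# Only a subset is used here to keep the example short; the full lists
# from the page work the same way.
DEFANGED_DOMAINS = [
    "kievstar[.]online",
    "star-link[.]ddns[.]net",
    "cache-pdf[.]com",
    "ett[.]hopto[.]org",
]
DEFANGED_IPS = [
    "185[.]220[.]102[.]244",
    "5[.]199[.]174[.]219",
    "91[.]245[.]255[.]243",
]
KNOWN_MD5 = {
    "0544d425c7555dc4e9d76b571f31f500",
    "c73d42d7546fe049f63115635c092288",
}
KNOWN_SHA256 = {
    "08c34c6ac9186b61d9f29a77ef5e618067e0bc9fe85cab1ad25dc6049c376949",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its live form for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


WATCH_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
WATCH_IPS = {refang(i) for i in DEFANGED_IPS}

# Loose extractors: we only need candidate tokens, the allow-lists decide.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{64}\b", re.IGNORECASE)


def domain_matches(hostname: str) -> Optional[str]:
    """Return the watched domain that hostname equals or is a subdomain of.

    'myhost.ddns.net' does not match 'star-link.ddns.net': the comparison is
    on whole labels, so a shared dynamic-DNS parent is not enough.
    """
    host = hostname.lower().rstrip(".")
    for watched in WATCH_DOMAINS:
        if host == watched or host.endswith("." + watched):
            return watched
    return None


def scan_line(line: str) -> list:
    """Return (indicator_type, matched_value) pairs found in one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in WATCH_IPS:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        if domain_matches(host):
            hits.append(("domain", host.lower()))
    for digest in HASH_RE.findall(line):
        digest = digest.lower()
        if digest in KNOWN_MD5 or digest in KNOWN_SHA256:
            hits.append(("hash", digest))
    return hits


def scan_log(lines) -> list:
    """Scan an iterable of log lines; return [(line_number, type, value), ...]."""
    findings = []
    for number, line in enumerate(lines, 1):
        for kind, value in scan_line(line):
            findings.append((number, kind, value))
    return findings


# Constructed sample log lines (not real telemetry), including benign noise
# and a sibling dynamic-DNS host that must not match.
SAMPLE_LOG = [
    "2024-03-01T09:12:04Z dns client=10.0.0.21 query=update.kievstar.online type=A",
    "2024-03-01T09:12:05Z proxy src=10.0.0.21 dst=185.220.102.244:443 method=CONNECT",
    "2024-03-01T09:13:10Z edr host=WS-0042 event=file_create md5=0544d425c7555dc4e9d76b571f31f500 path=C:\\Users\\Public\\x.exe",
    "2024-03-01T09:14:00Z dns client=10.0.0.33 query=www.example.com type=A",
    "2024-03-01T09:14:02Z proxy src=10.0.0.33 dst=93.184.216.34:443 method=CONNECT",
    "2024-03-01T09:15:00Z dns client=10.0.0.21 query=myhost.ddns.net type=A",
]

if __name__ == "__main__":
    for number, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {number}: {kind} match {value}")
```

Several of the listed domains are dynamic-DNS names or otherwise shared infrastructure, so a hit from this kind of scan is a triage lead to be checked against the surrounding activity rather than a verdict on its own; the subdomain rule deliberately requires a whole listed name, not just its dynamic-DNS parent.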

Exploited Vulnerabilities

CVE-2014-4114 (Sandworm): Successful exploitation of this vulnerability allows remote threat actors to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a “Sandworm” attack in June to October 2014, aka “Windows OLE Remote Code Execution Vulnerability.”

CVE-2022-30190 (Follina) (CVSSv3 Score: 7.8: Severity Level – High): Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.

CVE-2019-10149 (CVSSv3 Score: 9.8 Severity Level – Critical): A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of the recipient address in the deliver_message() function in /src/deliver.c may lead to remote command execution.

CVE-2022-0715 (CVSSv3 Score: 9.1 Severity Level – Critical): Improper Authentication vulnerability exists that could allow a threat actor to arbitrarily change the behaviour of the UPS when a key is leaked and used to upload malicious firmware.

CVE-2022-22805 (CVSSv3 Score: 9.8 Severity Level – Critical): Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability exists that could cause remote code execution when an improperly handled TLS packet is reassembled.

CVE-2022-22806 (CVSSv3 Score: 9.8 Severity Level – Critical): Authentication Bypass by Capture-replay vulnerability exists that could cause an unauthenticated connection to the UPS when a malformed connection is sent.

MITRE Methodologies

Initial Access
T1190 – Exploit Public-Facing Application
T1133 – External Remote Services
T1078 – Valid Accounts
T1566.001 – Phishing: Spearphishing Attachment

Execution
T1204.002 – User Execution: Malicious File
T1059.001 – Command and Scripting Interpreter: PowerShell
T1059.005 – Command and Scripting Interpreter: Visual Basic
T1053.005 – Scheduled Task/Job: Scheduled Task
T1059.004 – Command and Scripting Interpreter: Unix Shell
T1053.003 – Scheduled Task/Job: Cron

Persistence
T1505.003 – Server Software Component: Web Shell
T1133 – External Remote Services
T1543.002 – Create or Modify System Process: Systemd Service
T1136 – Create Account
T1053.005 – Scheduled Task/Job: Scheduled Task
T1078 – Valid Accounts
T1053.003 – Scheduled Task/Job: Cron

Privilege Escalation
T1053.005 – Scheduled Task/Job: Scheduled Task
T1078 – Valid Accounts
T1548.001 – Abuse Elevation Control Mechanism: Setuid and Setgid
T1053.003 – Scheduled Task/Job: Cron

Defense Evasion
T1036.005 – Masquerading: Match Legitimate Name or Location
T1140 – Deobfuscate/Decode Files or Information
T1543.002 – Create or Modify System Process: Systemd Service
T1078 – Valid Accounts
T1548.001 – Abuse Elevation Control Mechanism: Setuid and Setgid

Credential Access
T1555.003 – Credentials from Password Stores: Credentials from Web Browsers
T1003.001 – OS Credential Dumping: LSASS Memory
T1040 – Network Sniffing
T1056.001 – Input Capture: Keylogging

Discovery
T1083 – File and Directory Discovery
T1018 – Remote System Discovery
T1040 – Network Sniffing

Collection
T1056.001 – Input Capture: Keylogging

Command and Control
T1571 – Non-Standard Port
T1219 – Remote Access Software
T1132 – Data Encoding
T1071.001 – Application Layer Protocol: Web Protocols
T1090 – Proxy

Exfiltration
T1041 – Exfiltration Over C2 Channel

Cyber Kill Chain

With respect to the Seashell Blizzard campaign involving the delivery of NotPetya ransomware, analysis has shown that the threat actor group follows the cyber-attack chain outlined below:

  1. Access compromised Linux host
  2. Lateral movement to Windows machine
  3. Discovery of Windows network environment
  4. Credential dumping from Windows environment
  5. Move to domain controller
  6. Deployment of NotPetya ransomware to encrypt files

Additional information

Figure: an intelligence terminology yardstick showing the likelihood of events.