Background
Sandworm is a destructive cyber threat group attributed to Unit 74455 of Russia's Main Intelligence Directorate (GRU), also known as the Main Center for Special Technologies (GTsST). Active since at least 2009, Sandworm is unique among nation-state actors for its willingness to conduct destructive cyberattacks against critical infrastructure, including operations that cause physical effects in the real world. The group operates alongside but separately from APT28 (GRU Unit 26165) within the GRU hierarchy.
In October 2020, the U.S. Department of Justice indicted six GRU Unit 74455 officers for their roles in Sandworm operations, including the Ukraine power grid attacks, NotPetya, and Olympic Destroyer. The indictment provided unprecedented detail on the group's organizational structure and individual roles in specific campaigns.
Sandworm is responsible for the first publicly confirmed cyberattacks to cause power outages (Ukraine 2015, 2016, 2022), the most economically damaging cyberattack in history (NotPetya, estimated $10+ billion in damages), and numerous destructive wiper attacks deployed in support of Russia's military operations in Ukraine. The group bridges the gap between traditional cyber espionage and cyber warfare, routinely conducting operations designed to degrade, disrupt, or destroy target systems.
Notable Campaigns
Ukraine Power Grid Attacks (2015-2016): In December 2015, Sandworm used BlackEnergy malware and KillDisk to compromise three Ukrainian power distribution companies, remotely opening circuit breakers and causing outages affecting approximately 230,000 customers. In December 2016, the group deployed Industroyer (CrashOverride), purpose-built ICS malware that directly manipulated industrial control protocols (IEC 101, IEC 104, IEC 61850, OPC DA) to attack a Kyiv transmission substation, demonstrating a dramatically more sophisticated capability.
NotPetya (June 2017): Sandworm compromised the update mechanism of M.E.Doc, a Ukrainian tax accounting software used by virtually all businesses operating in Ukraine. The group pushed NotPetya, a destructive wiper disguised as ransomware, through a software update. NotPetya spread globally via EternalBlue and credential harvesting, causing over $10 billion in damages to organizations including Maersk, Merck, FedEx/TNT Express, and Mondelez. This remains the most costly cyberattack in history.
Olympic Destroyer (February 2018): During the opening ceremony of the 2018 PyeongChang Winter Olympics, Sandworm deployed destructive malware against Olympic IT infrastructure, disrupting the ceremony broadcast, Wi-Fi, and the official website. The malware included multiple false-flag indicators designed to misdirect attribution toward North Korea and China, demonstrating deliberate deception operations.
Industroyer2 and Ukraine Wiper Campaign (2022): In support of Russia's full-scale invasion of Ukraine, Sandworm launched Industroyer2 against Ukrainian high-voltage electrical substations in April 2022, alongside CaddyWiper for IT system destruction. The attack was detected and mitigated by CERT-UA and ESET before causing extended outages. Throughout 2022-2023, Sandworm deployed numerous wiper variants (HermeticWiper, IsaacWiper, WhisperGate, CaddyWiper, SwiftSlicer, AcidRain) against Ukrainian government and infrastructure targets.
Cyclops Blink Botnet (2019-2022): Sandworm built a large-scale botnet by compromising WatchGuard Firebox and ASUS router devices with Cyclops Blink, a modular framework replacing the earlier VPNFilter botnet. The U.S. DOJ and FBI conducted a court-authorized operation in April 2022 to disrupt the botnet before it could be weaponized for destructive purposes.
Tactics, Techniques & Procedures
Initial Access: Sandworm uses a combination of spearphishing (T1566.001), exploitation of internet-facing systems (T1190), and supply chain compromise (T1195.002). The group has repeatedly targeted VPN appliances, firewalls, and email servers using both zero-day and n-day vulnerabilities. For supply chain attacks, Sandworm compromises software update mechanisms (M.E.Doc, SolarWinds-adjacent targets) to distribute malicious payloads at scale.
ICS/OT Targeting: Sandworm is one of very few threat actors with demonstrated capability to develop and deploy ICS-specific malware. Industroyer and Industroyer2 directly manipulate industrial control protocols, requiring deep knowledge of power grid operations. The group combines IT network compromise with OT-specific payloads, typically gaining initial access through IT networks and pivoting to OT environments.
Destructive Operations: Destruction is Sandworm's signature capability. Techniques include disk wiping (T1561.002), MBR/firmware corruption (T1495), file destruction (T1485), and rendering systems unbootable. The group maintains an arsenal of wiper variants that can be rapidly customized and deployed. NotPetya demonstrated the ability to combine destruction with self-propagation for maximum impact.
Command & Control: Sandworm uses a mix of custom C2 protocols, compromised infrastructure, and Tor for communications. The Cyclops Blink and VPNFilter botnets used compromised networking equipment as C2 relay points. For targeted operations, the group deploys custom backdoors (Exaramel, GreyEnergy) with encrypted communications over standard protocols (T1071.001, T1573).
Tools & Malware
- Industroyer / Industroyer2: Purpose-built ICS malware targeting power grid infrastructure. Industroyer supports four industrial protocols (IEC 101, IEC 104, IEC 61850, OPC DA). Industroyer2 targeted IEC 104 specifically, with hardcoded parameters for Ukrainian substations.
- BlackEnergy: Modular backdoor framework evolved from a DDoS tool. Used in the 2015 Ukraine power grid attack. Included plugins for credential harvesting, keylogging, screenshots, and KillDisk deployment.
- NotPetya: Destructive wiper masquerading as Petya ransomware. Propagated via EternalBlue (MS17-010) and credential harvesting (Mimikatz). The encryption was irreversible by design, making payment pointless.
- CaddyWiper / HermeticWiper / SwiftSlicer: Family of wiper malware deployed against Ukraine during the 2022 invasion. Each variant uses different destruction methods: CaddyWiper overwrites files and partition tables, HermeticWiper corrupts the MBR and abuses a legitimate disk management driver, and SwiftSlicer uses Active Directory Group Policy for deployment.
- AcidRain: ELF wiper targeting MIPS-based modems, deployed against the Viasat KA-SAT satellite broadband service on February 24, 2022 (invasion day), disrupting communications across Ukraine and parts of Europe.
- Olympic Destroyer: Destructive malware deployed at the PyeongChang Olympics with built-in false-flag artifacts mimicking Lazarus Group and Chinese APTs.
- Cyclops Blink: Modular botnet framework targeting WatchGuard and ASUS networking devices, successor to VPNFilter, providing persistent access and relay capabilities.
Indicators & Detection
ICS/OT Environment Monitoring: Organizations operating critical infrastructure should implement network monitoring between IT and OT segments. Detect anomalous industrial protocol traffic (IEC 104, OPC DA) and unauthorized connections to engineering workstations, RTUs, and PLCs. Maintain offline backups of PLC/RTU configurations and firmware images.
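To illustrate the protocol-level monitoring this paragraph calls for, here is an added example (not part of the original profile) that parses IEC 60870-5-104 APDUs and alerts on control-direction commands, the ASDU types Industroyer and Industroyer2 manipulated, whenever they come from a host other than the approved SCADA master. The allow-list, IP addresses and sample frames are constructed for this example.

```python
"""Flag IEC 60870-5-104 control ASDUs sent by hosts outside the SCADA master allow-list."""
import struct

# ASDU type identifiers in the control direction (IEC 60870-5-101/104): these change process state.
CONTROL_TYPE_IDS = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
                    47: "C_RC_NA_1 regulating step", 48: "C_SE_NA_1 set-point",
                    58: "C_SC_TA_1 single command (time-tagged)", 59: "C_DC_TA_1 double command (time-tagged)"}

def parse_apdu(frame: bytes):
    """Parse one APDU. Returns (type_id, cause, common_addr, ioa) for I-format frames,
    None for S/U-format frames (which carry no ASDU) or malformed input."""
    if len(frame) < 6 or frame[0] != 0x68 or frame[1] != len(frame) - 2:
        return None
    if frame[2] & 0x01:                   # control octet bit 0 set: S- or U-format
        return None
    asdu = frame[6:]
    if len(asdu) < 9:                     # type, VSQ, COT(2), CA(2), IOA(3) at minimum
        return None
    type_id, _vsq, cot, ca = struct.unpack("<BBHH", asdu[:6])
    return type_id, cot & 0x3F, ca, int.from_bytes(asdu[6:9], "little")

def build_i_frame(type_id, cause, ca, ioa, value, ns=0, nr=0):
    """Build a minimal single-object I-format APDU (used here only to construct sample traffic)."""
    asdu = struct.pack("<BBHH", type_id, 1, cause, ca) + ioa.to_bytes(3, "little") + bytes([value])
    ctrl = struct.pack("<HH", ns << 1, nr << 1)           # N(S), N(R) with bit 0 clear = I-format
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu

def flag_unauthorized_commands(packets, allowed_masters):
    """Return one alert dict per control ASDU whose source IP is not an authorized master."""
    alerts = []
    for src, dst, payload in packets:
        parsed = parse_apdu(payload)
        if parsed is None or parsed[0] not in CONTROL_TYPE_IDS:
            continue                      # monitoring data, S/U frames: not a command
        type_id, cause, ca, ioa = parsed
        if src not in allowed_masters:
            alerts.append({"src": src, "dst": dst, "type_id": type_id, "name": CONTROL_TYPE_IDS[type_id],
                           "common_addr": ca, "ioa": ioa, "cause": cause})
    return alerts

# Constructed sample traffic: (source IP, destination IP, APDU bytes). All addresses are made up.
ALLOWED_MASTERS = {"10.1.1.10"}           # the only SCADA master permitted to issue commands
SAMPLE_PACKETS = [
    ("10.1.1.10", "10.2.0.5", b"\x68\x04\x07\x00\x00\x00"),          # STARTDT act (U-format)
    ("10.1.1.10", "10.2.0.5", build_i_frame(45, 6, 1, 1001, 0x01)),  # master: single command ON
    ("10.2.0.5", "10.1.1.10", build_i_frame(1, 3, 1, 1001, 0x01)),   # RTU: M_SP_NA_1 spontaneous
    ("10.1.7.33", "10.2.0.5", build_i_frame(46, 6, 1, 2002, 0x01)),  # unknown host: double command OFF
]
```

Running `flag_unauthorized_commands(SAMPLE_PACKETS, ALLOWED_MASTERS)` yields a single alert for the double command from 10.1.7.33; the master's own command, the RTU's monitoring data and the U-format frame pass silently.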
Wiper Detection: Monitor for bulk file overwriting or deletion operations, MBR modifications, and abuse of legitimate disk management drivers. Implement application whitelisting to prevent unauthorized executables. Detect lateral movement via SMB/WMI (T1047) and Group Policy abuse, which Sandworm uses to deploy wipers across networks.
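As an added example (not from the original profile), the following heuristics run over constructed file-activity events and flag the two behaviours this paragraph names: a burst of overwrites and deletes by one process across many directories, and a direct write to a raw physical-disk handle, which is how MBR and partition-table corruption shows up in file-activity telemetry. The thresholds, process names and paths are assumptions for the example.

```python
"""Toy wiper heuristics over constructed file-activity events (illustrative, not a vendor rule set)."""
from collections import defaultdict

RAW_DEVICE_PREFIX = "\\\\.\\PhysicalDrive"   # raw disk handle used for MBR / partition-table writes
BULK_THRESHOLD = 5      # destructive operations by one process ...
MIN_DISTINCT_DIRS = 3   # ... spread over at least this many directories ...
WINDOW_SEC = 10.0       # ... within this many seconds

def detect_wiper_activity(events, threshold=BULK_THRESHOLD, min_dirs=MIN_DISTINCT_DIRS, window=WINDOW_SEC):
    """events: iterable of (ts_seconds, pid, image, op, target). Returns a list of alert tuples."""
    alerts = []
    history = defaultdict(list)           # pid -> [(ts, target), ...] inside the sliding window
    for ts, pid, image, op, target in sorted(events):
        if op not in ("WRITE", "DELETE"):
            continue
        if target.startswith(RAW_DEVICE_PREFIX):
            alerts.append(("raw_disk_write", pid, image, target))   # always worth an alert
            continue
        hist = history[pid]
        hist.append((ts, target))
        while hist and ts - hist[0][0] > window:                    # expire events outside the window
            hist.pop(0)
        dirs = {t.rsplit("\\", 1)[0] for _, t in hist}
        if len(hist) >= threshold and len(dirs) >= min_dirs:
            alerts.append(("bulk_destruction", pid, image, len(hist)))
            hist.clear()                                            # one alert per burst
    return alerts

# Constructed sample events: (timestamp, pid, image, operation, target). Names and paths are made up.
SAMPLE_EVENTS = [
    (100.0, 4321, "excel.exe", "WRITE", "C:\\Users\\ana\\Documents\\q1.xlsx"),      # normal editing
    (100.5, 4321, "excel.exe", "WRITE", "C:\\Users\\ana\\Documents\\q2.xlsx"),
    (200.0, 9001, "svchost_.exe", "WRITE", "C:\\Users\\ana\\Documents\\q1.xlsx"),   # rapid spray over
    (200.1, 9001, "svchost_.exe", "WRITE", "C:\\Users\\ben\\Desktop\\notes.txt"),   # unrelated dirs
    (200.2, 9001, "svchost_.exe", "DELETE", "C:\\ProgramData\\app\\config.xml"),
    (200.3, 9001, "svchost_.exe", "WRITE", "C:\\Users\\ana\\Pictures\\img.jpg"),
    (200.4, 9001, "svchost_.exe", "WRITE", "C:\\Users\\ben\\Desktop\\todo.txt"),
    (200.9, 9001, "svchost_.exe", "WRITE", "\\\\.\\PhysicalDrive0"),                # raw MBR write
]
```

`detect_wiper_activity(SAMPLE_EVENTS)` returns two alerts for pid 9001 (a bulk-destruction burst of five operations, then the raw disk write) and nothing for the spreadsheet edits.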
Network Infrastructure Hardening: Audit and patch all internet-facing devices, especially VPN appliances, firewalls, and routers. Sandworm systematically targets vulnerable network edge devices. Monitor for firmware modifications on networking equipment and implement secure boot where available.
Supply Chain Integrity: Verify the integrity of software updates through independent channels. Monitor for anomalous behavior from management and monitoring tools. Segment networks to limit the blast radius of supply chain compromises. Implement canary tokens and tripwires in high-value network segments to detect stealthy intrusions.